By Michael Loney

March 11 - (The Insurer) - The cyber insurance market is continuing to mature with more consistency in coverage while there is a “leveling of rate changes”, according to a new report from wholesale broker Risk Placement Services.

RPS said that the “breakneck pace of coverage innovation” from 2013 through 2019 is gone, and the policy language that addresses these risks has remained relatively consistent lately.

“The coverage grants in cyber policies are proving sufficiently broad to handle a wide array of privacy and digital risks,” the report from the Arthur J Gallagher wholesale unit said. “Where much of the innovation in the product's infancy was aimed at broadening coverage, more recent changes have narrowed the scope in areas such as biometric information privacy, website tracking software and business interruption from supply chain providers.”

RPS also commented that the next wave of affirmative coverage expansion is already occurring in artificial intelligence and machine learning, where threat actors employ these tools to execute their attacks.

“AI is already covered in many policies, but we're seeing a trend develop for affirmative coverage grants – particularly in privacy and security liability insuring agreements, in addition to social engineering and cyber deception,” the report said.

The broker also suggested that another sign of the maturing cyber product is seen in the underwriting questions and process used to assess the risk. Carriers are now more consistent in underwriting and are not adding pages of questions to get the answers they are looking for.

Insurers’ profitability continues to benefit from the large rate increases applied in 2021 and 2022 in response to the ransomware epidemic.

“And, while 2023 and 2024 saw some rate softening, we're witnessing a leveling of rate changes,” the report said. “Significant movement in rates is now more specifically tied to insurer profitability within specific verticals, such as car dealerships for insurers with outsized exposure to the CDK ransomware attack.

“Whether or not we will we see a similar effect in the K-12 education vertical, proportionate to insurer exposure in a late 2024 breach, remains to be seen.”

Popular K-12 school software provider PowerSchool was the target of a data breach in late December.

RPS also said that the Cyber insurance market has withstood the stress of what it termed "micro-agg" events for third-party vendors in the healthcare, automotive and education sectors.

“This resilience is yet another sign that underwriting processes and pricing models have matured in the cyber insurance space,” it said.

RPS reported that it can more easily obtain $5 million and $10 million primary and excess limits for its insureds because of the increased capacity in the market.

“While higher limits still can present challenges for certain insurers — and for certain sectors such as public entity, education and healthcare — our ability to source adequate capacity has improved greatly,” the report said.

RPS said that the cyber insurance market dynamics are "varied."

“Increased capacity has been further demonstrated by several new managed general agents (MGAs) entering the market in recent months. Additionally, mergers or partnerships between insurtechs and traditional insurers have created welcome combinations of innovation and stability,” the report said.

“While new entrants, diversified capital availability and mergers are contributing to this varied dynamic, so too are certain players making moves in different directions — in some cases, away from the admitted space altogether.”

RPS is seeing increasing focus on insurers providing endpoint, managed and extended detection and response solutions directly to insureds.

SURGE IN CLAIMS SO FAR IN 2025

Discussing claims, RPS said that “2025 opened with a bang” with a significant surge in claims frequency predominantly resulting from third-party vendor incidents.

SaaS platforms that cater to specific industry verticals have accounted for the lion's share of these incidents.

Third-party vendor incidents causing significant network downtime are resulting in protracted claims timelines as business interruption losses are accounted for and negotiated.

The RPS SME cyber insurance internal customer base has seen a 72% increase in business interruption losses over 2023, litigation settlements are up more than 74% over 2023, while the frequency of ransomware events remains high, although victims are less likely to pay.

RPS also cited figures from data privacy law firm Mullen Coughlin that showed business email compromise incidents were up more than 19% over 2023, ransomware frequency was up 14% over 2023, inching closer to 2021 highs, median ransomware payments increased 32.5% in 2024, and total incident count was up nearly 10% over 2023.

RPS identified trends to watch for this year including increased focus on cyber insurance application data and its relevance in claims adjudication, a hard line on the use of pre-approved vendors for cyber incidents and the continued influence of AI on the market, both positive and negative.

In addition, the broker expects more sector-specific micro-agg events.

“We've seen this play out in the healthcare sector, auto dealer industry and in K-12 education,” the report said. “We expect to see similar events on the horizon in verticals such as financial services, manufacturing and hospitality.

From a cyber insurance underwriting perspective, look for more questions about vendors, contractual risk transfer and redundancies to account for over-reliance on any one provider.”