Cyber insurers had initially based premium prices and coverage offerings on guesswork about an emerging area. But now they’ve seen enough cyber incidents to understand what payouts cost them, said Alan Shark, executive director of the Public Technology Institute. As such, many insurers have reduced what they’ll cover, while also asking for premiums high enough to be nearly unaffordable for some local governments. Other insurers have deemed cyber too risky and pulled out of the space entirely, reducing applicants’ options.
Cyber risk management tools provider KYND’s 2024 survey of 100 brokers and insurers found that nearly two-thirds believed the U.S. cyber insurance market would harden over the next 12 months.
Insurers are restricting how much they’ll cover certain kinds of losses, including setting lower sublimits on ransomware incidents. The Association of Washington Cities (AWC) offers a risk management pool to its local government members, while covering some risk through reinsurance. In recent years, reinsurers have set sublimits on “aggregate exposure,” in which several members file similar kinds of claims in the same year, said Carol Wilmes, AWC director of member pooling programs. And while cyber plans often used to exclude coverage for acts of war, many insurers have now expanded that to exclude any kind of nation-state-sponsored cyber attack, said Shayne Kavanagh, senior manager of research and consulting at the Government Finance Officers Association.
As insurers seek to better understand would-be clients’ cyber risks, they keep adding questions to their applications. Insurers now often ask about would-be customers’ alignment with the National Institute of Standards and Technology’s enhanced security standards, the number of employees with up-to-date cyber certifications and how the government is handling its third-party risks, Shark said.
Today’s cyber plans often vary over matters like whether they’ll cover ransomware incidents if the encryption attack occurred during the coverage period but the initial malware infection predated it, Kavanagh said. And would-be policyholders should find out whether damage sustained to operational technology during a cyber attack is covered by cyber insurance, property insurance or neither.
Governments determining how best to manage their risks may decide to use a more basic coverage plan while securing secondary insurance for catastrophic cyber events, and will also want to consider how much risk to take on themselves before any potential insurance plan kicks in. Organizations that are considering how to pay until they meet deductibles, or that are relying solely on self-insurance, can use different strategies to understand how much money they’ll need.
Shark suggested governments review multiple providers’ insurance policies to understand the things their self-insurance strategy would need to pay for. He also suggested having an outside consultant run the organization through tabletop exercises, to help ensure it has considered all possible costs that could be incurred during an incident. Those can include everything from lost income during an outage to legal advice, equipment repair, overtime pay for staff and years of credit monitoring for anyone whose personal information might be exposed. The AWC, which has a self-insured retention, considers members’ claims histories and gets advice from consultants to understand where to set its member premiums to cover the costs the association will absorb.
Small local governments can benefit from turning to municipal risk pooling. For one, this spreads out risk more than if each government relied just on self-insurance, Kavanagh said. Plus, joint purchasing power can enable small jurisdictions to get a better quality and level of insurance than they could alone, Wilmes said.
And, of course, cyber insurance only kicks in to help offset loss after something’s gone wrong. Investing in defensive measures can both reduce the likelihood of incidents in the first place and make applicants more appealing to insurance providers.
Part of the AWC’s strategy is to connect its members with resources, such as grants, that could enable them to mature their cyber postures. That could mean towns adopting multifactor authentication, updating systems and taking other steps.
Wilmes said this approach may be why the AWC could maintain the same reinsurance limit for the past four years, even as some peers have not been able to.
“That helps us to be more attractive to the marketplace in obtaining insurance, to show that we're really trying to mitigate our risk against cyber incidents,” she said.