June 24, 2024

Cyber Insurance Market Update

Insights & Research / Brown & Brown

Cyber Insurance Market Trends

After significant increases in premiums in 2021 and 2022, the cyber insurance market has now stabilized despite a steady acceleration in the frequency and sophistication of attacks. This has led to competitive renewal expense for companies that can demonstrate improved cyber maturity and a simultaneous increase in costs amongst firms with recent cyber incidents or without demonstrated year-over-year improvements to IT security controls.

Based on a recent report from IBM, Financial Services remained the second most attacked sector behind manufacturing with roughly 20% of cyber incidents impacting this industry over the last five years. According to a survey of single-family offices by Dentons, a global law firm, a quarter of family offices surveyed reported a cyber attack in 2023, up from 17% in 2020. Half of respondents said they knew of another family office that suffered a cyber attack. Ransomware negotiator, Coveware, noted the percentage of companies paying a ransom demand has decreased over the past year. However, the dollar amount of ransomware being paid has increased significantly.

Surprisingly, many smaller financial institutions do not purchase cyber insurance. According to IBM, the average cost of a data breach was $4.45 million, meaning that firms should not only consider having cyber insurance but should determine the appropriate limits of coverage as well.

Source: IBM XForce Threat Intelligence Index 2024

Navigating the Market

Making the appropriate investments in cybersecurity and controls will have an impact on underwriting options and ultimately lower the rate.
Companies using independent cybersecurity advisors like Drawbridge can benefit from improved controls and more favorable underwriting.
Companies that have experienced a breach or loss may be declined coverage but could receive favorable treatment from underwriters if they have implemented appropriate controls and taken corrective action on vulnerabilities.

Premium

After significant increases in cyber insurance rates in 2021 and 2022, Brown & Brown has seen premium rate decreases in 2023/2024 of between 10%-15% for mid-size financial services firms with mature cyber controls.
Competition can still be aggressive on renewals for insureds with best-in-class controls.
With increased coverage and services being offered, companies are encouraged to revisit carriers and investigate coverages. Price alone should not dictate placement decisions.

Limits

While cyber insurance premiums have been decreasing over the last two years, hedge funds and Alternative Investment Managers have been increasing coverage limits.
On average, hedge funds and Alternative Investment Managers who purchase cyber insurance purchase limits almost two times greater than non-financial services companies of similar revenue size.
The average limits purchased ranged between $2 million to $3 million through 2021 but have increased on average from $3 million to $5 million through 2023.
Largest increase in limits on average have been for hedge funds and Alternative Investment Managers that realize revenues of $50 million or more.

Coverage

Risks and regulations have changed in the financial sector. Some carriers have made modifications to policy coverages to address these. Your policy should reflect expanded coverages and services.
Carriers may offer increases in sublimited coverages and added enhancements.
Financial services firms should focus high-risk areas and seek complementary coverages and sublimits. Financial institutions should focus particularly on fraudulent funds transfer sublimits, ransomware and reputational harm coverages and services in their cyber policy.
Embedded services are important coverage elements for financial services entities with limited resources. Take advantage of additional offerings as carriers compete for business.

Capacity

Carriers are offering expanded capacity in the U.S. and London, fostering competition on programs with quality controls.
Some markets have increased their available lines, and there are new entrants to the cyber market.

Carriers are looking for companies who recognize and address cybersecurity seriously. Conduct a policy review and make sure that your efforts to secure your firm are properly reflected in your premium.

In collaboration with Drawbridge, Brown & Brown, a leading cyber insurance broker, is available to assist you in assessing your cyber insurance needs through the Cyber Insurance Affinity Program.

If you are responsible for your firm’s cyber insurance program, follow the links to learn more and reach out to our team: CyberAffinityDB@bbrown.com.
If you are not responsible for your firm’s cybersecurity insurance, forward this document to the appropriate person to make them aware of this offer.

If you are ready to apply for cyber insurance or get a competitive quote, use the following link: Brown & Brown Cyber Insurance Affinity Program.

View all News & Views

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	1 hour	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	6 months	Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
hubspotutk	6 months	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
trackalyzer	1 year	Leadlander sets this cookie to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.

Cyber Insurance Market Update

Related News & Views

What to do after completing a Cyber Risk Assessment on your Portfolio Companies

Top 10 Essential Data Security Tips for International Business Travel