On August 14, 2024, the Cybersecurity (H) Working Group ("CWG") of the Innovation, Cybersecurity and Technology (H) Committee met at the Summer 2024 National Meeting of the US National Association of Insurance Commissioners ("NAIC"). In addition to routine matters, such as the adoption of the CWG's July 9 meeting minutes, the meeting covered the following matters.
The State of the Cyber Insurance Market
The CWG hosted an industry panel discussion on "The State of the Cyber Insurance Market: Trends, Challenges, and Opportunities," moderated by Jon Godfread, the North Dakota Insurance Commissioner. The discussion covered the evolving cyber insurance market, including underwriting innovations, cyber risk mitigation, coverage developments and regulatory support.
Market Trends
The panelists noted that the cyber insurance market has quickly developed in recent years. Some of the market trends highlighted included the following:
- The pricing environment has become more competitive as new cyber insurance providers have entered the market.
- Coverage has become more complicated and comprehensive. There have been pricing developments, such as the use of coinsurance. There have also been developments in the types of coverage offered, such as coverage of ransomware.
- The underwriting process has become more sophisticated and additional technologies have been deployed to support the underwriting process.
- There has been an increased focus recently on risk mitigation and engaging with insureds in a consultative way to try and prevent cybersecurity incidents from happening in the first place.
- The importance of cyber education has increased for both insureds and capacity providers, such as reinsurers.
"Off-the-Shelf" Cyber Policies
During the discussion, a CWG member asked whether "off-the-shelf" cyber coverage exists or is feasible. A panelist explained that there is currently no universal off-the-shelf policy. Cyber policies need to be carefully underwritten and crafted to the individual policyholder's needs. A small subset of insurers currently offers robust policy templates that require less refinement than others, but such policies are not available consistently across all industry verticals, and there remains significant variance to be addressed. Industry panelists and CWG members expressed agreement that standardized, off-the-shelf cyber coverage is increasingly feasible, but significant gaps remain.
Artificial Intelligence
The panelists and CWG members discussed artificial intelligence ("AI") and its current and anticipated implications for cyber insurance and for cyber incidents more generally. An industry panelist explained that advancements in AI, as with many commercial applications, enable threat actors to scale their operations and conduct more widescale attacks. One example provided was ransomware attacks in Japan, which have become easier to conduct with the advent of language translation by AI, whereas threat actors previously had been limited in their ability to communicate in Japanese. The panelist noted that AI has also led to advances in defense against cyber-attacks.
Cyber War Exclusions and Cyber-Attack Coverage
CWG members and industry panelists discussed the industry response to an August 2022 bulletin issued by Lloyd's of London outlining guidelines for state-action and cyber-terrorism exclusions with which Lloyd's market participants were expected to comply by March 2023. The Lloyd's Market Association has now identified approximately 40 different cyber war exclusion clauses that comply with the bulletin. The industry panelists observed that the presence of cyber war exclusionshas become normalized and most policyholders are now willing to accept the inclusion of a cyber war exclusion clause in their cyber policies.CWG members also asked about the viability of a federal cyber backstop, and the industry panelists responded that the industry is working through this issue.
Regulatory Support
Industry panelists highlighted the need for openness from insurance regulators regarding innovation in the cyber insurance space. They also noted the need for insurance regulators to remain aware of the ever-evolving nature of cyber risk, and to maintain a proper understanding of the product.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.