Over the past two years, cyber risks have evolved across many fronts. Threat actors are using new, strategic tactics every day. The attack surface has expanded as employees continue to work from home, and supply chain-related attacks perpetuate growing systemic risk concerns. It is no surprise that in Aon’s 2021 Global Risk Management Survey, participants around the globe rated the risk of cyber attacks/data breaches as the number one threat facing companies today.
The sheer number of cyber attacks on corporations have increased dramatically over the past few years. For example, ransomware attacks grew significantly— up 323 percent from Q1 2019 to Q4 2021. Meanwhile, we saw an average of two new errors and omissions (E&O) and cyber matters per day in 2021.
As we emerge from the pandemic, the hope is that the worst is behind us, but insurers are still in recovery mode. The E&O and cyber marketplace should brace itself for potential further challenges in 2022.
Looking back, 2021 became progressively more difficult for clients, brokers, and underwriters. Clients continued to see dramatic pricing increases, particularly in the second half of 2021 - and in many instances, pricing adjustments were additive to striking increases in retention levels, reductions in capacity available, and the introduction of coverage changes that were new or restrictive in nature. E&O or cyber insurance placements often required an underwriting process that was far more invasive than previous years. The combination of passing a more demanding underwriting test, only to experience an unfavorable outcome, was a challenging message for organizations.
While we still expect the marketplace to be tough this year, we anticipate pricing pressure will be less severe than 2021, particularly for placements in the second half of 2022. Clients may experience more comfort as insurer underwriting strategies become clearer, and they gain greater perspective regarding the challenges faced to secure E&O and cyber coverage.
Organizations now recognize the criticality of timing, with a focus on starting the placement process early. They are generally more prepared, collaborating internally to gather and present strategies around contractual risk management, network security, privacy and operational continuity to the insurance market. As difficult market conditions continue to prevail, Aon remains focused on timing, process, and creativity as we support, and advocate, for our clients.
Aon expects the following core themes in the E&O and cyber market throughout 2022:
Climbing Rate Environment
The majority of carriers are signaling significant rate increases for the first half of 2022. We expect this to be comparable to the second half of 2021, but anticipate potential stabilization in the second half of 2022.
Increased Underwriting Rigor
Similar to 2021, we anticipate all insurers offering cyber and E&O insurance to continue to bring new scrutiny, applications and underwriting questions into the placement process. In addition to the ongoing evaluation of “standard” security control questions, insurers will continue to focus on “real time” issues related to new attack methods or emerging tactics and threat actors' leverage to exploit emerging vulnerabilities. A recent market survey showed all carriers list a lack of Multi-Factor Authentication, Endpoint Detection and Response measures, and backups as criteria for declination.
Throughout 2021, many insurers focused on capacity deployment on a risk-by-risk basis. The economic benefit of reducing exposed limit across a portfolio while obtaining more premium per million in limit deployed can quickly solve profitability issues for many insurers. As 2022 develops, we anticipate many insurers will shift focus to systemic and correlated risk concerns and their impact on the insurer. Supply chain attack strategies and geopolitical tensions, paired with the reliance many companies have on common technology service providers, will likely drive a focus on war exclusions and infrastructure language in cyber policies.
Client Segment Differentiation
Insurers continue to face challenges in specific industry verticals, particularly public sector, healthcare, manufacturing, and higher education, and across small to mid-sized companies. Industries with decentralized security strategies, and those that tend to have heavy merger and acquisition growth strategies, continue to show increased loss activity compared to other industries. Consistently aligning security controls can be difficult for companies in these verticals. When looking at differentiation across company size, many fast-growth companies are still developing strategies and determining resourcing for network security, privacy, and contractual risk management. Smaller organizations may experience more rigid positions from underwriters with respect to specific security controls perceived to be critical when protecting against certain attack methods. Retention and pricing challenges will likely be ongoing for these organizations as they seek to secure and expand their E&O and cyber coverage.
As we provide our 2022 report, our goal is to share loss and pricing trends to date, feedback from insurers, and – most importantly – key recommendations for clients to consider as we navigate a challenging E&O and cyber market.