In our annual Cyber Looking Ahead Guide published in January 2023, we looked at market trends and prognosticated on issues that would impact the cyber insurance market throughout 2023. As we hit the halfway point of the year, how is the cyber insurance market performing? Have any of our expectations for the year come true?

As you’ll see in the graphs below, it’s been a drastically different market than the one experienced in 2022. While we expected some normalization of pricing and possible coverage contraction, the results through the first six months have been much more favorable for cyber insurance buyers.

Let’s dig into the results of the first half of 2023.

Pricing Trends: Primary and Excess Layers Down

The cyber market has softened considerably in the first half of 2023. While we expected a normalized pricing environment that would remain largely flat throughout 2023, the actual results in the first half of the year suggest buyers may be suffering from whiplash. After two full years of significant increases in pricing, rates have begun to come down on both primary and excess layers of insurance.

Approximately 63% of Woodruff Sawyer clients have experienced a decrease in the cost of their insurance program through the first six months of 2023, with an additional 8% seeing a flat insurance renewal. We expect the price decreases to continue throughout the remainder of 2023, although likely not to the extent that we’ve seen in the first six months.

Many carriers are highlighting the increase in cyber claim activity, specifically around ransomware, and have sounded alarms about the current market conditions being unsustainable. While the actions of underwriters in the market do not yet reflect the level of concern that carriers are expressing, it’s only a matter of time before the results catch up to the rhetoric.

Self-Insured Retention Trends: Retentions Drop

After seeing self-insured retentions climb higher, the softened cyber insurance market has started to slowly bring down the amount of risk companies are required to keep on their own balance sheet. Retentions have steadily been dropping, particularly for companies with $1 billion of revenue or less.

Primary Limit Trends: Most Limits Set at $5M

While there has been an improvement in the overall capacity available for cyber risks in the market, most companies continue to set limits for their primary layer at $5 million. This shows that insurance carriers remain committed to managing the level of risk they’ll accept by limiting the amount of insurance they will provide for any one risk. The exception to this rule is for companies above $500 million in revenue, where we’ve seen more carriers willing to offer a $10 million primary option.

An Update on Hot Topics

We made several predictions about issues that would feature prominently in cyber risk in our 2023 Cyber Looking Ahead Guide. How did our predictions hold up? Here’s an update.

Aggregation Risk

Aggregation risk is most prevalent for service providers—particularly those in the technology sector. This is the risk of a vulnerability in a company’s technology product or service leading to a security incident for all its customers at the same time. We expected that this would be a significant issue for technology service providers in securing errors and omissions and cyber insurance.

This prediction has come true, in that 65% of our technology clients purchase a primary limit of $5 million. Less than 20% of our technology clients across all revenue bands have a $10 million primary limit available to them.

Result: Prediction came true

Widespread Events

Technology supply chain risk is significant for any company that relies on third-party technologies to operate, including relying on outside cybersecurity providers. The risk of a vendor cybersecurity failure causing issues for your company remains relevant—and has unfortunately come to fruition in the first half of 2023.

Ipswitch, Inc’s MOVEit file transfer protocol was found to have a zero-day vulnerability that attackers exploited in May of 2023—and has impacted a still-growing number of victims who use the popular security service.

Result: Prediction came true

C-Suite Liability for Cyber Incidents

While we haven’t seen any further criminal prosecution of C-suite leaders like the Joseph Sullivan case, company executives have hardly skated free in 2023. In June of 2023, the chief information security officer (CISO) and CFO of SolarWinds received notice from the Securities and Exchange Commission (SEC) of potential charges for violations of SEC regulations as a result of its cybersecurity breach in 2020.

While this specific type of SEC violation does not impact a cyber insurance policy, it is an issue that should be front of mind for cybersecurity professionals as they consider their role as a CISO.

Result: Partially true

The War Exclusion and Nation-State Sponsored Hackers

This issue of whether and how the war exclusion applies to nation-state-backed attackers remains complex and decidedly unsettled at the midyear point of 2023. Insurance carriers have yet to come to a consensus on how the war exclusion applies and the implications of a nation-state-sponsored attack. This specific coverage issue is largely being driven by reinsurance carriers at the moment, and we expect this will continue to be a contentious coverage issue for the foreseeable future.

That said, we have yet to see a cyber insurance claim denied due to the war exclusion.

Result: It’s complicated

Privacy Issues: Here Comes the CPRA

This is another hot topic that remains unsettled. We had expected enforcement of the California Privacy Rights Act (CPRA) to begin in July of 2023, but a court decision the day before enforcement was to begin has delayed the enforcement of regulations to May 2024.

Underwriters and cyber insurance buyers have been concerned about broader privacy issues, particularly around BIPA matters and coverage for the wrongful collection of information without consent.

And California is hardly the only state on the cusp of greater privacy regulation—Oregon recently became the 12th state to pass a comprehensive consumer privacy law.

Result: Unsettled

Cyber Risk Is Complex and Constantly Changing

The cyber insurance market is certainly different from when the year began. As we’ve shown, pricing is down considerably, and self-insured retentions have started to creep lower. Yet the cyber risk many companies face remains complex and evolving.

Navigating this part of the cyber insurance market cycle is challenging and, as my colleague David Anderson opines, requires an insurance buyer to act like an adult.

The one constant that we continue to see is that change happens quickly when it comes to both cyber risk and the cyber insurance market.