Does cyber insurance have a longer tail than expected?
Posted 28/11/2024 – Insights
At a recent Lloyd’s and Aon event, Lloyd’s CUO Rachel Turk reported that cyber insurance no longer fits the “short tail” category, because claims are taking longer to manifest and resolve than was previously the case. Establishing and resolving a claim can now often take more than 12 months. This shift stems from the often delayed impacts of cyber breaches and, at the same time, increased regulatory scrutiny. She went on to say that underestimated business interruption losses from ransomware are now impacting older years, as far back as the 2019 year of account.
A recent ‘Pixel’ issue is currently impacting the 2022 and 2023 years. ‘Pixels’ are pieces of computer code that gather information and are regularly used to collect user data for targeted advertising. They have inadvertently (or deliberately) gathered and shared protected health information of patients within the healthcare system, leading to lawsuits under federal and state laws in the US. Notable cases include hospitals and retailers facing class actions for wiretapping or data sharing without consent. In an article on their website, Beazley Plc refer to a recent investigation by The Markup publication, which established that 33 of the top 100 hospitals in the US had used ‘Pixels’ on their websites. Beazley expects the number of class actions to grow in the US, leading to increased claims for the insurance industry.
The recent CrowdStrike event has highlighted that cyber policies are impacted not only by malicious events but also by non-malicious events that are simply triggered by human error. Whilst CrowdStrike itself was not a large insurance industry loss, it has highlighted that cyber insurance covers wider scenarios than originally anticipated, which is likely to affect the ongoing pricing of this risk class.
Alpha comment
It is very noticeable that the 10 percentage point deterioration in the latest forecasts for the cyber-focussed Beazley syndicate 6107 for the 2022 year of account was due to the need for reserve strengthening for the ‘Pixel’ issue. Beazley believes that they are ahead of the market in reserving for this potential exposure. There are now a large number of syndicates at Lloyd’s that underwrite cyber business and, due to the unproven nature of the class, Alpha has been deliberately cautious in our approach to these exposures, particularly whilst rates have been under pressure and the threat of claims seems to have increased.