US Market Update
Cyber insurance buyers had reason to rejoice in 2024—the soft market conditions that appeared in 2023 continued throughout 2024. Despite some headline-grabbing claims, insurance capacity remained high and carriers largely looked to grow their premium base by writing cyber insurance for more companies. This activity created a competitive market environment that led to nearly two-thirds of our clients realizing cost savings in their cyber insurance programs throughout 2024.
Cost Change in Cyber Insurance Renewals Over the Last 5 Years
of Our Clients Experienced Cost Reduction in 2H 2024
Here are some of the key insurance market themes that emerged throughout the year.
Data is King—But Only When Collected Properly
Carriers Roll Out Security Tools
CISO Coverage Stands Alone
We Need to Talk About Your Vendors
Stocking Up While the Price Is Right
Data is King—But Only When Collected Properly
It’s no secret that many companies are leveraging data to help customize their products or services to customers or enhance their employee experience. But large amounts of data can carry a large amount of risk when that data is considered personal information. Plaintiffs’ firms continued to be active in bringing allegations of privacy law violations in 2024, particularly under laws like the Video Privacy Protection Act.
Cyber insurance coverage for wrongfully collected information—collecting personal information without the individual giving proper consent—is unsettled at best. This became the most consistent coverage aspect that needed negotiation throughout 2024 and will likely continue to be contested in 2025.
Carriers Roll Out Security Tools
Coming off the hard market years of 2021–2022, cyber insurance carriers have continued their strong focus on specific cybersecurity tools to minimize cyber risk and the chances of a company facing a financial loss. In 2024, multiple carriers started offering some of these tools directly, positioning their cyber insurance product as a backstop to protecting your business. These tools can range from full-on cybersecurity consulting to active threat monitoring and endpoint detection and response (EDR) tools. This trend has proven valuable for small- to middle-market-sized companies and will continue in 2025.
CISO Coverage Stands Alone
As the SEC enforcement of cybersecurity rules brought more scrutiny to chief information security officers (CISOs) at companies that were the victims of cyberattacks, the insurance market responded in 2024 by providing coverage for CISOs in various places. Coverage for CISO liability can be found in both cyber policies and well-brokered directors and officers (D&O) policies. Some carriers are now offering a stand-alone policy to cover CISO personal liability as it relates to protecting their organization.
We Need to Talk About Your Vendors
Management of third-party risks has become a key focal point for underwriters in 2024 given the volume and impact of claims against the technology supply chain. The CrowdStrike attack in July 2024 was the latest in a notable string of incidents targeting technology companies to get access to or disrupt their customer networks. Cyber insurance carriers are looking for clients to have a robust third-party risk management program. This program should include:
- Strong contractual language requiring a vendor to indemnify and hold your organization harmless in the event of an incident
- Cybersecurity certifications and attestations from vendors
- Requirements for vendors to purchase cyber or technology errors & omissions insurance
Stocking Up While the Price Is Right
Everyone loves buying when prices are discounted, and cyber insurance is no exception. Many companies that may have reduced limits during the hard market of 2021–2022 or that did not purchase higher limits as their cyber risk has grown have decided to reinvest the savings from their cyber insurance renewal in 2024 into higher limits for the coming policy year. Cyber risk is not going away soon, and we continue to see companies dedicate resources to properly managing the risk, including purchasing additional cyber insurance limits when the market conditions are ripe.
