KEY TAKEAWAYS FROM FY21: Q4?
Following significant re-alignment of premiums over the past three renewal cycles, the public company D&O insurance market now sits in a more sustainable position. The regulation of litigation funders’, proposed changes to continuous disclosure laws, and the Federal Court dismissal of the Worley Case are all positive developments. We now see signs of recovery with new capacity and fresh entrants offering competitive options for our ASX clients.
After several years of portfolio remediation, insurers underwriting financial institution risks now have more clarity on their underwriting appetite. Some insurers have even made aggressive client acquisition plays by way of targeting well-performing sectors, particularly Australian Financial Services Licence (AFSL) holders providing products and services to wholesale clients.
Companies offering lending products and services continue to experience supply and demand issues. Such issues are largely due to capacity constraints and reduced limits being offered by insurers still willing to provide Professional Indemnity (PI) cover, particularly ACL holders supplying products and services to retail clients.
All Australian Law Firms renewed their top-up PI insurance on 30 June. This sector continues to be challenged by the aftermath of the Lloyds Decile 10 Review (a focus on their poorest performing businesses), which had a significant impact on capacity, particularly for Firms looking to purchase large PI limits. Replacing capacity on these programs is now far more costly.
The most topical class in Q4 has been cyber insurance, which has experienced hardening conditions due to the increased severity of attacks, particularly ransomware events. Industry data shows business email compromise and ransomware are the most frequent cyber-attacks, with ransomware causing the highest severity of losses. The professional services sector has been most affected by cyber incidents. Real estate, non-profit, and healthcare also experienced notable increases in cyber incidents.
Supply chain attacks targeting Managed Service Providers (MSPs) and technology clients have triggered large losses globally and these risks continue to be a major threat for insurers. This was highlighted by the recent Kaseya ransomware event which spread quickly across the globe. The threat actors used patches to Kaseya software to install malware on client systems. Experts predict this will be the largest supply chain loss globally. Currently, up to 1,500 organisations are believed to have been impacted, but how many will ultimately be affected remains unclear. The hackers (believed to be Russia-based REvil Corp) have issued a demand for US$70,000,000 in return for a universal decryption tool for all victims.
We expect Australian MSPs and their customers to be impacted by this event, resulting in an increase in claims activity.
KEY MILESTONES / CONSIDERATIONS FOR CLIENTS FOR THE NEW QUARTER (FY22-Q1):
We encourage Insureds to continue to work with their brokers in identifying their risk tolerance and agreeing on what will be acceptable from a coverage, price, limit, and risk retention perspective.
As a result of the increase and severity of cyber-attacks, we expect cyber underwriting practices to evolve from narrowly focusing on risk factors such as revenue, the number of employees, Personally Identifiable Information (PII) count, and industry class, to a wider underwriting lens. We anticipate greater reliance on loss modelling tools and continual system scanning, utilising both in-house and outsourced IT security resources as underwriters evaluate prospective Insureds.
As always, we encourage clients to begin the renewal process early and proactively supply insurers with information that improves the perception of their risk exposures.
ANY INDUSTRY TRENDS YOU CAN SEE ARISING IN FY22?
The Federal Government is considering measures whereby businesses and Government agencies would be required to notify the Australian Cyber Security Centre (ACSC) before paying a ransomware demand. The Bill has introduced penalty measures for entities that do not comply with the reporting framework will be subject to fines of up to $222,000.
There is considerable public discussion about whether ransomware payments should be payable by insurers. Some insurers are now introducing policy conditions requiring Insureds to contribute towards ransomware payments to encourage better risk management and prevention strategies.
Discover more market updates from this edition of HoneIn.