Fitch Ratings announced that underwriters are anticipating favorable premium growth and underwriting results through 2023, and they expect that pricing increases will continue to moderate, thanks to several positive developments in the market. Fitch reports that annual renewal rate increases have decelerated, meaning that the push for higher rates is beginning to run out of steam. Renewals in Q4 of 2022 saw a 15% increase over the year prior, which is a vast improvement over the 34% increase year over year that the market underwent in Q4 of 2021. Fitch also estimates that total direct written premiums for Cyber were up by over 50% in 2022, clocking in at $7.2 billion. 

Fitch notes that the spike in total premiums was fueled not just by rate increases, but also by increased awareness of the cyber threat on the part of businesses, which is boosting the demand for coverage. More premium dollars coming in, coupled with a reduction in claims, has led to improved loss ratios for underwriters. For standalone cyber coverage, loss ratios dropped from 68% in 2021 to 43% in 2022. 

This is quite a turnaround for a risk that some experts declared was on the verge of becoming uninsurable. While the war in Ukraine has certainly sidetracked some bad actors, the improved loss ratios are also attributable to increased scrutiny of the risk by underwriters. They have expanded the types of controls they are requiring of businesses to qualify for the coverage. In doing so, they are helping to incentivize better cybersecurity. Not only will this enable insureds to better manage risk, it will also ensure the sustainability of the Cyber product.

The Takeaway

The past few years have been challenging for buyers of Cyber insurance, as they found themselves having to adapt to stricter underwriting guidelines. Now that the marketplace has stabilized, insureds deserve to see the fruits of their labor as well. The time is right to roll back recent efforts on the part of underwriters to narrow the scope of coverage. Specifically, brokers should revisit some of the sub-limits and coinsurance provisions that have been tacked on to policies, so that policyholders can fully recover on their losses and the coverage remains fit for purpose. This is especially true for ransomware, as those limitations can ripple through all the first-party coverages, leaving insureds without an adequate risk transfer solution. 


Merck & Co. v. Ace Am. Ins. Co., Nos. A-1879-21, A-1882-21, 2023 N.J. Super. LEXIS 43 (Super. Ct. App. Div. May 1, 2023).

A state appellate court has affirmed a lower court’s ruling that an exclusion for “hostile or warlike actions” under a pharmaceutical company’s Property policy did not apply to the 2017 malware attack known as “NotPetya.” That attack, which had originally targeted accounting software in Ukraine, ricocheted around the world and struck many businesses as collateral damage, including the insured. The malware spread to thousands of the pharmaceutical company’s computers. The insured filed a claim under their Property insurance program, which was denied under the so-called “war exclusion.” Coverage litigation ensued.

In its decision, the court stated that, “in considering the plain language of the exclusion, and the context and history of its application, we conclude that the Insurers did not demonstrate that the exclusion applied under the circumstances of this case.” Both the United States and British governments have blamed the NotPetya attack on Russia, but the court did not base its holding upon any indicia of state sponsorship. Rather, the court considered the absence of a physical, military conflict between the alleged perpetrators of the attack and the ultimate victim in question. Rejecting the notion that the insurers’ interpretation of the exclusion was the only logical one, the court refused to apply it to the claim in question.

The Takeaway

One more avenue of appeal remains for the insurers, although it is not clear whether they will pursue it. Regardless, this case is yet another example of why policy wording matters. It bears noting that around 2020, insurers began tightening up their exclusions for cyber matters on Property and Casualty forms, meaning that policyholders should not presume that a similar claim would yield the same result today. A dedicated Cyber insurance policy is a company’s best defense against a cyber-related loss.