After several years of competitive pricing and expanding coverage, cyber insurers are now reassessing the breadth of their policies, with a particular focus on privacy coverage.
At Zywave’s Cyber Risk Insights conference in New York this week, experts confirmed that insurers are increasingly restricting coverage, especially regarding privacy risks. Beth Gidicsin, regional cyber practice leader at Lockton, explained that many insurers are reconsidering the broad privacy and wrongful-collection coverage they previously offered.
“Many insurers had been offering broad privacy coverage, but now there is growing caution,” Gidicsin said. “Some are introducing exclusions in their policies, although clients may be able to add coverage back in—if insurers are willing to underwrite it.”
The shift, according to Gidicsin, is primarily driven by the rise in privacy litigation, spurred by regulatory changes both in the US and internationally. Traditional cyber policies, which typically responded to breaches and related regulatory fines, were not designed for the broadening scope of privacy risks. With new regulations in place, privacy litigation can now occur even without a data breach.
While she continues to advocate for expansive privacy coverage for her clients, Gidicsin acknowledges that insurers will need to adjust their underwriting practices to address the evolving risk landscape.
The issue of coverage gaps extends beyond privacy concerns. The cyber insurance industry continues to grapple with whether certain cyber-related property damage should be covered under cyber or property policies. This long-standing question may soon be addressed with new product innovations.
Additionally, insurers are experimenting with new endorsements related to AI and exploring solutions for cyber-triggered property damage. Business interruption has also emerged as a key focus, especially in light of recent non-IT-related system failures that have disrupted business operations.
“Given the cloud-dependent landscape, we have to ask: is what we have now enough?” Gidicsin questioned.
David Derigiotis, president of RT Specialty Detroit and EVP of ProExec Practice Group, suggested that there is still room for insurers to negotiate and expand coverage where necessary. “Wrongful collection is a big one. The privacy side of cyber policies is a very significant issue,” he noted.
However, he added that coverage should be tailored to the specific risk of each client. “You can’t offer the broadest coverage to every client every time—that’s when problems arise,” Derigiotis cautioned. “It’s essential that the right policies are matched with the right clients.”
Lori Bailey, head of global cyber and technology at Axis, agreed, emphasising that the industry is moving away from a one-size-fits-all approach. “The goal is to provide tailored coverage that meets the specific needs of different market segments,” she said.
Derigiotis concluded by stressing the importance of understanding the regulatory landscape to avoid coverage gaps. “The worst thing is to buy a policy and then find out it doesn’t cover a claim,” he said. “Insurers need to stay ahead of regulatory changes and understand their impact on policyholders.”