Johnty Mongan: Cyber insurance harder to secure after shift in market

Cyber insurance has become harder to afford for businesses post pandemic – and amid uncertain economic times, some businesses could be considering ditching the product

That is according to Johnty Mongan, global head of cyber risk management at Gallagher, who tells Insurance Times that the cyber insurance market had changed dramatically since the pre-Covid era.

Figures from Marsh’s Global Insurance Market Index, released in April 2023, revealed cyber insurance pricing increased by an average of 11% across Q1 2023.

While this was lower than 28% increase across Q4 2022, Mongan says there has been a “shift” in the market compared to when insures wanted to create a “frictionless approach into buying a policy”.

He highlights that insurers were formerly providing cyber cover policies after asking around four questions that only gathered basic information about a company.

“That was pretty much how [cyber] insurance was underwritten – and that’s not an exaggeration,” he says.

“It was real basic questions because the insurance market just wanted clients.”

Mongan adds that without extra information from further questions cyber insurers ”had a lot of people claiming” on these policies. 

”From an insurance perspective, if too many people are claiming, you’re losing money,” he explains. 

“So, you then have to have a reset – to get insurance, we need [customers] to be at a much higher bar [in terms of risk profile].”

Stricter terms

As a result of the cyber insurance market maturing, Mongan says insurers have become stricter with policy terms and premiums have risen, something that companies may have not budgeted for.

“In 2022, after the insurance market learnt that you can’t just ask those basic questions, they went from four to about 40,” he adds.

“This was a real shift because people were like ‘this is now really difficult to get cyber insurance.’

“Coupled with that, the premiums went from say £10,000 on a £2m limit for a medium sized client up to about £80,000.”

He adds that with companies having to spend a “fortune” on new technology to be insurable, they may begin to question whether they need the cover at all.

And due to the current state of the economy, Mongan feels some companies could “shy away” from cyber insurance in favour of implementing their own risk management systems.

This would include putting in their own controls and policies, training staff and carrying out relevant simulations to prevent a cyber attack.

“I would say that the bulk of clients are still going for cyber insurance because I think it’s still believed that’s the best way to do it,” Mongan says.

“But, if you were to compare 2022’s clients to 2023’s that are saying ‘should we just do risk management’, you’re having more of those this year than ever, because it’s expensive and people are looking to save money.”

What next?

Mongan says that the cyber insurance market is softening as insurers demanded better risk mitigation from customers, with there now being fewer claims and more “money in the pot”.

And as businesses consider going down the risk management solutions road, he said insurers are now providing either bursaries or other value add services to encourage customers to take up their insurance policies.

“When you look at every capacity provider now, they’re all trying to provide insurance plus something else,” he says.

Mongan highlights Gallagher’s cyber defence centre as an example, which is a wraparound service that goes with any insurance policy.

He feels the cyber insurance market has changed from “a bit of a wild west to the smart cyber insurance race”.

“So, the whole conversation around cyber has matured from four questions and you get a policy, to now this is a daily thing that you’re going to have to do maintenance on, no different to a fitness plan or a training plan.

“If you want to stay in shape, you have to put effort into that – IT security is no different, threats change every day.”