A Q&A with Arch’s Marcus Breese

Marcus Breese, head of cyber and technology at Arch Insurance International, discusses his company’s cyber growth strategy and provides his views on trends including fluctuating rates and increased data privacy regulation.

You joined Arch in 2019. How has the build-out of the cyber business gone since then?

The growth of our cyber portfolio has been considerable over the last four to five years. Arch is now one of the largest global providers of cyber insurance. From a London market perspective, we have almost quadrupled the size of our portfolio, establishing ourselves as a prominent player in an increasingly competitive marketplace.

Our strong performance stems from the commitment of Arch’s leadership to growing this line of business. We developed a clearly articulated growth strategy, invested in market-leading cyber talent and established cyber teams across Arch’s international network.

In addition to strengthening our underwriting expertise, we have also bolstered our technical cybersecurity capabilities by appointing a cybersecurity risk engineer, James Ingram, who joined us last year from the Ministry of Defence. In this role, he works closely with our underwriting teams as well as our brokers, assessing individual risks, meeting clients and providing unique insights into evolving cyber dynamics and mitigation strategies.

We have also expanded our cyber offering over this time period, in particular writing more primary coverage. We can provide primary and excess coverage, on a lead or follow basis, across a broad range of geographies and industry types.

How would you characterise Arch’s cyber appetite and targeted clients?

We operate a well-diversified portfolio and have a broad risk appetite. We provide coverage on a worldwide basis across cyber, media E&O and tech E&O for a broad range of industries. These include energy and utilities, financial services, healthcare, manufacturing and retail.

Over the last few years, we have expanded our product offerings, lowered our attachment points and introduced more substantial limits to respond to the needs of our clients. We have also increased the percentage of primary business we write and have developed our own primary wordings. We see this as a key area of growth and are able to provide greater coverage flexibility for clients.

At Arch, our overall approach is based on being solution-led and working collaboratively with our brokers. Our scope of expertise and ability to flex our coverage parameters means that we are able to consider most risk scenarios across most industry sectors.

What are your key markets geographically, and how do you see that evolving in the next few years?

US-domiciled risks form a large part of our current cyber portfolio and we continue to see opportunity in this region. However, we are also undergoing a marked expansion of our international book of business. In addition to writing more UK-based risks, we have also recently established cyber operations in Spain and France. We have four cyber underwriters responsible for growing our European cyber insurance portfolio, writing primary and excess coverage for multinational organisations across a broad range of sectors.

We have also expanded our cyber underwriting capabilities in Australia and the Pacific region after launching a new cyber insurance practice last year. In this region, we offer primary and excess coverage in the mid-market and large corporate segments, where we feel we can add real value for our clients.

Our strategy to expand our geographical footprint in the cyber space very much reflects Arch’s ongoing commitment to the class.

What would you say are the biggest cyber issues for the London market in 2024?

There is no question that the challenges surrounding cyber war exclusion clauses created a level of market uncertainty in 2023. However, the market by its very nature is adaptive and greater clarity is being established on this matter, which is positive.

Fluctuations in cyber rates continue to be an area of focus for the London market, as we have seen significant rate movement in recent years in response to an increasingly volatile risk environment and evolutions in modelled data.

Despite advances in cyber modelling, as a sector we need to be able to analyse greater amounts of loss information in a more meaningful way to improve our risk understanding. For example, the need to harness the power of claims data more effectively is a key area of focus for the LMA’s Cyber Claims Group.

From an exposure perspective, AI and generative AI within the digital ecosystem could have a considerable impact on the market. AI offers great opportunities for companies to automate processes. However, it also brings with it a lot of data collection, use and privacy implications. It is a technological shift that the insurance market is monitoring very closely.

What are some of the unique characteristics of the UK cyber insurance market, compared with other markets?

The UK cyber insurance market has not yet achieved the same level of maturity as the US market, but this is changing.

Over the last 12 months, we have seen an increase both in the number of UK-based companies purchasing cyber-related insurance as well as an uptick in the limits being purchased by existing buyers.

The awareness of GDPR is also growing and larger corporates in the UK are increasingly looking to transfer information security risk as well as manage it digitally. This is creating a ripple effect through the supply chain, as third parties process large amounts of data. This digital interconnectedness through the supply chain means it’s important for organisations to understand how third parties’ infrastructure works with their own, how data is protected and how exposures are being managed.

What are some of the regulatory challenges that cyber underwriters are facing, such as those for privacy?

The marked increase in the range of data protection and data privacy regulation has had a significant impact on the market. The cyber insurance product itself has evolved from being initially designed to address malicious or accidental data breaches to one which is now in many ways a data privacy liability solution.

The requirements being placed on organisations in terms of how they collect, process, protect and dispose of personal data are becoming increasingly onerous, and as a result the potential for companies to fall foul of data-focused legislation is rising.

This creates a challenging operating environment for companies given the fact that while regulation tends to be geography or region specific, the transfer of data is not. Therefore, it can be complex to address instances of data breach or data protection failings where you may have the data-handling company domiciled in one country and its data stored on servers located in another country or multiple countries.

If you look specifically at the US, much of the data-related regulation is developed on a state-by-state basis with limited overarching federal law in place. The complexity of the environment is heightened further by the varying cyber-related regulatory bodies that exist in the region and regulate different industries and areas.

Given the level of uncertainty that the vast amount of data privacy regulation is creating, there is a greater need for companies to make cyber insurance a more prominent component of their data compliance and cybersecurity strategies.

How can the market help ensure greater sustainability and accessibility of cyber insurance?

There is certainly an opportunity for the industry to provide greater clarity around the scope of its cyber insurance solutions. In an increasingly digitised operating environment, demonstrating more effectively the intrinsic value of cyber policies is key.

It is vital that cyber insurance becomes an integral part of the information security posture of companies. What insurers are providing goes far beyond the basic promise to pay – we are selling a service-led solution that extends across all aspects of the cyber proposition from mitigation through to response during and after an incident.

There also needs to be greater pricing stability moving forward following a period of major upward rate movement in recent years. While we are seeing evidence of rates moderating, we are also seeing a rise in claims relating to incidents such as ransomware, which could put further pressure on pricing.

Finally, greater collaboration between all stakeholders within the market – carriers, brokers, policyholders and even the public sector – is an important part of ensuring the sustainability and accessibility of cyber insurance. Not only will this create greater clarity of coverage and consistency of wordings, but it will also unlock more creativity and innovation as we respond to the evolving needs of our clients.

What is your outlook for cyber pricing, and what capacity trends are you seeing?

While there has certainly been a moderation in rate developments over the last 12 months, we are seeing a market-wide uptick in cyber-related claims activity with numerous reports highlighting a rise once again in ransomware-related attacks.

Another area that requires scrutiny is the long-tail component of the risk. There is increasing focus on potential longer-tail liability issues particularly given the hike in regulatory requirements that are starting to crystallise.

From a capacity perspective, we continue to see the cyber market attracting new players into the space. In tandem, the flow of capital from the capital markets is increasing and this is likely to continue as the market’s understanding of the exposure environment continues to grow.