Cyber insurance future and dynamics have shifted significantly over the last 12 months. After a period of upheaval – characterised by a rapidly deteriorating loss environment, highly constrained insurance capacity, rising demand globally and a major pricing correction – market conditions are stabilising off the back of much improved underwriting results.
According to Howden’s report, pricing has plateaued, or fallen in some territories (albeit from elevated levels), limits are increasing and competitive forces are yielding more tailored underwriting decision-making that reflects companies’ risk profiles.
The turnaround correlates directly to better cyber security as well as to the initial fallout from the Ukraine war and the attendant drop-off in ransomware activity, although, as shown earlier, this is now reversing.
Risk transfer has proved to be an important enabler to the first point, with insurers’ capacity deployment strategies incentivising more robust risk controls (see about War Exclusions in Cyber Insurance).
Strengthened cyber resilience is paying dividends for policyholders now that the threat environment is ramping up. Despite the marked increase in ransomware activity so far in 2023, underwriting performance appears to be holding up relatively well.
Cyber insurance growth profile
With existing carriers looking to increase capacity deployments, boosted further by a number of new entrants, the foundations for a more mature cyber market are now in place.
After a period of upheaval, market conditions are stabilising due to much improved underwriting results
The cyber market remains the fastest growing area of insurance by some distance. Annualised growth of 30% over the last decade compares to the single-digit percentage range of the broader P&C insurance sector.
Premiums are a product of exposures and pricing, and whilst both combined in unison to drive growth up to 2020, the pricing environment precipitated a notable shift in 2021, when high double- or even triple-digit price increases more than offset underwriting actions and the ensuing reduction in overall exposures (see How Insurers Can Expand the Cyber Insurance Market?).
Cyber global gross written premium
Sustaining this level of expansion will require close collaboration across the market in confronting issues like systemic risk, capital inflows and global uptake (more on these shortly). The pedigree is strong given how far the market has come in such a short space of time.
The cyber market hard reset
According to Beinsure Cyber Insurance Trends, the cyber market is the latest example of what the insurance sector has done so well many times over: innovating and developing solutions for the changing needs of clients. Wide-ranging cyber coverages have been developed in relatively short order and the market has maintained a strong claims payment record despite the highly dynamic threat landscape.
The correction that started in 2020 nevertheless represented a watershed moment for cyber insurance.
Prior to this point, a relatively benign loss environment had fed abundant capacity, expanding coverage terms and favourable pricing.
What followed led to the highest annual rate increases across the entire insurance market. Risk appetite and perceived price adequacy for cyber exposures were reset, with carriers reacting swiftly to get ahead of spiralling loss costs.
Using U.S. supplemental filings data, survey shows how claims have trended in the U.S. market since 2015, with both standalone and packaged policies seeing a surge in the number of first-party claims from 2019/2020, due almost exclusively to escalating ransomware attacks.
Reported cyber claims for U.S. standalone and packaged policies
The frequency of first-party claims nevertheless levelled off in 2021 and 2022 whilst the quantum of third-party claims remains modest in comparison, although this could of course change.
Return of data privacy
For all the well-founded focus on first-party (ransomware) claims in recent years, as well as the cyber aggregation issue, an older risk (data privacy) merits close attention following recent rulings in certain U.S. states around the Biometric Privacy Data Act (BIPA) that have revealed huge potential exposures.
Companies that collect and retain biometric data such as fingerprints and face scans without obtaining proper consent face the risk of significant penalties given damages accrue per scan and can date back as far as five years.
With BIPA carrying a penalty of up to USD 1,000 for each negligent violation and USD 5,000 for each reckless or intentional violation (plus fees and costs), the dollars at stake in terms of damages are potentially substantial.
A number of judgements have already decided in favour of plaintiffs – one high profile (jury-led) settlement landed at over USD 200 million – and with little visibility around how many U.S. companies are potentially exposed to BIPA, not to mention the relatively long tail associated with such claims, the issue represents one of the more impactful known unknowns confronting the cyber insurance market.
Easing cyber data pressures
Bringing considerably higher premiums into the equation, underwriting results were much improved for U.S. cyber insurers last year, with most carriers comfortably back into profitable territory.
When looking at data in aggregate for standalone cyber policies specifically, the sector’s performance was strong in 2022, with the loss ratio falling to 44% from 65% in 2021.
Significantly increased premium flow into the U.S. market last year (up 60% year-on-year) had a strong bearing on results, as losses and defence costs remained relatively stable.
Loss ratio for U.S. standalone cyber insurance policies
These underlying trends are being replicated (and amplified) outside of the U.S., including France, where the loss ratio fell to an even more favourable 22% last year.
There was considerable variability within this overall figure, however, with the loss ratio for large companies (with >EUR 1.5 billion turnover) sitting at 16% compared to 100% for medium-sized companies with turnover of between EUR 10 million and EUR 50 million.
Performance of France cyber insurance market
Improved cyber hygiene has been a decisive factor in delivering improved underwriting performance post-2020. The investments companies have made in getting to this point have been considerable, but hardened cyber defences have left companies less vulnerable to prolonged disruption or outsized losses in the event of a breach.
The cost of insurance cover is also more commensurate with attritional loss costs. Having sustained one of the most painful market corrections in recent times, conditions are now relenting and buyers that have the necessary risk controls in place are being rewarded with more favourable pricing and terms.
Cyber insurance fulfilling the potential
This puts the market on a sound footing for profitable growth. Should current growth trends be maintained for the remainder of this decade, an ambitious but feasible scenario given the high level of demand globally and the amount of capacity returning to the market, GWP could exceed USD 50 billion by 2030, rivalling the scale of other major P&C lines of business such as D&O.
Gross written premium projections for global cyber insurance market
Whilst the U.S. will remain the biggest cyber market by some distance, Europe, starting from a much lower base, is expected to close the gap somewhat during this time. Territories seeing particularly robust growth include France, Germany, Israel, Scandinavia and the United Kingdom.
Market size projections by 2030 – cyber vs D&O
The growth potential for cyber insurance is unparalleled. The realisation of this potential is tied in part to external factors such as geopolitics and macroeconomics, but by focusing on key issues within its domain – including penetration, tail-risk management and reinsurance capacity – the market can overcome potential growth limitations and secure long-term relevance.