The cyber insurance market has seen significant changes during 2023, with the segments within the market being more distinct and nuanced than previously experienced. The analysis is based on our own observations of the market and uses WTW proprietary data unless otherwise stated.
Digitalisation is advancing in every area of the economy and society. For the insurance industry, it is therefore vitally important to continue to tailor the range of cyber products to customer requirements and increasing digital dependencies.
Insurers offer protection and thereby support the productivity and capabilities of insureds.
To achieve this, the industry must ensure a balance between offering customers attractive solutions and maintaining the necessary sustainability and profitability in the volatile cyber business.
Ransomware and cyber-attacks on both supply chains and critical infrastructures pose a greater threat than ever to companies and society.
Systemic risks and accumulation scenarios require a clearly defined risk appetite, in order for innovative and sustainable protection to be offered to insureds. An adequate level of cybersecurity increases insureds’ resilience and, at the same time, is a prerequisite for access to the insurance market.
Cyber insurance market capacity
We are seeing an increasing number of insurers willing to increase their available capacity where the characteristics of the risk match their underwriting strategies.
According to Beinsure Data, demand for cyber insurance is currently growing more steadily than the capacity on offer. In particular the loss-exposed sectors require proper risk coverage: healthcare, services, retail, the manufacturing sector, government institutions including the education sector, as well as financial services providers.
Making ransom demands is not the sole motivation of attackers of critical infrastructure. Such actors are often motivated politically or otherwise to cause maximum disruption or even the destruction of processes and systems, in order to trigger economic and political instabilities. Some criminal perpetrators also cooperate with state actors.
According to Munich Re Report, the insurance industry’s focus lies on clear wording, an adequate level of security and comprehensive transparency on risk information. In order to ensure the sustainability of cyber insurance, applicants must provide proof of their security standards. For example, access to the insurance market requires fundamental resilience-enhancing measures, such as access management, robust network security, the continuous patching of vulnerabilities and the presence of backups.
The global cyber insurance market is projected to grow from $7.60 billion in 2022 to $36.85 billion in 2028, at a CAGR of 25.3% over the forecast period 2022-2028.
To underline this, insurance capacity availability within the first USD/GBP/EUR50m layer has increased compared to Q1, particularly for the most attractive segments of the market. Previously less attractive/appreciated segments are also starting to see interest from insurers (focused on GBP1bn plus revenue accounts) who are increasingly showing interest in middle-market business where clients can tell a positive story and present the risk as high quality.
- Q2 2023 has delivered generally improving trading conditions, especially for core enterprise-scale clients
- Capacity stabilising for most market segments and improving in some, generating increased competition
- Focus on sustainable pricing, not a default of significant further increases
- Insurers’ focus on sustainable policy retentions/excesses remains
- Policy coverage remains under very careful review
- Continuing acute focus on war and terrorism exclusionary language
- Detailed underwriting information, and specifically context, remain key
New insurance capacity has entered the wider market during Q1, with more likely to follow in Q2. For example, we are monitoring InsurTech insurers who have quickly established themselves in the US cyber market and may well have their eyes on competing in the middle-market space (see Cyber Insurer Perspectives on Ransomware).
In addition, a leading global cyber insurer has now launched an Environmental, Social & Governance (ESG) based syndicate, potentially augmenting the capacity they are already offering. Not all segments of the cyber market will benefit equally from this additional capacity.
Clients still need to show a good level of risk control in order to secure capacity; however, insurers are increasingly demonstrating flexibility where clients can provide the necessary context to explain their risk acceptance rationale.
Insurers will have particular areas of focus and clients will need to demonstrate strong control measures in those areas. Unsurprisingly, insurers are keen to understand the business impact of events such as ransomware attacks and extortion demands.
Insurers remain cautious where clients could be at risk from the Russia/Ukraine conflict, and this particularly applies to organisations in telecommunications, financial institutions and critical national infrastructure. It does seem that the level of concern is receding.
Cyber insurance premiums & self-insured retentions
Premium increases in Q2 2023 are far more variable than in recent quarters, as a result of insurers’ focus on pricing adequacy. Clients with similar profiles may receive different levels of premium increases, the key being whether their insurer feels the expiring premium levels are sufficient.
In this respect, a small but increasing number of clients received a pricing reduction compared to 2022, often where a segment most impacted by 2022 capacity challenges then benefits from increasing competition in that segment.
In the same period, some accounts are still receiving increases of 50% or more, usually where their premium levels are significantly lower than their peers, demonstrating an out-performance of 2021 market conditions.
Insurers remain focused on self-insured retentions, but we are pleased to say that for an increasing percentage of accounts renewing in Q2 2022 they are seen to be adequate. We should add that clients are also considering increasing the level of self-insured retention as they plan their cyber insurance purchasing strategies.
Cyber insurance policy coverage
Insurers remain very focused on systemic risk. It is common in segments with more clients and so volume sales (such as the mid-market) that insurers offer less capacity per client than they would to large enterprises of £1bn or more, who are fewer in number and so present a lower accumulated risk.
Unsurprisingly, the Ukraine/Russia war has made insurers nervous. Many insurers quickly reviewed their contract language relating to War and Terrorism exclusions and are mindful that cyber-attacks have become a modern warfare tactic.
During Q2, insurers’ approach to this language continued to fall into the following categories:
- Sticking with the N.M.A. 464 War and Civil War Exclusion Clause – with various amendments / cyber terrorism cover ‘carved-back’
- Drafting an updated exclusion based (to some extent) on N.M.A. 464 or drafting a new exclusion altogether
- Considering using one of the four model clauses proposed by the Lloyd’s Market Association (LMA), predominantly LMA5567
Insurers continue to utilise ransomware coinsurance and/or sub-limits where they are not satisfied that a client’s security meets the insurers’ own minimum standards. Some insurers are not willing to consider offering cyber coverage unless certain standards are met. Insurers’ views on required minimum controls are increasingly varied and more flexible. This gives clients, with the support of their broker, the opportunity to advocate for their approach.
Cyber insurance claims & notifications
Ransomware risk is a significant one and likely to result in significant financial losses beyond a ransomware demand itself. That said, trends suggest that fewer ransomware demands are being paid.
Here are some highlight statistics regarding Ransomware from two vendors supporting businesses impacted by ransomware incidents.
- In Q1 of 2019, 85% of the cases Coveware handled ended in the cyber-criminal receiving a ransom payment. Four years later, that number is down to 46% in Q1 of 2023.
- Data theft without encryption results in no operational disruption, but preserves the ability of the threat actor to extort the victim. Coveware expects this shift from Big Game Hunting to Big Shame Hunting to continue.
Nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection – how can you give insurers comfort that your organisation sufficiently protects credentials, particularly privileged credentials?
Key considerations for insurance buyers
Insurers are continuing to take a careful approach when considering new or existing risks. Clients are routinely asked to provide evidence of sufficient cyber security controls before a risk will even be given consideration.
Additional written submissions to insurers are increasingly required, with a focus on ransomware controls. Insurer presentation meetings are also commonplace.
AUTHORS: Martin Berry – Director Client Relationship Management Willis Towers Watson, Dean Chapman – (Cyber Risk) Lead Consultant, GB Cyber Risk Solutions WTW, Matt Ellis – Divisional Director, FINEX GB Cyber WTW, Adrian Ruiz – Director – FINEX GB Cyber & TMT Willis Towers Watson