Cyber insurance is at a decisive moment in its growth journey. Conditions are stabilising and by tackling key challenges around distribution, tail-risk and capital the market is on the cusp of transformational growth. According to Howden’s report, few areas of re/insurance get as much attention as cyber. There are several reasons for this – the pervasive threat environment, its interactions with technology and geopolitics, the inherent unpredictability, the exciting growth potential but, above all, its relevance to clients worldwide.

Ransomware frequency in 2023 is up nearly 50% compared to the corresponding period last year

Businesses in all regions continue to rank cyber as one of their most pre-eminent risks, a seemingly well-founded view considering the myriad of shocks companies and insurers have faced in the last three years alone, from rapid digitalisation post-COVID (and the proliferation of attack surfaces) to rampant ransomware and the war in Ukraine (see Cyber Insurance, Ransomware & Hybrid Warfare Outlook).

Future of Global Cyber Insurance Market: Size & Key Challenges
  • Future growth and relevance now centre around three key themes: penetrating new markets (particularly SMEs), addressing systemic risk and expanding available capital
  • Given the highly volatile geopolitical climate, Howden backs efforts to get ahead of the cyber warfare issue by proactively providing clarity to clients and investors around the scope of cover
  • Cyber insurance pricing increases that have driven the growth of the cyber insurance market in recent years are now receding

No other line of business has such a dynamic risk landscape on the one hand, and such growth potential on the other.

Strengthened cyber resilience is paying dividends, as improved underwriting results yield positive outcomes for insurance buyers

These dynamics continue to play out in the market. Following a major market correction off the back of surging ransomware claims in 2020 and 2021 (see Global Cyber Insurance Claims Report), which led to the cost of cyber cover more than doubling, conditions started to stabilise last year as activity relented and more robust risk controls deterred or mitigated attacks.

Global cyber insurance premiums

The size of the cyber insurance market could reach $50 bn by 2030, though the realisation of this potential is tied to three key factors: distribution, tail-risk management and attracting capital.

If these challenges can be navigated successfully, the cyber market is on the cusp of potentially transformational growth

Growth potential of cyber insurance market up to 2030
Source: Howden

H1 2023 saw a significant rise in ransomware attacks, but disclosures from a number of carriers in 1Q23 suggest this has not been accompanied by a corresponding rise in claims

This points to the efficacy of risk controls in making companies more resilient and supporting a more stable cyber insurance market. Conditions are now relenting, and buyers that have the correct risk controls in place are being rewarded with more favourable pricing and terms.

By overcoming potential limitations around systemic risk, penetration and capital, the cyber insurance market has an unparalleled opportunity to grow.

Having navigated the early phases of development that often come with new, fast-growing lines of business, the cost of cyber insurance is now more commensurate with loss costs following the recent correction

Dan Leahy, Associate Director, Howden

Whilst the first half of 2023 has seen pricing decline, the sustainability of this trend remains uncertain given the pervasive threat environment.

Rates nevertheless cannot be relied upon to drive market expansion to the extent that they have recently, requiring ambitious plans for exposure growth. Penetrating new territories and company demographics is therefore pivotal to realising the full potential of cyber insurance.

Strengthened cyber market resilience


Strengthened cyber resilience has continued to pay dividends into 2023, as resurgent ransomware activity in the first half of the year has so far not been accompanied by a corresponding rise in losses or claims (see How to Increase Resilience of Cyber Market?).

Concomitant benefits to underwriting results are yielding positive outcomes for insurance buyers, with programmes renewing flat or even with decreases as pricing comes off recent historical highs.

The war exclusions issue is centre stage currently, as the Ukraine war and rising geopolitical tensions elsewhere have prompted certain markets to look to clarify their positions around what is insurable (see Cyber Security Top Trends & Cyber Attack Threats). Cybersecurity has become a more dynamic field, rapidly adjusting and shifting to keep pace with business inventiveness.

Ransomware incidents vs insurance premium increases
Source: Howden, NCC Group

The introduction of new war language was always going to be contentious, but clients are increasingly recognising the importance of proactively scoping out the parameters of cover for cyber warfare, both for their own benefit and for providing underwriters and investors with the confidence needed to commit to the market.

Maintaining clients’ confidence in the product during this process is pivotal to realising cyber’s growth potential, as is the need to penetrate into new territories and company demographics.

Achieving relevance requires insurers and brokers to find better ways to bring small and medium-sized enterprises (SMEs) into the cyber market. Attracting capital will be crucial to achieving all these goals, a task which should not be underestimated given the difficult macroeconomic backdrop and capital constraints in the reinsurance market currently.

The direct market’s use of (or reliance on) reinsurance is the single biggest differentiator between cyber and any other class of business.

Cyber insurance & Rampant ransomware

Cyber rarely stands still and developments in the first half of 2023 point to a nuanced marketplace, with optimism around more favourable supply dynamics for buyers tempered by signs of resurgent ransomware activity and ongoing concerns around how the market should manage potential systemic losses. Conditions in the reinsurance market also remain challenging.

Frequency and severity of ransomware incidents
Source: Howden analysis using data from Coveware, SonicWall, NCC Group, Chainalysis, Sophos

The war in Ukraine has highlighted the unpredictability of the cyber threat landscape, with reduced claims activity in 2022 refuting expectations that the conflict would trigger more frequent and severe attacks.

The situation nevertheless remains volatile, with the war’s reach and duration profoundly affecting global cyber security.

Geopolitical risks have increased elsewhere too, with tensions mounting between China and the United States as well as within the Middle East.

Concern and scrutiny around state-sponsored activity has moved certain markets to update war exclusions and clarify their applicability to highly destructive but remote cyber scenarios, including Lloyd’s insurers.

U.S. cyber insurance market
Source: NOVA, S&P

Little surprise then that executives continue to rank cyber and business interruption as two of the most significant risks facing corporations today, according to Allianz Risk Barometer.

Even as cyber lives up to its dynamic reputation, businesses are now better prepared to deal with the fallout. Insurance is proving to be critical to this fightback by indemnifying losses, incentivising better cyber hygiene and strengthening resilience.

Allianz Risk Barometer 2023
Source: Allianz Global Corporate & Specialty

Responding to ransomware attack

Cyber risk has undergone several episodes of change in its relatively short history, but escalating ransomware frequency and severity in 2020 and 2021 was unlike anything experienced previously.

The availability of turnkey (and low cost) ransomware kits – otherwise known as ransomware-as-a-service – drove the proliferation of incidents during this period whilst tactics such as double or triple extortion – where gangs threatened to publish stolen data or even launch distributed denial-of-service (DDoS) attacks in the event of non-payment – saw costs spiral.

Frequency index for ransomware vs data breach incidents
Source: Howden analysis based on Coveware data

U.S. ransom payments and average downtime duration
Source: Howden analysis based on data from SonicWall, Risk Based Security and Flashpoint

Fears that Russia’s invasion of Ukraine in early 2022 would fuel already elevated ransomware activity proved to be unfounded (initially at least), as both warring sides, host to some of the worst offending ransomware gangs, refocused their efforts and resources on conventional warfare.

Data from Chainalysis shows that revenue generated by threat actors from ransomware fell significantly in 2022 compared to the elevated levels of the preceding two years.

Economic sanctions, increased pressure on gangs from Western law enforcement and attendant disruption to the franchise model led to less successful extortion campaigns last year, even if frequency and severity remained elevated relative to 2019 levels.

Revenue received by ransomware attacks
Source: Chainalysis

Improved cyber hygiene has also made companies less susceptible to material impacts, rebalancing cost-benefit considerations for some over whether to pay ransoms.

Data from Coveware shows a decreasing trend in paid ransoms between 2019 and 2022 (averaging close to 40% last year compared to 70% in 2020).

Organisations with cyber insurance remain more likely to pay ransoms than those without cover, with separate data from Sophos showing 58% of companies with standalone cover paying ransoms versus just 15% with no cyber insurance at all.

Proportion of ransomware victims paying a ransom
Source: Howden analysis based on Coveware data

Resurgent ransomware

Ransomware is likely to continue to dominate the cyber loss landscape in 2023 and there are already signs that the relative stagnation of activity may be unravelling.

Following early signs in 4Q22 that ransomware frequency was rebounding, the first five months of 2023 have seen a significant increase in attacks.

The figure below compares cumulative ransomware activity in 2022 and 2023, with the latest data from NCC Group in May showing frequency up 48% compared to the corresponding period last year.

Disclosures from a number of insurance carriers in 1Q23 suggest this has not (yet, at least) been accompanied by a corresponding rise in claims, pointing to the success of risk controls in making companies more resilient and supporting more stable insurance market conditions this year despite higher ransomware activity.

Cumulative global ransomware activity by month – 2023 vs 2022
Source: Howden analysis based on data from NCC Group

Established gangs (starved of funds following the drop in revenues last year), along with the emergence of new groups, are driving the acceleration in frequency.

Companies across a wide spectrum of sectors and geographies (albeit U.S. predominantly) are being targeted, with mid-sized organisations in particular experiencing a high number of attacks as gangs weigh up ability to pay against security measures in place.

Ransomware victims by geography, sector and revenue
Source: Howden analysis based on data from Black Kite

Threat actors’ tactics are also shifting. In addition to double or triple extortion, certain groups are now accessing networks to change or even destroy data and then demanding ransoms to disclose what has been targeted. There have also been growing instances of physical threats made to company executives and their families or broader contacts to force victims into negotiations.

According to Sophos, average ransom payments in early 2023 were close to double those paid in 2022, with 40% of companies surveyed reporting payments of USD 1 million plus compared to just 11% last year.

All of which is indicative of resurgent ransomware severity following last year’s lull. Some extreme ransom demands this year have exceeded the USD 100 million mark.

Distribution of ransom payment amounts
Source: Sophos

Identifying vulnerable companies

Ransomware is back and businesses are at renewed risk of being targeted and suffering major disruption.

It is essential in this environment that companies have robust processes in place to identify and remediate vulnerabilities that pose the greatest potential for exploitation by threat actors.

Alex Tenenbaum, Director of Services at cyber analytics firm CyberCube

Despite an ever-changing and complex threat landscape, a select few threat actors remain responsible for a disproportionate number of breaches and losses. According to Abnormal Security, the five most active ransomware groups were responsible for more than half of all related attacks from mid-2020 to mid-2022.

Using forensic analyses of past attacks, as well as intelligence from the broader cyber threat research community, it is possible to apply a framework to identify vulnerable companies.

First, organisations using technologies known to be targeted and exploited by top ransomware groups are inherently at higher risk, as exploiting digital supply chains is a route for breaching a company.

Threat actors are also likely to have identified weakness(es) in technologies that they target repeatedly. For example, Windows Operating Systems 8.1 and earlier are no longer supported, and nor are Windows Server 2008 and earlier.

Secondly, companies that have security signals or security control deficiencies commonly exploited as part of threat actors’ playbooks are at heightened risk.

If companies have multiple security lapses, they are at greater risk given the higher likelihood of hackers successfully progressing along each kill chain step to achieve their objectives.

Combining these two concepts can help identify companies most at risk from predominant threat types (including ransomware), as well as the groups behind the majority of attacks. Carriers are increasingly utilising these types of insights for underwriting decision-making and it is critical that companies work with their intermediaries to address any relevant red flags before they engage with their insurance partners.

Cyber insurance market has the potential to scale to rival the other P&C lines

This puts the market on a sound footing for growth, but the report shows that more work needs to be done if it is to meet the growing demands of clients worldwide. By overcoming potential limitations around systemic risk, penetration and capital, the cyber insurance market has an unparalleled opportunity to grow.

1. War exclusions

The introduction of new war language has been contentious, but clients are increasingly recognising the importance of proactively scoping out the parameters of cover for cyber warfare, both for their own benefit such as minimising the potential for coverage disputes, and for providing underwriters and investors with the confidence needed to commit to the market.

Getting this right is crucial for the sustainability of the cyber market. By providing a framework designed specifically for cyber’s unique risk profile, clients will be offered more certainty around the parameters of cover and what is insurable and what is not.

Sarah Neild, Head of UK Cyber Retail Howden

The process of defining the limits of cover specific to cyber acts of war will help to fulfil the potential of this market, but only if the clauses are fit for purpose and clients’ needs are met.

With one of the largest global reinsurers steadfast on the application of their war language, wider adoption seems inevitable, despite carriers’ disparate views on what adoption should look like. Increased uniformity on this topic would ultimately help the market secure relevance for the long term.

2. Increasing penetration

Pricing increases in recent years, from 2020 onwards especially, have driven the growth of the cyber insurance market, but these tailwinds for insurers are now unwinding or even reversing in certain areas.

Whereas annual rate increases of more than 100% were recorded during the first half of last year, the corresponding period in 2023 has seen flat renewals or even decreases in recent months as pricing has come off historical highs.

Having navigated the early phases of development that often come with new, fast-growing lines of business, the cost of cyber insurance is now more commensurate with loss costs following the recent correction.

Dan Leahy, Associate Director Howden

Whilst the first half of 2023 has seen pricing decline, the sustainability of this trend remains uncertain given the pervasive threat environment.

Rates nevertheless cannot be relied upon to drive market expansion to the extent that they have recently, requiring ambitious plans for exposure growth. Penetrating new territories and company demographics is therefore pivotal to realising the full potential of cyber insurance.

Howden’s Global Cyber Insurance Pricing Index
Source: Howden

3. Reinsurance Capital

The direct market’s use of reinsurance is the single biggest differentiator between cyber and any other class of business. With approximately 45% of cyber premiums ceded to reinsurers currently, broad capacity constraints and price corrections in the reinsurance market present potential limitations.

If the cyber market is to scale up to rival other major lines of business, cyber reinsurance supply will need to increase significantly in order to meet demand between now and 2030.

Whilst cyber reinsurance premiums are currently in the range of USD 6 billion, they would need to increase more than three times over in order to fulfil growth expectations by the end of the decade.

Such high levels of growth would be ambitious during favourable market conditions, let alone when supply is as constrained as it is currently in the reinsurance market.

Further innovative thinking around matching risk to capital is needed to realise the full potential of cyber (re)insurance from here. Growing consensus on risk definitions, alongside product innovation around systemic exposures in particular, are already attracting third-party investors. Maintaining focus and momentum in this area will be crucial to seeing alternative capacity becoming an integral part of the cyber market’s capital structure.

Growth potential of cyber insurance and reinsurance markets up to 2030
Source: Howden

Ensuring that cyber insurance is relevant to clients of all sizes is paramount to improving access in new territories and across different sections of the economy.

Attracting capital is also crucial to this goal, a task which should not be underestimated given current macroeconomic challenges and capital constraints.

Shay Simkin, Global Head of Cyber, Howden

Systemic cyber exposures present challenges for an insurance market built on underwriting mostly geographically contained and uncorrelated (physical) risks, and being guided in the process by historical data to help manage aggregations, estimate potential losses and price policies.

Business interruption is one of the more dominant exposures associated with large-scale cyber attacks, and COVID-19 offered a glimpse into how borderless and non-physical threats have the potential to see losses spiral quickly.

Cyber incidents, including WannaCry, NotPetya, SolarWinds, Microsoft Exchange, Colonial Pipeline, Kaseya and Log4j, highlighted the potential for systemic losses, even if the quantum ultimately ended up being manageable for the insurance market. The recent MOVEit hack is another reminder of how companies need to manage supply chain risk, even if losses from this particular incident are unknown at this stage.


AUTHORS: Julian Alovisi – Head of Research Howden, Shay Simkin – Global Head of Cyber Howden, Sarah Neild – Associate Director Howden, Daniel Leahy – Head of Cyber Retail Howden, Ben Geffen – Associate Director Howden.

Expert contributors: Alex Tenenbaum – Director of Services CyberCube, Jonathan Hatzor – CEO Parametrix Insurance, Milo Wilson – Lead Intelligence Analyst XCyber
