A slowdown in price increases and companies hardening their cybersecurity defenses will help expand the cyber insurance market, according to S&P Global.
The recent moderation of cyber insurance price increases could pave the way for new buyers to enter the cyber market and make life easier for existing customers.
Digitalisation is advancing in every area of the economy and society. For the insurance industry, it is therefore vitally important to continue to tailor the range of cyber products to customer requirements and increasing digital dependencies (see Top Cybercrime Predictions for 2024).
Cyber Insurance prices stabilizing
Cyber prices stabilizing in the second half of 2022 and the first half of 2023 has resulted in an improvement for those clients renewing their cyber cover, and really good news in terms of being able to bring new buyers in and grow the market (see about Future of Global Cyber Insurance Market).
The cyber market has big aspirations for growth that are only achievable if new buyers come in.
For existing customers, the rate increases and coverage restrictions that insurers were imposing when the hard market was in full swing wasn’t sustainable in terms of clients continuing to see the value of the cover. Some things had to change there, which fortunately they have.
Prices were soaring by 150% heading into 2022 but are now ticking up by 10% to 15% on average, according to Marsh. In some cases, reductions ranging from 10% to 25% are being seen. It’s stabilizing to the point where clients can actually budget and plan for the cost of it.
Pricing has also become more predictable. Sudden price changes two weeks before renewal were not unheard of in the past, but now, insurers can have formal discussions three-to-six months out again.
Hard cyber insurance market has been painful
While the hard cyber insurance market has been painful for coverage buyers, it has resulted in risk profile improvements. The cyber insurance market has seen significant changes during 2023, with the segments within the market being more distinct and nuanced than previously experienced.
In addition to price increases and tighter terms, insurers have been demanding higher levels of cyber resilience from clients before they will cover them, which has bolstered their defenses and made them more insurable. Ransomware and cyber-attacks on both supply chains and critical infrastructures pose a greater threat than ever to companies and society.
More buyers will come into the market, and that some of them will have already improved their cyber security defense measures before buying insurance cover.
Over the last two years, insurers have seen clients improve their security maturity, and I would say that cyber insurance has played a key role in the security efforts.
The hard market has also spurred new ways of thinking about ways of tackling cyberrisk beyond traditional insurance.
- Future growth and relevance cyber insurance now centres around three key themes: penetrating new markets, addressing systemic risk and expanding available capital
- Cyber insurance pricing increases that have driven the growth of the cyber insurance market in recent years are now receding
Cyber insurance is at a decisive moment in its growth journey. Conditions are stabilising and by tackling key challenges around distribution, tail-risk and capital the market is on the cusp of transformational growth.
According to Howden’s report, a few areas of re/insurance get as much attention as cyber. There are several reasons for this – the pervasive threat environment, its interactions with technology and geopolitics, the inherent unpredictability, the exciting growth potential but, above all, its relevance to clients worldwide.
Cyber insurers continue to be selective
Some cyberrisk has been pushed to captive insurers or parametric products, which pay out automatically when certain triggers are hit.
Price increases may have eased, but insurers continue to be selective about the risks they underwrite. Adequate cybersecurity measures are key to buyers getting the cover they need.
There will be capacity available if clients can comply with the minimum standards that are required. If not, clients may face coverage restrictions, higher deductibles or no cover at all.
Strengthened cyber resilience has continued to pay dividends into 2023, as resurgent ransomware activity in the first half of the year has so far not been accompanied by a corresponding rise in losses or claims (see How to Increase Resilience of Cyber Market?).
Cyberthreat environment is changing landscape
The cyberthreat environment also continues to evolve. Ransomware, which triggered the hard market, has not gone away.
Cyberattack frequency is starting to creep up after a large drop-off following the onset of the Russia-Ukraine war, according to Warszona, although the attacks are not war-related. War in Ukraine Slows Growth of Global Re/Insurance Market. The year 2022 can be characterized as one of the most challenging years in recent decades from the social, financial, political environment points of view, the word “crisis” characterizing better than ever a period of twelve months.
Ransomware itself is evolving. Leemans said there were now triple ransomware attacks, where hackers demand money to unlock systems they have encrypted, and then from both the targeted companies and their customers to prevent the release of stolen data.
The recent MOVEit attack, which is now thought to have spread to hundreds of companies,”is a great reminder that it’s still out there.
Russia-Ukraine Cyber War
Since the war began, governments, companies, civil society groups and countless others have been working around the clock to support the Ukrainian people and their institutions.
Cyberwarfare has provided just a handful of notable skirmishes in the Russia-Ukraine War. But fears linger that the scale and frequency of digital attacks on financial, industrial, and state targets in Ukraine, and among its allies, could escalate.
Realization is changing the dynamic of cyber risk management, pushing damage limitation to the forefront and, as a result, turning the spotlight on attack detection.
Risk management, including cyber risks, is considered within our ratings process, weak governance protocols can lead to a lower rating than pure financials might otherwise indicate.
Issuers that quickly detect an attack afford themselves a chance to break the attack lifecycle at an early stage and thus limit financial damage and potential credit quality impacts. An attacker doesn’t gain access to a target’s systems until step three of five (exploitation) in the attack lifecycle.
The war exclusions issue is centre stage currently, as the Ukraine war and rising geopolitical tensions elsewhere have prompted certain markets to look to clarify their positions around what is insurable (see Cyber Security Top Trends & Cyber Attack Threats). Cybersecurity has become a more dynamic field, rapidly adjusting and shifting to keep apace with business inventiveness.
AUTHOR: Ben Dyson – S&P Global
Quotes: Vanessa Leemans – head of cyber, UK and Lloyd’s, at AXA XL, Glyn Thoms – head of cyber and technology, media and telecoms for UK at Willis Towers Watson, Brian Warszona – UK deputy cyber practice leader at Marsh, Mark Rubidge – director in the major risks practice at Arthur J. Gallagher