Risk management is the process of identifying, assessing and responding to/mitigating risk events. Organisations must understand the probability and potential severity of loss events to determine their acceptable level of risk. Based on their tolerance, they can choose to avoid or accept certain risks, and take steps to mitigate or transfer the resulting exposures.
In the cyber context, organisations must manage the vulnerabilities of their computer and network systems. They must also train employees to identify threats, stay abreast of privacy laws and navigate a risky geopolitical environment.
Efforts to manage the risks emanating from third-party liability, ransomware claims and supply chain/critical infrastructure threats have been ongoing since the 1990s. Since then, the scope of cyber threats has reached new levels and overall awareness has increased.
The private and public sectors have responded with more risk management efforts and investment in cyber security, and by growing the cyber insurance market.
Companies retain a greater share of cyber risk than property and other liability risks. This partly reflects the relative novelty of the digital economy. In 2022, only 16.6% of digital and other intangible assets were insured, compared to 58% of tangible assets. But the cyber insurance market grew rapidly in 2021, driven by the rise in ransomware and first-party losses, while at the same time also seeing increased third-party claims. We expect strong growth will continue in the coming years as cyber risks are better understood.
Insurance plays a key role in improving cyber security beyond its core function of risk transfer. Following the recent spike in malware attacks, the industry has tightened underwriting standards, contributing to a temporary decrease in the frequency and severity of ransomware attacks and claims in 2022.
Beyond creating financial incentives to improve security protocols and mitigate vulnerabilities before the policy period, cyber insurance is a valuable input to the risk management process in three further ways: pricing the risk, which provides a financial basis for framing decisions; monitoring, which can reduce vulnerabilities during the policy period; and claims payments and response support, which improve resilience and can mitigate losses after a cyberattack.
Cyber: outpacing growth in other insurance lines
The cyber insurance market has grown with the digitalisation of the economy. Cyber insurance originated in the mid/late 1990s in the US, evolving from professional liability policies such as E&O.
The policies indemnified companies for third-party privacy/ security claims post data breaches that affected customers, employees, investors and/or business partners. Coverage for first-party losses was introduced in the mid-2000s but given US data privacy regulations, third-party liability remained the main catalyst for product innovation.
By the 2010s, the cyber insurance market expanded beyond the US. Developments such as the implementation of GDPR in the EU in 2018, increased investments in digital infrastructure and rising awareness of cyber threats have helped spur global market growth.
A main driver of cyber insurance market growth has been rising frequency and severity of cyberattacks, which in turn have raised awareness of the risk. In the US, the largest cyber market, premiums grew by 74% in 2021.
Standalone policy premiums increased 92%, driven by rate increases after ransomware incidents led to a spike in loss ratios in 2020. We estimate that global cyber insurance premiums reached USD 10 billion in 2021 and we forecast 20% annual growth to 2025, with total premiums rising to USD 23 billion.
That said, the market has significant growth potential beyond these projections.
Given estimates of annual global cyber losses at USD 945 billion, nearly all of the risk remains uninsured. One estimate puts the protection gap at 90%.
According to a recent study, only 55% of polled businesses have insurance, and less than one-fifth have ransomware cover limits above USD 600 000, the median of the losses resulting from such attacks.
[Figure: US standalone loss ratio, and rate and exposure growth]
[Figure: Global cyber insurance premiums, USD bn]
Cyber insurance market: evolution and structure
We estimate that two-thirds of current global cyber-insurance covers are written for US clients, and the majority of those by US-domiciled insurers. The top 10 direct cyber insurers account for 57% of the US market.
The market is less concentrated than personal lines such as auto and homeowners, but more concentrated than large commercial lines like workers’ compensation and general liability.
For insurers with sufficient capacity to increase market share and knowledge of the risk, cyber insurance offers a compelling growth opportunity.
Largest US cyber insurers, by direct premiums written (USD million, based on NAIC cyber supplement data)
Company | 2021 DPW | 2020 DPW | Growth | Cumul. share
Industry (total) | 4 827 | 2 774 | 74% | 100%
The competitive landscape comprises direct writers, managing general agents (MGAs) and managing general underwriters (MGUs). We estimate that 40-50% of global cyber insurance premiums are ceded to reinsurers, well above the 15% commercial lines average.
This high cession rate gives new entrants a way to gain a foothold in the market. Even so, capacity at the industry-wide level remains constrained, primarily because of the potential for large systemic loss events.
Cyber insurance coverage can be provided on a standalone basis or packaged within an existing commercial multi-peril policy.
The standalone market developed in response to the introduction of cyber exclusions in other policies and, in terms of direct premiums written, has grown to nearly twice the size of the packaged cyber market.
These covers can include:
1) all losses resulting from a cyberattack;
2) liability related to data breaches;
3) losses related to data restoration.
Standalone policies are typically purchased by larger firms with more data and financial resources at risk. Based on the cyber supplement filed with the NAIC, the average premium for standalone policies written in 2021 increased to USD 12 161, compared with an increase to USD 480 for the cyber component of packaged policies, such as financial (D&O) or professional lines (tech and miscellaneous E&O).
Around 259 000 standalone policies were reported in force at year-end 2021 compared with 3.5 million packaged policies. Ninety-four percent of the standalone policies were classified as claims-made rather than occurrence. There was a near even split in packaged policies.
[Figure: Total DPW (USD mn) reported in the cyber supplement filed with the US National Association of Insurance Commissioners]
[Figure: Average premium (USD) by policy type]
Product trends: strong demand for first- and third-party insurance coverages
As ransomware attacks have increased, so too has demand for first-party coverages, with corporations focused on protecting data and preventing business interruption. The NotPetya attack in 2017 marks the start of the shift from third- to first-party as the dominant coverage. In contrast to the earlier class-action lawsuits over data breaches, claims filed after NotPetya were for the financial and operational harm caused by the malware rather than for data breach losses.
By 2019, with the proliferation of ransomware-as-a-service and the increased sophistication of criminal hacking groups, companies faced significant exposure to first-party losses.
Alongside the surge in ransomware claims and the underwriting measures taken in response, recent privacy rules and court rulings could also renew demand for third-party covers such as regulatory fines, legal fees and privacy and network security liability.
The outcomes of existing cases will set precedents for corporate and insurer exposures under data protection rules such as the EU’s GDPR, the California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, and the China Personal Information Protection Law. In addition, companies must monitor new rules and understand their potential exposures.
For example, under the American Data Privacy and Protection Act, a bill introduced in the US House of Representatives in June 2022, firms would need to implement security practices to protect personal data against unauthorised access, and individuals would be able to bring civil actions for violations of the Act.
Claims trends: systemic risks drive strong rate increases
The upshot is increased demand for cyber insurance and heightened awareness of the potential for systemic losses. This surge in demand has met with restricted capacity, pushing prices higher, with some brokers reporting triple-digit year-over-year increases in 2021.
The momentum has continued into 2022, but with some deceleration. In the Council of Insurance Agents and Brokers’ second quarter 2022 survey, 85% of respondents reported an increase in demand for cyber coverage, and 64% reported an increase in claims.
These numbers are less than in 2021 but indicate persistent elevated demand and adverse loss experience. Supply remains constrained, with nearly 80% of survey respondents reporting a decrease in capacity in the first quarter of 2022. In addition to double-digit rate increases since late 2020, underwriters have included sub-limits for ransomware covers, co-insurance of up to 50% for ransom payments, and a revamped application process.
[Figure: Percentage of respondents indicating an increase in claims demand vs decrease in capacity]
Standards for loss mitigation become a prerequisite to underwriting risks
Clients in the US and globally now need to demonstrate their preparedness for a ransomware attack. Insurers, or the analytics firms they work with, review an applicant's exposure with scanning tools and place particular emphasis on business continuity/disaster recovery planning, privileged access controls, multi-factor authentication and proactive scanning/testing.
Typically, a supplemental ransomware application is required as part of the application or renewal process; if the answers are unsatisfactory, the policy is either not written or not renewed.
For insureds, the expense of implementing the security measures required to meet a baseline level of cyber hygiene can be more than offset by premium savings. The application and underwriting process therefore motivates a business to focus on risk assessment, and incentivises risk-based security measures that minimise insurance costs. Coverage conditioned on such measures encourages greater precaution and thus reduces the probability of loss.
The American Property Casualty Insurance Association has described cyber resilience as “a societal obligation.” Because of the borderless nature of the cyberspace, companies that lack appropriate digital defences put themselves and the broader economy at risk.
After high-profile cyberattacks such as the one on Colonial Pipeline’s IT systems, policymakers have started to push for increased mandates.
The new strategy in the US includes rules mandating that organisations meet minimum cybersecurity standards, partnering with the private sector and stricter enforcement of any new rules.
To the extent that cyber insurance provides financial incentives aligned with market and public authority cyber deterrence objectives, it can limit the need for mandates and promote productive cooperation between the private and public sectors.
Underwriting criteria and data sources
Public and private entities can also improve cybersecurity by coordinating on processes such as "design and testing". Similar to building codes for earthquake and fire safety, and crash tests for cars, hardware and software could be tested and officially validated before release. One example is a recent initiative in the US modelled after Energy Star, a labelling program used to promote energy efficiency.
Insurance clients can also benefit from ancillary services
Re/insurers often work with cybersecurity companies to develop customised products for clients, especially in the critical infrastructure sector. The cybersecurity companies have teams with strong technical capabilities and can either steer the project or act as service providers and risk consultants.
The engagement of cybersecurity companies expands the capacity to undertake pre-underwriting examinations and offer holistic cyber solutions, including ongoing cyber risk monitoring.
Cyber insurers can extend beyond their risk mitigation and transfer function when an attack occurs. The insurer may provide claims services and loss compensation, while the cybersecurity company evaluates the losses.
Emergency assistance, loss control and data recovery are also available to clients. In some countries, re/insurers and cybersecurity companies work with the public sector to develop a more holistic picture of the risk. These forms of cooperation can expand the scope of business for re/insurers but also require investment to develop the necessary skills and partnerships.