Few lines have been talked about in recent years much like cyber. Accenture has predicted $ 25 billion in growth in annual cyber premiums globally by 2025 – or a 500% increase over today’s $ 5 billion GWP. Demand has never been higher. Nor have prices. And society continues to digitize rapidly. But is it really that simple for cyber insurance companies that these factors make them look like?
To reverse the saying: with great reward comes great risk. So while cyber promises guarantees both attractive scale and attractive margins, it can easily be their biggest challenge ever from a product perspective. The exposures are new and complex. The ghost of catastrophic loss casts a shadow on the book. And volatility threatens to stifle the market.
Cyber is at a crossroads, but there is a profitable path to growth – for the benefit of insurance companies, their customers and the entire digital economy. To find out how the industry best unlocks this opportunity, stay with us for this short series or download our new cyber insurance report.
Draws tomorrow’s hyperlinked cloud economy
Like everyone who stands at a crossroads, the first question that cyber insurers need to ask themselves is why. Why cyber insurance?
Centuries ago, our transition from local to international trade was signed by insurers – providing the insurance necessary for individuals to engage in the global economy, free from the risk of losing everything. Today, our societies are undergoing similar monumental changes, as the physical economy turns into a digital one. Valuable loads are delivered not only to remote physical locations but also to virtual ones.
For this reason, the digital economy needs a strong cybersecurity insurance sector in the same way as the physical economy needed to guarantee shipping. Cyber insurance not only provides a safety net for individual companies on the wrong side of a cyber attack, it promotes inclusion in the digital economy more generally — something that will surely help, not hinder, our attempts to solve the biggest problems we face as a species. And that need is already apparent today.
Cyber incidents have increased in recent years, including ransomware, hacking and denial-of-service attacks, many of them carried out via phishing techniques. Ransomware in particular has seen an escalation in both frequency and severity, inflated by perverted ransomware-as-a-service models and new attack methods such as double blackmail.
Source: Unit 42 Ransomware Threat Report 2021 (Palo Alto), SonicWall Cyber Threat Report 2021, Business Insider; data on redemption sizes are only for the USA, Canada and Europe
Cyber risk has long been considered a niche issue facing only the world’s largest companies. But its potential to influence smaller players has come into sharp focus during the COVID-19 pandemic, and it is without a doubt the biggest systemic threat. If the future is a “Cyber Wild West”, then the survivors will be big companies, not small companies.
Smaller companies have already proved less well prepared to deal with a remote workforce and the growing cybersecurity issues. By 2020, around 40% of UK medium-sized companies (50-250 employees) were duly aware that their cyber risk had increased since the start of the pandemic (GlobalData). And the long-term trend towards teleworking – and thus remote access to systems – will only continue.
The future is truly a one-way street for all the basics of cyber risk. The manual folds for digital, 4G to 5G, Internet of Things to Internet of Everything. More and more data is flooding into the cloud. Corporate insurance companies also play their part here, writing indirect cyber impacts – including property damage and liability – out of standard policies and leaving them nasty. In a future with autonomous vehicles, factories and logistics, this “silent cyber” exposure is beginning to look particularly frightening to smaller players.
Cyber insurance and the tough market
Given these growing risk factors and the risk for insurers to address them, it is hardly surprising that interest in cyber insurance coverage has swelled. However, losses have swelled even faster, exceeding premiums and prompting major price adjustments, especially in the United States.
While the average payout on a US stand-alone cyber insurance was $ 140,000 in 2019, this had dropped 150% to $ 350,000 by 2020 (Fitch Ratings). Continued heavy claims have pushed the books further into the red in 2021, with various major players now reducing their exposure – making it difficult to come up with the capacity to write new cyber risks.
The result, as in most commercial lines at the moment, is a tough market. This is certainly not a bad thing in itself; a healthy market must offer both sellers and buyers something, and this is evident – unevenly, of course – through the action of the insurance cycle. But what is happening in cyber can really be described as a tough market within a tough market, with price increases developing their own momentum.
Source: Marsh Global Insurance Market Index 2020-21
You can have too much of the good. While the players who are still standing can expect impressive margins in cyber right now — albeit while risking massive losses — the few short-term gains may not be in the long-term interest of many. The current price environment, which can last for several years, prices new target markets at a time when the cyber sector was ready for breakthrough growth.
This is especially true for small and medium-sized businesses. Smaller companies, which have finally overcome their long neglect of cyber issues, are finally turning to their brokers and insurers for help – only to find that cyber protection is unavailable or unaffordable.
It is true that there are other factors involved here; For example, many small businesses reduce their insurance budgets and cancel non-compulsory insurance due to financial hardship. However, we expect these factors to improve in time, especially as economies recover to pre-pandemic levels. What is less clear is whether the cyber insurance sector can recover quickly enough to take advantage of it.
Normally, in a tough environment, it would simply be to wait for the insurance cycle to go its way — eventually getting lower prices, and thus growth, in price-constrained sectors. But the level of difficulty in today’s cyber-hard market points to deeper structural issues.
There is an ongoing failure to understand and price cyber risk – the players who now have a chance to make good profits do so speculatively and only because so many have already blown their books. When it comes to ransomware insurance, it is not even clear how insurable the risk is in the long run, especially since there is coverage for both incentives and ultimately financing attackers. Overall, high-risk prices appear to be a feature rather than a bug.
At the same time, although it has achieved good premium growth in recent years, cyber has struggled to expand its capital base. And this despite the high-and-rising capital requirements that it must meet as a Cat type.
So while much of its catastrophic potential — such as large aggregations and maximum limits — can be relinquished to reinsurance companies, this reinsurance pool still boils down to just a handful of providers, all in turn wary of their combined exposures. This increases volatility. It also sets a natural ceiling for the amount of capacity insurers can create, undermining long-term affordable rates.
Efforts to scale the product into its existing form therefore prove to be self-limiting. Maximizing growth destroys profits; maximizing profits destroys growth. And if they are unable to establish a large and stable customer base to begin with, cyber insurance companies will find it more difficult to iterate and renew themselves out of the current stalemate.
One result is a product that forever sticks to the second base: a high-risk, high-yield alternative sold by a handful of specialists to a handful of mega-companies. And the broader digital economy is getting poorer for it. The alternative is simple: insurers need to find a way to grow the line profitably. The question is how.
A profitable path to growth for cyber insurance companies
What insurers are facing right now is a sales-related problem: a product design challenge with both front-end and back-end consequences. It will not be easy, but at least the ball is in their court.
By constructing risks, correcting their exposures and, in the longer term, increasing access to capital, insurance companies – and their reinsurance companies – can achieve a sustainable product market that fits into cyber. Actuaries, insurers, claims teams, software companies and industry consortia must work together in some or all of the following areas:
Take advantage of an industrialized answering service
Create a ransomware-focused claims service
Use integrated warranty to price dynamically
Encourage insured persons to increase their cybersecurity hygiene
Learn from Insurtechs
Maintain discipline on the course
Follow personal lines
Help customers before and after intrusion
Pursue ecosystems and alliances
Focus on skills development and acquisitions as well as retention
Focus on innovative technologies such as real-time analytics and IoT
For more information on the challenges for cyber insurance companies – as well as our 11-point program for achieving profitable growth- download our newly published report. To discuss any of the ideas in this series or report, please contact us.