Reshaping the Cyber Insurance Narrative
Despite both increased awareness and preparation in recent years, global cybercrime costs are expected to reach $10.5 trillion annually by 2025, as reported by CyberVentures. That amounts to approximately 30,000 websites hacked daily and a new cyberattack somewhere in the world every 39 seconds. Not surprisingly, the value of cyber insurance mirrors this trend, and the necessity for companies to embrace it has never been more crucial. But hesitation remains. Which begs the question(s): amid such unsettling times, why are companies so skeptical of cyber insurance; and critically, has cyber insurance evolved enough to put their fears to rest?
In recent years, cyber insurance providers have had to rapidly adapt to the market’s needs and implement programs that elicit both confidence with insureds and stability within the overall industry. All the while, those providers have had to balance an additional reality: both the market and the industry are influenced by voices that criticize cyber insurance.
But it’s clear today that insurers are immensely more prepared to provide quality cyber coverage than even five years ago.
It’s been quite a journey. The cyber insurance industry went from a loss ratio of around 32% in 2017 to around 73% in 2019. As losses exploded, the industry went from $3 billion in total written premiums in 2018 to $7.8 billion in 2020—with projections of up to $20 billion by 2025.
This flipped the script on how we underwrite cyber. Top cyber carriers began to experience losses, and, in partnership with actuaries, have been placing emphasis on stemming those losses. Additionally, we’ve seen the rise of insurtechs—combined with advanced technology (including artificial intelligence) and human-based underwriting.
The result? A better controlled insured and a more responsible insurance carrier. The days are gone where anyone and everyone gets a $10 million limit. Rates are continuing to increase, and we are seeing limit deployment come down—and believe that this trend is only going to continue.
In 2021, we saw premiums increase and limits decrease, alongside increased requirements for controls. And we expect 2022 will play out in similar fashion on some levels. But the difference is we’re on a pattern for aggressive growth. Customers have begun to implement better cyber-hygiene strategies. Industry leaders have become more aware of cyber risk. And while cyber is often portrayed as a big, scary monster, the relationship between cyber insurance and cybersecurity grows stronger every day—witnessed by increased utilization of controls such as multi-factor authentication and data backups being encrypted and stored offline.
As a result, the future looks extremely bright.
As for the rate environment, history tells us this will eventually lead to a soft market. The industry won’t sustain extreme rate increases; however, it will be in a position going forward to act responsibly, and year over year, will produce more modest rate increases.
With limit management and deployment, we are no longer seeing multiple large towers, with numerous aggregate limits, being deployed by one carrier—with many taking limits down on both a per-risk and portfolio profile. This provides a unique opportunity for a better spread of risk, and a significant number of excess opportunities.
With the rise in limit management measures and ancillary coverage restrictions from carriers, we’re starting to see a reduction in severity of events. And soon (in some cases, we’re already seeing it), language will be deployed in the market that addresses large-scale events.
So, in answer to that question we’ve been getting—how do you stop a massive attack from happening? We cannot prevent a cyber event. However, the industry is in a significantly better position to respond as a result of underwriting diligence, technology deployment, and a consciousness of risk aggregation. It’s the principle that seatbelts save lives rather than prevent car accidents.
Requirements for business continuity/incident response plans, vulnerability scans, and tools for active monitoring are also emerging. These tools are designed to not only give value to the end-insured, but also provide greater visibility into the security of SMEs, allowing the underwriting process to mirror that of larger insureds.
Carriers now use a pretty broad range of scanning tools, and while we’ve come a long way in a short time, this will only improve. That’s really what we focus on now. Obviously, losses will occur, but the goal is to reduce the severity. And that’s what we’re doing with limit deployment and security deployment overall.
Much better for it
Looking ahead, there are two key truths: 1. Cybercrime will continue to evolve alongside us, constantly exploring, probing, and even penetrating when the opportunity arises. 2. However, we’ve got the knowledge, the controls, and the policy language in place to respond to cybercrime effectively—and much more strategically than just a few years ago.
Today, as an industry, we are more equipped to respond robustly to cyber threats and can be more confident at the insurance carrier level that cyber insurance is going to respond “in kind,” and in line with the profitability goals of the organization. Will we have to consistently adapt and evolve? Yes. Will it be easy to stay in front of the threats? No. Will there be missteps and/or learning opportunities? Absolutely. But it’s no longer like it was, and we’re all much better for it.
To that end, we can likely expect a hard market for the next one to two years, with insurance companies continuing to tighten controls, cut limits, and experience double-digit rate increases. Capacity is also still going to be a challenge as a whole. That said, loss ratios of existing portfolios should begin to see improvement, and a continued focus on the SME profile should yield advantageous results.
Ultimately, it's time to lean in to cyber insurance, and recognize it for what it has become: smarter, more robust, more comprehensive, and altogether more reliable. Together, we can create an even greater system and safety net, all while reshaping the cyber conversation so that it benefits us when we need it most. At the end of the day, it’s on us to make it happen.