Demand has never been higher. Neither have rates. And society continues to digitalise apace. But are things really as straightforward for cyber insurers as these factors make them appear?
To invert the adage: with great reward comes great risk. So, while cyber promises underwriters both attractive scale and attractive margins, it could easily be their greatest ever challenge from a product perspective. Exposures are new and complex. The spectre of catastrophic loss casts a shadow on the book. And volatility threatens to stifle the marketplace.Cyber is at a crossroads, but there is a profitable path to growth – for the benefit of insurers, their customers and the whole digital economy.
Underwriting tomorrow’s hyperconnected cloud economy
Like everyone standing at a crossroads, the first question cyber insurers need to ask themselves is why. Why cyber insurance?
Several centuries ago, our transition from local trade to international trade was underwritten by insurers – providing the necessary assurance for individuals to become involved in the global economy, free from the risk of losing everything. Today our societies are going through similar monumental change, as the physical economy transitions to a digital one. Valuable cargoes are delivered not just to far-off physical locations but to virtual ones too.
For this reason, the digital economy needs a strong cybersecurity insurance sector in the same way as the physical economy needed to underwrite the safety of shipping. Cyber insurance doesn’t just bring a safety net for individual firms on the wrong side of a cyber-attack, it promotes inclusion in the digital economy more generally – something that will surely help, not hinder, our attempts to solve the greatest problems we face as a species. And that need is already palpable today.
Cyber incidents have surged in recent years, including ransomware, data breach and denial-of-service attacks, many of them executed via phishing techniques. Ransomware in particular has seen an escalation in both frequency and severity, buoyed by perverse ransomware-as-a-service models and new methods of attack like double extortion.
Cyber risk was long regarded as a niche problem faced only by the world’s largest companies. But its potential to impact smaller players has come more sharply into focus during the COVID-19 pandemic, and this is arguably where the greatest systemic threat resides. If the future is a “Cyber Wild West”, then the survivors will be large corporates, not small businesses.
Smaller businesses have already shown themselves less well prepared for managing a remote workforce and the increased cybersecurity issues that brings. In 2020, around 40% of UK medium-sized businesses (50-250 employees) duly felt their cyber risk had increased since the start of the pandemic (GlobalData). And the long-term trend towards remote work – and, with it, remote systems access – is only set to continue.
Indeed, the future is a one-way street for all the fundamentals of cyber risk. Manual is giving way to digital, 4G to 5G, Internet of Things to the Internet of Everything. More and more data floods into the cloud. Business insurers are also playing their part here, writing indirect cyber impacts – including property damage and liability – out of standard policies, leaving them uncovered. In a future of autonomous vehicles, factories and logistics, this “silent cyber” exposure starts to look especially daunting for smaller players.
Cyber insurance and the hard market conundrum
Given these waxing risk factors and the potential for insurers to address them, it’s hardly a surprise that interest in cyber insurance cover has swelled. However, losses have swelled even faster, outpacing premiums and prompting major pricing adjustments, especially in the United States.
While the average pay-out on a US standalone cyber insurance policy sat at $140,000 in 2019, this had leapt 150% to $350,000 by 2020 (Fitch Ratings). Continued heavy claims have pushed books further into the red in 2021, with various major players now reducing their exposure – making capacity for writing new cyber risks hard to come by.
The result, as in most commercial lines at the minute, is a hard market. This is certainly not a bad thing in itself; after all, a healthy market must provide something for sellers as well as for buyers, and this emerges – unevenly, of course – through the action of the insurance cycle. However, what’s happening in cyber could really be described as a hard market within a hard market, with price increases developing a momentum all of their own.
You can have too much of a good thing. While those players still standing can expect impressive margins in cyber right now – admittedly while running the risk of massive losses – the short-term gain of those few may not be in the long-term interest of the many. The current pricing environment, which could endure for several years, is pricing out new target markets just at a time when the cyber sector was poised for breakthrough growth.
This is especially true in the case of small and medium-sized businesses (SMBs). Smaller firms, having finally overcome their long neglect of cyber issues, are finally turning to their brokers and insurers for assistance – only to find cyber cover is unavailable or unaffordable.
It’s true there are other factors involved here; for example, many small businesses are reducing their insurance budgets and cancelling non-mandatory covers out of financial distress. However, we expect these factors to improve in time, especially as economies recover to pre-pandemic levels. What’s less clear is whether the cyber insurance sector can right itself quickly enough to take advantage.
Cyclical issues mask deeper structural flaws
Normally, in a hard environment, it would simply be a case of waiting for the insurance cycle to run its course – eventually bringing lower prices, and therefore growth, in price-constrained sectors. However, the severity of today’s cyber hard market points to deeper structural issues.
There is an ongoing failure to adequately understand and price cyber risk – those players who now have a chance to make good profits do so speculatively and only because so many have already blown their books. In the case of ransomware insurance, it’s not even clear how insurable the risk is in the long run, especially since the existence of cover both incentivises and ultimately funds attackers. All in all, high-risk prices look to be a feature rather than a bug.
At the same time, even if it has achieved good premium growth in recent years, cyber has struggled to build out its capital base. And this despite the high – and rising – capital requirements it must contend with as a Cat-type line.
So, while much of its catastrophic potential – like big aggregations and maxed-out limits – can be ceded to reinsurers, this reinsurance pool still boils down to just a handful of providers, all in turn wary of their aggregate exposures. This cranks up volatility. It also puts a natural ceiling on the amount of capacity insurers can create, undermining long-term affordability.
Efforts to scale the product in its existing form are therefore proving to be self-limiting. Maximising growth is destroying profits; maximising profits is destroying growth. And if they can’t establish a large and stable customer base to begin with, cyber insurers will find it harder to iterate and innovate their way out of the current impasse.
One outcome is a product eternally stuck at second base: a high-risk, high-return option sold by a handful of specialists to a handful of mega-corporations. And the wider digital economy will be the poorer for it. The alternative is simple: insurers must find a way to grow the line profitably. The question is how.
A profitable path to growth for cyber insurance companies
What insurers face right now is a sell-side problem: a product-design challenge with both front-end and back-end implications. It won’t be easy, but at least the ball is in their court.
By engineering down risks, rightsizing their exposures and, longer-term, expanding access to capital, insurers – and their reinsurers – can achieve sustainable product-market fit in cyber. Actuaries, underwriters, claims teams, software firms and industry consortia must work together in some or all of the following areas:Leverage an industrialized response service
- Leverage an industrialized response service
- Create a ransomware-focused claims service
- Use integrated underwriting to price dynamically
- Incentivise insureds to boost their cybersecurity hygiene
- Learn from Insurtechs
- Maintain discipline on rate
- Pursue personal lines
- Help customers pre-breach as well as post-breach
- Pursue ecosystems and alliances
- Focus on skills development and acquisition as well as retention
- Focus on innovative technologies like real-time analytics and IoT