Mature Cyber-Insurance Market Needs Better Modeling, Policy Language

August 01, 2022

Cyber insurance is the fastest-growing segment of the insurance market, but many insurers and reinsurers are increasingly unwilling to underwrite larger cyber risks, according to S&P Global Ratings.

In a new report, titled Cyber Risk in a New Era: The Rocky Road to a Mature Cyber-Insurance Market, S&P notes that much of the growth in the cyber-insurance market is, in fact, being driven by a substantial increase in cyber-insurance premiums rather than the size or volume of cyber-insurance contracts.

Some insurers and reinsurers have chosen to decrease their cyber-risk appetite in the face of the increased frequency and severity of cyber attacks and greater systemic vulnerabilities, S&P says.

The report notes that insurers and reinsurers wrote more than $9 billion in cyber-insurance premiums in 2021, according to Munich Re. S&P says it expects that premium figure to increase 25 percent per year to about $22.5 billion by 2025.

With that growth being driven largely by premium increases rather than the size or volume of cyber-insurance contracts, however, changes are needed if future growth in the cyber-insurance market is to reflect more than just price increases, according to S&P.

"Improvements in risk modeling will be necessary if further growth is to reflect increased market capacity, driven by (re)insurers' greater risk appetite, rather than still higher rates underpinned by a supply-demand mismatch due to a reluctance to take on new risk," the report says.

The report notes the growing awareness of cyber risks, citing a Munich Re survey that found that 38 percent of C-level managers are extremely concerned about cyber risks, up from 30 percent in a prior survey. Adding top executives who are "concerned" about cyber threats, the total in the recent Munich Re survey reached 70 percent, S&P says.

"Those growing concerns have come with a parallel increase in mitigation efforts, and thus increased investment in cyber-risk management, including in cyber insurance," the S&P report says. "Such insurance policies have become a central component of companies' cyber-risk management, offering a route to recovery from a cyber attack or data breach via financial compensation for costs associated with IT services, digital forensic analysis, business interruption, equipment damage, legal costs, and fines."

But the significant cyber-insurance price increases in recent years have led some buyers to see the coverage as unaffordable, S&P says, particularly among small and midsize businesses. In response, some businesses and public entities have chosen to drop cyber coverage, a choice that could make their recoveries from future cyber attacks more difficult.

The S&P report suggests that price fluctuations are likely to be an ongoing characteristic of the cyber-insurance market. "These will arise from the emergence of new risk differentiation models and variable pricing that incorporates emerging cyber-security standards and improvements in cyber-security systems," the report says.

That risk differentiation has become an essential element of insurers' and reinsurers' efforts to create sustainable cyber-insurance products, S&P says, and has also led to some cases of contract cancellations when policyholders failed to meet cyber-security standards mandated by insurers and reinsurers.

The report notes that cyber insurers have also revised contract terms and conditions, increased required policyholder retentions, and imposed sublimits for some types of loss, particularly regarding ransomware or business interruption.

"Those changes partly derive from the significant number of insurers whose loss ratios have sharply increased, mainly due to larger and more frequent ransomware-related claims," S&P says.

Cyber insurers will continue to face challenges in trying to make consistent profits, the report says. It notes their worse-than-expected results in 2021, which led to greater reluctance to underwrite larger risks and reduced risk appetites among some cyber insurers. "That caution, and the resultant shift in underwriting strategies, has been exacerbated by the Russia-Ukraine conflict, and concerns that it could lead to an uptick in cyber attacks, even if that has not materialized yet," S&P says.

In the current climate, it's become common for insurers to deny requests for cyber coverage from prospective buyers lacking comprehensive information technology (IT) system backups, endpoint detection technology, IT system patching protocols, defined cyber-attack response plans, or multifactor authentication, the report says.

Meanwhile, cyber insurers have also begun real-time monitoring of new threat actors and emerging cyber-attack tactics. "This monitoring now regularly feeds into the standardized information and system security questions that are used by insurers to assess risk," S&P says. "We regard this favorably and believe it should enable better assessment of the underlying risk dynamics of policyholders and potential clients."

Dynamic contract conditions are likely to prove an ongoing feature of the cyber-insurance market, S&P says. Meanwhile, clear and precise policy wording is essential to the market's sustainable development.

"The need for clearer terms in contracts has been highlighted in recent months by the threat of spillover (deliberate or accidental) from cyber attacks linked to the Russia-Ukraine conflict," the report says. "At the heart of the issue are so-called war exclusions, which were designed to exclude claims arising from physical or kinetic war, but which have proven ill-suited to the context of cyber warfare."

The July 26, 2022, S&P report suggests that a stable cyber-insurance market is in the interests of both policyholders, who would benefit from greater coverage certainty and lower costs, and insurers, who would be better able to match cyber-insurance products to their risk appetites while reducing return volatility.

"We believe clearer policies will be at the forefront of those efforts, but that it will also necessitate a deeper understanding of how ransomware drives losses, improvements in scenario modeling, better management of risk accumulation, and disciplined underwriting," the S&P report says. "Insurers that aggressively expand in the cyber market without that expertise will expose themselves to increased capital and earnings volatility that could lead us to change our assessment of their operations."
