Questions Remain as Cyber-Insurance Market Grows, Matures

While cyber-insurance premiums and demand for cyber insurance are growing, a recent report notes that questions remain about the extent of some cyber risks, the growth of a cyber-protection gap, and insurers' own cyber-risk management efforts.

Growing awareness of the expanding scope of cyber threats, increased dependence on technology, and the complexity of the cyber-threat landscape are all contributing to increased demand for cyber insurance, the International Association of Insurance Supervisors (IAIS) says in a new report.

The report, Global Insurance Market Report (GIMAR) Cyber Special Topic Edition, notes that gross written premiums for stand-alone cyber insurance are reported to have grown in 2021, likely driven by both risk-adjusted rate changes and organic growth.

The cyber-insurance market has also seen significant changes in underwriting controls, including tighter terms and conditions and stricter risk selection and underwriting standards, the IAIS says, making it harder for buyers not reaching minimum cyber-hygiene standards to secure coverage in 2022.

"These market dynamics reflect market hardening following an increase in ransomware claims in recent years," the report says.

The April 21, 2023, IAIS report suggests that the combination of premium growth and underwriting changes seems to have improved cyber insurers' profitability. Given the relative youth of the cyber-insurance line, however, most of the premiums and claims reported were concentrated in a small number of insurers and jurisdictions, according to the IAIS.

The IAIS reports that approximately 40 percent of all global cyber premiums flowed into the reinsurance market, a higher portion that the 25 percent of nonlife premiums ceded to reinsurers across the group of insurers the IAIS studied. "This high level of ceded premiums is not unexpected for a new class, as new entrants seek to partner with a reinsurer to better understand the risks, diversify exposure, gain experience, and collect data," the IAIS says.

While there was activity aimed at transferring cyber risk using the insurance-linked securities (ILS) market in 2021, the volume of such activity was low and the capital available limited, the report says.

The report notes that there remains a considerable degree of uncertainty around cyber-catastrophe risk and what a cyber-tail event would look like, with that level of uncertainty being greater than for other perils. One loss estimate for a 1-in-250-year event affecting the US stand-alone affirmative cyber-insurance market is in the neighborhood of $30 billion, the IAIS says.

The IAIS cites 2017's NotPetya attack as the largest cyber event to date, resulting in $10 billion of losses of which $3 billion has been covered by insurance thus far.

Insurers are looking at a variety of ways to address nonaffirmative or "silent" cyber coverage including the exclusion of some cyber risks from all-risk property-casualty policies, affirmatively covering other cyber risks by endorsement, and/or offering stand-alone cyber insurance policies. The IAIS found that some insurers indicated they've dealt with the silent cyber issue in 95 percent of their business at renewal.

"However, it is important to recognize that newly introduced exclusionary language may not have been tested in courts," the IAIS report says. "It is also critical to note that this assessment of nonaffirmative coverage applies only to the subset of insurers that took part in the IAIS data collection."

The report also cites the existence of what seems to be a growing cyber-protection gap as cyber insurance covers only a small percentage of potential economic losses that could result from cyber events. The extent of that gap varies across jurisdictions, the IAIS says.

The report notes that along with the broader business world, insurers' exposure to cyber risks continues to grow. Insurance operations continue to be digitalized to achieve economies of scale and improve customer experience, the IAIS says, but those digitalization efforts add complexity to information technology systems and increase the potential cyber-attack surface available to cyber criminals.

"Most insurers in the sample reported that they have cyber-security frameworks, risk assessment processes, and incident response plans in place," the IAIS report says. "Additionally, these insurers reported that they have implemented essential risk controls. However, the data that were collected were not sufficient to assess the effectiveness of these cyber-security frameworks, risk assessment processes, response plans, and risk controls."

The insurance industry is also affected by the shortage of cyber-security professionals, the IAIS says. "Insurers in the sample reported that it takes longer to fill security positions, the recruitment process has become more expensive, compensation packages have increased, and employers have to offer greater flexibility," the report says. "This shortage of talent could lead to a greater reliance on third parties, or employee burnout when resources are overstretched."

While most insurers surveyed reported following cyber-security standards, it wasn't clear whether those efforts led to certifications, the IAIS report says, making it impossible to determine how well those standards were followed. "Certifications can help supervisors assess the level of cyber hygiene of a company, but overreliance on certification could also lead to complacency," the IAIS says. "Standards chosen by a firm should fit their business needs and their cyber-security risk appetite."

The IAIS report is a special topic edition of the organization's regular GIMAR report, which presents the outcomes of the IAIS's Global Monitoring Exercise (GME). The GME is the IAIS's framework for monitoring risks and trends in the global insurance sector and assessing possible buildups of systemic risks. Such special topic editions of the GIMAR take a deeper look at relevant topics emerging from each year's GME.

The cyber-special edition reflects data the IAIS collected on insurers' underwriting activities and cyber resilience through its 2022 GME data collections, covering year-end 2021 data.