Reinsurance Remains Essential to Cyber-Insurance Market's Growth

Cyber insurance with woman in white shirt and various digital icons

September 06, 2023 |

Cyber insurance with woman in white shirt and various digital icons

After 2 years of rate increases and tightening of terms and conditions, the global cyber-insurance market has returned to profitability, according to S&P Global Ratings.

In a new report, titled Cyber Insurance: Reinsurance Remains Key to Growth, S&P says that cyber insurance remains the fastest-growing subsector of the global insurance market. Annual cyber-insurance premiums reached about $12 billion at the end of 2022, and the rating agency expects cyber premiums to increase by 25 percent to 30 percent yearly to about $23 billion by 2025.

"Cyber insurance relies to a great extent on reinsurance protection, and we believe reinsurers remain critical to the sustainable growth of the market," the August 29, 2023, S&P report says.

The S&P report says that the frequency and severity of cyber claims—particularly those stemming from ransomware attacks—have undermined the profitability of the cyber-insurance market in recent years. That's led (re)insurers to reduce their exposure, increase rates significantly, and tighten policy wording. As a result, much of the recent increase in cyber-insurance premiums was due to substantial rate increases, rather than underlying growth in the size or volume of cyber-insurance contracts, S&P says.

"However, we believe the industry will need to encourage more sustainable underlying growth that is not largely led by rate increases," the S&P report says. "This growth will depend heavily on market participants addressing systemic cyber risk, more insurers providing coverage with the support and expansion of the reinsurance, retrocession, and insurance-linked securities markets, as well as more small-to-midsize enterprises purchasing cyber insurance."

While the United States is responsible for most cyber-insurance premiums, the Latin American and Asia-Pacific markets are showing the fastest premium growth over the past 5 years, S&P says. The reason for the lower growth rates in North America and Western Europe is that those cyber-insurance markets are larger and more mature, the report says.

Roughly 56 percent of gross premiums written for affirmative cyber insurance—coverage explicitly covering cyber risk—are generated in North America, S&P says, with 37 percent originating in Europe, the Middle East, and Africa; 6 percent in the Asia-Pacific region; and 1 percent in Latin America.

The S&P report emphasizes reinsurers' important role in the cyber-insurance market.

"In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market," the report says. "Cyber insurers use a significant amount of reinsurance."

Primary cyber insurers ceded 50 percent to 65 percent of cyber-insurance premiums to reinsurers in 2022, S&P says, with the amount varying by region. "The reinsurance market and, eventually, the retrocession market will therefore be extremely important in providing capital and capacity to support further (gross premiums written) growth," the report says.

In addition to the risk-taking capacity they offer, reinsurers also provide underwriting and modeling expertise that is helping develop the cyber-insurance market, S&P says. "In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focuses on risk differentiation, strong underwriting, and the provision of assistance services along the lines of prevention measures, crisis management, and data recovery," the report says.

S&P says that changing cyber-insurance claims patterns, increased cyber threats, and a huge accumulation of risk all create opportunities to increase cyber-reinsurance capacity, and the number of reinsurers offering cyber coverage is growing as a result.

The report says that many reinsurers are nearing the limits of the cyber exposures they can and want to take on, and suggests that the cyber-reinsurance market isn't likely to soften.

S&P expects more rate increases for cyber-reinsurance business this year. "However, we believe primary cyber insurance underwriters can absorb the increases without passing them on to policyholders," the report says. "This may be vital in the development of a sustainable cyber insurance market."

Meanwhile, on the primary cyber-insurance side, rate increases have been decelerating, S&P notes, the result both of increased competition as more insurers offer cyber insurance and the steps insurers have taken to improve their risk-return profiles by reducing exposures and increasing rates.

While primary cyber insurers have seen their rate increases and tightened terms and conditions pay off in the form of improved combined ratios, their profitability will likely remain volatile due to the "dynamic nature of the threat landscape," S&P says. "Furthermore, many insurers are still building their exposure to cyber insurance, optimizing their reinsurance structures, and diversifying and scaling their portfolios by region and industry to improve their risk-return profiles."

The S&P report also noted that insurers and reinsurers themselves aren't immune to cyber attacks on their operations. Any service disruptions or data breaches caused by cyber attacks would likely affect their bottom lines and, potentially, their capital positions, the rating agency says.

Huge amounts of sensitive and confidential data make (re)insurers vulnerable to cyber attacks, S&P says.

But, sophisticated enterprise risk management, robust capitalization, and insights gained through their own cyber-insurance underwriting should position most global multiline insurers and reinsurers to manage their own direct cyber-risk exposures, the S&P report says.

Analysis of cyber-exposure data from cyber-security specialist Guidewire suggests that, on average, global multiline insurers and reinsurers rated by S&P could withstand a direct cyber attack on their organizations with only a limited impact on their capital positions. "However, a direct cyber attack could hit the earnings of some insurers significantly," the report says.

September 06, 2023