US Cyber Insurers' Performance Improved in 2022 Amid Favorable Trends

A Glowing Fingerprint Is Displayed on a Lit-Up Circuit Board Depicting Cyber Security

September 27, 2023 |

A Glowing Fingerprint Is Displayed on a Lit-Up Circuit Board Depicting Cyber Security

US cyber insurers' performance improved in 2022, with cyber-insurance written premiums increasing 50 percent to $7.22 billion, while cyber insurers' loss ratio decreased 22 percentage points to 45 percent, according to a new report from Aon.

The Aon report, titled U.S. Cyber Market Update: 2022 U.S. Cyber Insurance Profits and Performance, says the decrease in the US cyber-insurance industry's loss ratio was driven by a significant increase in premium per policy and a decline in loss frequency. Meanwhile, though cyber-loss severity continued to increase, the change was more moderate than in prior years, Aon says.

Data in the Aon report is based on the National Association of Insurance Commissioners (NAIC) statutory filing supplement.

The Aon report notes that despite US cyber insurers' improved performance in 2022, those insurers will need to overcome headwinds this year to maintain those gains. Among those forces are increases in ransomware incidents, increased competition that's prompting rate decreases, and increased scrutiny on wrongful data collection claims, Aon says, adding, "Monitoring of risk will continue to be mission-critical."

In its new report, Aon quotes from last year's report, which was based on 2021 data and largely addressed business written in 2020 and 2021. In the 2022 report, Aon says, "while there is still work to be done to bring loss ratios down to levels seen in 2019 and prior, the rise in industry loss ratio has moderated."

In this year's report, Aon says that 2022 data reveal the progress of that work, with 2022's 45 percent loss ratio the same as the loss ratio for 2019.

"As the business continues to be dynamic, it is too soon for the cyber insurance industry to rest on its laurels; the next challenge is for insurers to match or improve their performance in light of headwinds in the market," Aon says.

According to Aon, 2022 data shows some insurers performing much better than the industry average while others did notably worse. The median loss ratio for the year was lower than the industry average, the report says, indicating that the average loss ratio is skewed upward by cyber-insurance companies with higher loss ratios.

As in its prior report, Aon broke down the US cyber-insurance market into micro, small/medium (SME), and large insureds. Micro cyber-insurance buyers continue to perform at lower loss ratios than the other groups, Aon says, though notable improvement was seen in the loss ratios for both the SME and large groups. Large insureds demonstrated a particularly large drop in the average loss ratio as a result of premium per policy, the report says.

Aon found a total of 213 US insurers reporting direct cyber-written premium to the NAIC in 2022, down from 214 a year earlier.

While total US cyber-insurance premiums increased 50 percent in 2022 from a year earlier, the rate of growth for stand-alone cyber-insurance products was even greater with a 62 percent increase from 2021 versus a 27 percent increase for cyber-insurance as part of package policies.

According to the Aon report, stand-alone US cyber-insurance business has seen both policy count and written premium per policy increasing since 2020. Both continued to grow in 2022, with stand-alone cyber policies increasing 32 percent and written premium per stand-alone policy increasing 22 percent.

At the same time, package policies saw growth coming primarily from premium per policy, Aon says, with the number of policies only increasing 2 percent in 2022 from the prior year while written premium per policy increased 24 percent.

The Aon report notes that while stand-alone and package cyber insurance had similar loss ratios in 2021, stand-alone business outperformed package offerings in 2022. Stand-alone US cyber-insurance coverage posted a 43 percent loss ratio in 2022, versus 48 percent for package. But the loss ratios for both stand-alone and package cyber-insurance policies decreased in 2022, Aon says, drawing closer to their 2019 levels from the peaks seen in 2020 and 2021.

Earned premium per policy increased for both stand-alone and package cyber-insurance policies in 2022, Aon says. Stand-alone coverage saw a 45 percent increase in earned premium while package coverage saw a 49 percent increase.

Frequency, measured as claim count per policy, decreased for both stand-alone and package cyber coverage in 2022, the Aon report says. Stand-alone frequency decreased 12 percent during the year, while package frequency dropped 7 percent.

It was the third consecutive year of declining frequency for stand-alone cyber coverage in the United States, Aon says, after significant frequency increases were seen in 2018 and 2019. Meanwhile, it was the first time since the NAIC began publishing its cyber supplement in 2015 that a decrease in frequency was seen in package cyber coverage.

Average claims size increased 7 percent for stand-alone cyber coverage and 13 percent for package coverage in 2022, Aon found. The 7 percent stand-alone claims size increase came after increases of 66 percent in 2020 and 25 percent in 2021, the report says, while the 13 percent increase in package claim size followed a 33 percent increase in 2020 and a 29 percent increase in 2021.

For US cyber insurers, the challenge in 2023 will be to maintain favorable trends in the face of various challenges. Among those challenges is that with the rate of increase in written premium per policy beginning to slow, cyber insurers must maintain pricing and underwriting discipline, Aon says.

"So far in 2023, Aon has observed rate change pressure and softening terms and conditions in the market," the report says.

In addition, while the volume of ransomware claims declined in 2022, the course of the war in Ukraine and a rising cost of living that might lead some individuals to look for additional sources of income could prompt threat actors to return to ransomware as a service this year, reversing some of the favorable ransomware trends seen last year, Aon says.

"Data sources have observed ransomware incidents being on the rise in 2023, although it is too soon to know how this will translate into claim activity," the Aon report says.

September 27, 2023