By 2025, some experts predicted the cyber reinsurance market to be worth at least $25 billion, likely more. But we’re not even close – so what happened?
Three years later, we are witnessing a continuing capacity crisis, with prices skyrocketing thanks to a deep imbalance between supply and demand.
Commercial rate hikes of more than 300% are not uncommon, according to a Lloyd’s broker. And currently, in 2022, the total size of the global cyber insurance market is estimated to be less than $10 billion.
feel the sting
Stung by the frequency and severity of major claims, many insurers withdrew. Ransomware was a particular problem, responsible for three-quarters of cyber claims in 2020, according to AM Best and likely the costliest loss event category in 2021, according to WTW.
In response, carriers have backed down while reassessing their appetite, formulations, and overall capacity, and meanwhile, demand for the product is only growing.
There are fears of spillover from state-sponsored attacks from Russia or China (which have collectively sponsored more than 50 so far in 2022, according to Atlas VPN). Attacks targeting critical infrastructure, for example, have risen from fewer than ten in 2013 to nearly 400 in 2020, according to Lloyd’s.
Add to all this concerns about the potential systemic nature of the threat and it’s not hard to see why insurers and reinsurers have hit the pause button.
The acceleration of digitization and reliance on cloud technology during the COVID crisis, events such as SolarWinds and Kaseya, served as a warning of how a buildup could unfold. These are no longer vague scenarios.
“Traditionally, regardless of technical price, the market as a whole has proven to be very profitable before 2019 – and it has continued to grow,” says Daniel Carr, head of cyber at Ariel Re.
“It’s flipped 180 degrees since 2019 when we saw the first major deterioration in results and we’ve seen the elasticity of this process go back and questions being asked about what is actually the right price?”
“At the same time, there is a natural growth in demand from the end-buyer population. Now everyone wants the product and you are on the other side where capital that was once very eager to give it away is now a little more hesitant to do so.
Cover, but at what cost?
To grow the market, cyberinsurers need access to greater reinsurance capacity, and that remains stubbornly elusive unless you’re a cedant willing to pay more than the odds. For some, there is little choice in the matter.
“More purchases and additional capabilities are sought in the market as awareness of systemic cyber events increases and the size of cyber wallets increases, largely due to the current pricing environment,” explain Anthony Cardonnier and Erica Davis, Global Co-Heads of Cyber at Guy Carpenter. .
“Many carriers are reducing exposed capacity,” they continue. “Incumbent reinsurers, due to capacity constraints, may seek to reallocate capacity to transactions perceived to have a higher margin.
“Some carriers reduce ransomware coverage (or offer no coverage at all) for customers who lack adequate controls.”
Many buyers have had no choice but to keep more of the risk on their own balance sheet. And as a result, they take a more technical approach.
“We expect the actions of the primary market (both from a rating and underwriting perspective), and its subsequent turnaround in profitability will lead to greater comfort from reinsurers, which will in turn attract additional capital to the class and relieve some pressure on terms and conditions in the upcoming reinsurance cycle,” Cardonnier and Davis add.
Addressing systemic fears
Realistic catastrophe scenarios can help re/insurers assess and manage risk based on known unknowns, but they go no further with respect to the potential for accumulation.
Whether it’s a cloud outage, mass malware, or another cyber event that affects multiple organizations around the world, the ability to better model tail risk is key to unlocking the market.
“The cyberreinsurance market is a really immature market and we’re only scratching the surface,” says Jose Seara, founder and CEO of DeNexus, a cyber risk modeling firm.
“Without a real real understanding of risk, it’s impossible for the market to grow and for entities that buy risk and invest their capital to buy much more, because they don’t really understand what they’re buying.”
“The market is not sophisticated enough to differentiate between the different ‘flavors’ of cyber, and that’s one of the problems for the market to evolve,” he continues.
“It’s like talking about natural disaster risk: Florida hurricane risk has nothing to do with earthquakes in California, other than the fact that they’re both natural disasters.”
Isolated catastrophic scenarios
For the market to get back on track, feel comfortable with risk, and deliver meaningful capacity, the cybermarket will need to better segment the risks presented and better manage large-scale events.
If vanilla-type exposures can be treated separately from risks that have catastrophic potential, the primary market and the reinsurance market will begin to gain comfort and should increase the size of their lines.
Some markets are starting to tackle it. Chubb, for example, now distinguishes between “limited impact events” and “widespread events” in its approach to cyber risk. This allows policyholders to tailor coverage levels based on the exposures they care about, whether it’s ransomware encounters, overlooked software capabilities, or something more systemic.
Beazley is also considering how to protect its exposure in the event of a cyber disaster.
“Whereas before 2019 you had an insurance product that tried to do all the cyber stuff, now it’s starting to flip the other way,” Carr says. “It’s about really understanding the different problem spaces within the broader cyberdomain, and then aligning different products and expertise with them to deliver a more effective marketplace.”
While the tightening of cyber tariffs is expected to continue through 2023, DeNexus’ Seara is optimistic about the market potential beyond that. “Most of the stakeholders we engaged are now taking a proactive approach to trying to understand the risk and developing new products that better meet customer needs.
“I hope this will bring additional capacity to the market in the years to come through a better understanding of risk and a better product offering.”