With cyber cover premiums ‘up almost 200%’ in aggregate, cyber insurance could be a profitable area for insurers willing to dip their toes into constantly choppy and changing waters
By Editor Katie Scott
The cyber insurance market is certainly one that is keeping insurers and brokers on their toes.
This was clearly evidenced by our roundtable with professional services firm RSM last month (26 January 2023), where attendees flagged broker training and cyber competency, cheaper cyber cover options for SMEs and confusion over physical losses linked to cyber events as some of the key issues this nascent market is grappling with.
With my head full of these findings, I tuned in to S&P Global Ratings’ 2023 cyber outlook webinar on 2 February 2023 to see whether the credit rating agency was picking up on similar or different trends.
Listening to Simon Ashworth, head of analytics and research, insurance at S&P Global Ratings, my main takeaway was that the cyber insurance market is still being treated with kid gloves by insurance firms – despite the fact that it is “one of the key growth” markets for the future.
Describing the cyber insurance sector as still being “very much in its infancy”, Ashworth explained that “insurers and reinsurers are grappling with questions about how and even if they want to play in this space”.
Part of this debate is centred around the issue of untangling potential silent cyber insurance, where “cyber coverage can sometimes be implicitly covered, unbeknownst to insurers themselves, within existing [non-cyber] insurance coverage”.
Ashworth continued: “We really think that for a sustainable market to develop, [cyber insurance] needs to be segmented and really clearly attributable.”
‘Huge’ protection gap
Although Ashworth indicated that he had seen a market-wide reluctance or nervousness around fully embracing the evolving cyber insurance market, he did emphasise that the sector was a land of opportunity too.
He explained: “If we look at the economic costs from cyber [events], they dwarf any comparable other economic cost in economic loss information - even compared to perils such as natural catastrophes. So, the potential for this market is huge.
“And, in terms of [the] insurance coverage of cyber economic losses, we’re talking about 1% of [these] economic losses are currently covered, so [there is] a huge insurance protection gap at the moment.”
He added that pre-pandemic, the cyber insurance market was “one of the most profitable” fields for insurers and reinsurers “partly because there weren’t too many insurers or reinsurers willing to supply [this cover] and partly because of the absence of larger or more frequent loss events”.
A lot has changed in the last few years, however, and I suspect that these “extreme levels of profitability” have been somewhat dented by the proliferation of cyber attacks that were instigated by the pandemic’s homeworking environment.
For example, in April 2020, the UK’s National Cyber Security Centre (NCSC) issued a warning that it had “detected more UK government branded scams relating to Covid-19 than any other subject” and that there was “a growing use of Covid-19-related themes by malicious cyber actors”.
It continued: “The surge in homeworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organisations”.
This trend is also borne out by the government’s Cyber security breaches survey, which was published in July 2022. This found that 32% of UK businesses identified a cyber attack in 2019 – pre-pandemic – while 46% recorded a cyber attack the following year in 2020, when Covid-19 hit the UK.
Ashworth added: “Excess profits don’t last for too long.”
Premiums are ‘big pill to swallow’
Another reason why the penetration of cyber insurance could be a bone of contention for brokers is around increasing premiums – Ashworth noted that these costs are now “up almost 200% in some cases in aggregate”.
He continued: “We’ve seen those premiums go up maybe 30% to 50% compound each year for the last few years. So, that’s a big pill for buyers of cyber insurance to swallow.”
However, Ashworth added that the uptick in premium prices is simply a reflection of the growing risk cyber attacks pose and the “uncertainty” around new types of attacks – as well as the fact that “insurers and reinsurers themselves need to make some return on capital”.
He explained: “I don’t think [premium increases are] really linked to insurers not being able to price the risk itself. Insurers are well used to attempting to price very niche and bespoke risks on a very daily basis.
“It is fair [to say] that [insurers’] models are evolving with respect to cyber all the time, but the underlying chunk of the premium increases has been due to [the] underlying risk.”
For Ashworth, the main way to mitigate high cyber insurance premiums is for clients to highlight “that they are good risks or better risks”.
He explained: “It’s really incumbent on corporates and entities themselves to demonstrate to their cyber insurers the depth of their risk management processes to really reduce premium quotes.
“Attempting to highlight [that] you’re [a] relatively good risk will limit [premium increases] and trying to squeeze cyber insurers [as well] to understand what additional services they can help you with on that de-risking journey so it’s not always just about the cost of insurance.”
Scott Crawford, research director of the information security channel at 451 Research – part of S&P Global Market Intelligence – added that insurers are already asking businesses whether they have “specific types of controls” in place in order to “demonstrate their cyber security posture”.
In turn, this enables insurers to “get a handle on their loss ratios and continue to capitalise on the opportunity cyber insurance presents”.
The controls insurers are asking about include anti-phishing initiatives, multifactor authentication, system backup and recovery resilience, tested response plans and email infiltration training.
S&P Global Ratings’ webinar emphasised that cyber threats are not going to disappear, so risk management functions cannot afford to rest on their laurels or work in isolated silos.
The panellists sought to drive home the message that cyber risk management must be the responsibility of all staff within all businesses – Sudeep Kesh, chief innovation officer at S&P Global Ratings, described cyber risk management as a “team sport” that is the “secret sauce” for staying on top of cyber risks.
The pandemic years have seen an undulating rise in a variety of new cyber crimes, which have been further escalated and cemented by actions undertaken as part of the Russia-Ukraine war.
Although cyber risks are constantly evolving, they have been doing so for a while now – it is important that insurers and brokers master these ebbs and flows by working closely with cyber security and risk management experts.