Cyber losses could shift to hit reinsurance costs as insurers embrace standalone products over packages to mitigate silent cyber risks

A leading analyst has warned that cyber insurance is set to see price hikes and a tightening of terms as underwriters look to recoup the spike in ransomware losses.

Gerry Glombicki, director in the insurance division at Fitch Ratings, said underwriters had been badly hit in 2020 by the rise in both the number and scale of cyber attacks.

Speaking during an online seminar this month as part of the credit rating firm’s Monte Carlo Reinsurance Rendezvous 2021 series, Glombicki said the figures outlining the cyber threat were now significant.

Citing computer security software company McAfee, Glombicki noted that the costs of cyber crime were $1tn (£733bn) for last year - up 50% on McAfee’s figure for 2018.

Furthermore, McAfee’s data – published in December 2020 – showed that the average cost of a cyber crime event in 2020 was $4.2m (£3m). Around 85% of attacks had a human element in its cause, with 61% of incidents involving the use of employees’ credentials by hackers.

Glombicki said the level of ransomware attacks had increased by 400% last year and the resulting claims costs have badly impacted underwriters’ loss ratios – therefore, underwriters were taking swift remedial action.

“It is not only the incidents but also the costs of the attacks,” he explained.

The total of cyber premiums in the US last year amounted to $2.7bn (£2bn), added Glombicki - just under half of this figure refers to packaged products.

At present, 50% of the global cyber market is controlled by the top five insurers, with the top 20 accounting for 85% of the premiums.

Silent cyber awareness

The claims of last year have prompted an immediate and ongoing response from the market, Glombicki noted. Rates increased by 11% in the last three months of 2020, a further 18% in the first quarter of this year and increased 26% on average between April and June 2021.

“While there is no specific evidence, the analysis we have been able to carry out has found that the level of ransomware attacks has been a driver in underwriters’ desire to increase rates,” said Glombicki.

“We are also seeing terms and conditions tightening as the market looks to redress the loss ratios and we expect these conditions to continue until those loss ratios are rebuilt.”

He added: “We are seeing a growth in standalone cyber cover and a move away from the products which open the market to silent cyber risks, with underwriters being more prescriptive with their exclusions.

“Leaving it to the courts to decide whether a risk is covered is poor risk management.”

Glombicki said that the cyber insurance market has seen some withdrawals. Others in the sector have significantly changed their pricing or their terms and conditions in an effort to reflect the rising loss levels.

“However, we have to recognise that 50% to 60% of the risks are transferred to the reinsurance markets and, as the losses flow into the reinsurance coverage, the costs of reinsurance will rise.

“It has created a situation where insurers are having to ask themselves how much of the business they are willing to write.”

Preventative measures

Fitch Ratings has teamed up with speciality research firm SecurityScorecard to examine the rating issues around cyber risks for insurers - Glombicki revealed that the firm would be releasing new analysis examining the impact of the cyber market on the insurance sector in the coming weeks.

He added that Fitch Ratings is discussing with its rated insurers their views around cyber risk and how they will manage it.

If an insurer suffers a cyber attack, Glombicki said Fitch Ratings would assess the impact on its environmental, social and governance (ESG) elements. This would include looking at the way the insurer’s governance structures have reacted and how the insurer has safeguarded customers’ welfare.

The partnership with SecurityScorecard will rate insurers on a range of cyber issues. Glombicki said Fitch Ratings will look to engage with any firm that has a fail against any of the components raised.

“We would look to see why any poor scores have been delivered,” he said. “If they are proved to be correct, we will not only ask why but also what the firm is doing about it.”