Skip to main content

Article

Cyber Insurance Market Overview: Fourth Quarter 2021

The cyber risk insurance market is at an inflection point, presenting an opportunity to embrace a paradigm shift.

Is there a new cyber risk paradigm?

The cyber risk insurance market is at an inflection point, presenting an opportunity to embrace a paradigm shift. Attritional losses and concerns pertaining to systemic risk are driving up the price of cyber insurance. Digitalization is bringing businesses new opportunities, and new threats. Companies are facing increased regulatory scrutiny. And society at large is struggling to counter the rising impact of cyber incidents, particularly ransomware. Organizations seeking cyber insurance are asking, what’s next? Examining why a new perspective is required can help your organization understand cyber risk’s future and better plan investments for 2022 and beyond.

Market overview

Cyber insurance pricing in the US increased an average of 96%, year-over-year (see Figure 1), in the third quarter of 2021 as organizations faced a daily onslaught of cyberattacks. The third quarter increase was a 40 percentage point rise over the prior quarter, and the largest since 2015. Prices rose even as more than 60% of Marsh clients increased their retentions in an effort to minimize increases.

The increasing rates are primarily due to:

  • Loss environment: Over the last 18 to 24 months, a number of insurers have experienced a significant increase in loss ratios — with a corresponding deterioration of profits — due to the rising frequency and severity of ransomware claims.
  • Systemic risk concerns: Insurers are paying closer attention to the risk that a single cyber event could affect a considerable number of insureds simultaneously. Scenario modeling, influenced by regulatory scrutiny and the need for improved portfolio management, suggests that a systemic cyber event could cost multiples of the estimated size of the current cyber market. This has led to a significant increase to the catastrophe load as part of overall premiums charged.
  • Reinsurance: Reinsurance costs are increasing, thus adding to cyber insurance pricing. The demand for reinsurance capital remains greater than available supply.
  • Available capital: The pool of capital available to clients from insurers is dwindling, meaning the total amount of cyber premium that insurers are collecting is potentially insufficient to fund for a catastrophic loss. Some insurers are exiting the cyber market due to the concerns noted above. Meanwhile, others are reducing the amount of capital deployed on any given risk in order to limit their own portfolio’s exposure.

Ransomware continues to drive an increase in frequency and severity of claims

Since 2018, cyber incidents and losses have escalated noticeably (see Figure 2), driven in large part by the rapid digitalization of businesses. This was accelerated by the pandemic and the increase in the number of organizations buying cyber insurance, meaning, more cyber events were insured.

Ransomware is now entrenched as a dominant threat, rising in frequency and severity and deepening insurance market concerns over attritional losses, accumulation and systemic risks (see Figures 3 and 4).

Purchasing trends

The current volatility within the market is causing organizations frustration as they use a variety of levers — including adjustments to retentions and limits — to address concerns over pricing, available limits, and terms and conditions (see Figures 5 and 6).

Some are reducing policy limits, driven in part by budget constraints, but also due to limited insurer appetite for risk where certain security controls and corporate governance appears to be lacking or insufficient. Others are increasing their limits, and paying a higher price to do so. This is generally because they either have new or increased cyber exposure (often due to increased digital transformation), and/or have a deeper understanding of the magnitude of the existing risk. That said, most clients, regardless of which scenario they face from a capacity perspective, are taking higher retentions to manage costs and/or maintain insurance market support.

Defense in depth

One positive output of the otherwise adverse impact of the accumulation of attritional losses has been the identification of correlations between certain controls and corresponding cyber incidents. Through root cause analysis and the continuous examination of relevant data points, the underwriting community, brokers, and other stakeholders now have a better appreciation for the technical steps that organizations should take to build cyber resiliency.

Insurers are increasingly tightening underwriting requirements and stipulating that organizations adopt security controls that can make a measurable positive impact on their exposure to cyber risk. With their potential insurability on the line, organizations are placing more emphasis on controls than ever before. Marsh recommends organizations implement a number of cyber hygiene controls (see Figure 7).

Of the 12 controls in Figure 7, five have been shown to have the greatest positive impact on reducing cyber risk exposure:

  1. Multifactor authentication (MFA): Requiring at least two pieces of evidence to validate a user’s identity helps prevent unauthorized entry into an organization. This control is a top weapon in an organization’s arsenal to thwart ransomware attacks, especially in relation to remote access and the management of administrative accounts.
  2. Endpoint detection and response (EDR): The continuous monitoring and analysis of endpoints can help deflect attacks. In the event of an attack, it can also enable a more efficient response.
  3. Secured, encrypted, and tested backups: The proliferation of ransomware attacks has placed additional emphasis on a sound organizational backup strategy and implementation. Restoring from backups is one of the ways organizations attempt to recover data, recover from an attack, and avoid dealing with the difficult decision of paying the ransom demand.
  4. Privileged access management (PAM): This is designed to ensure that employees have only the necessary level of access — not additional — to perform their jobs. This control also helps security teams identify abuse of privilege.
  5. Email filtering and web security: Email filtering identifies and blocks malicious emails and attachments, whereas web filtering blocks inappropriate sites. These tools are primarily used to help block the spread of malware.

While not exhaustive or foolproof, the adoption and proper implementation of these controls can add a layer of security to help prevent or mitigate typical attacks.

Cyber insurance market through the lens of property insurance history

It’s been nearly 30 years since Hurricane Andrew tore through South Florida, upending lives and businesses in what at the time was the costliest US natural disaster in terms of deaths and physical damage to property. The storm was an inflection point that fundamentally changed the property insurance market.

Hurricane Andrew hit a full five years before insurers issued the first standalone cyber policies. Why do we invoke a natural catastrophe when discussing cyber risk and insurance? There are some parallels worth noting between Hurricane Andrew’s impact on the property insurance market and the current state of the cyber risk insurance market. For example:

Property insurance post-Hurricane Andrew Current cyber risk insurance market

A predictable retraction of insurance capital followed Hurricane Andrew as eight insurers became insolvent and more sought funds from parent companies to satisfy claims. It was then that insurers introduced self-adjusting deductibles, which ultimately meant insureds took on a greater proportion of the loss. This helped mitigate the price of risk.

In the cyber insurance market over the past few years, a number of insurers have required that insureds take on higher retentions (similar to deductibles), and others are applying co-insurance on some or all elements of coverage, notably for ransomware.

Following Hurricane Andrew, reinsurance became a larger part of the equation as the market sought to spread the risk of future storms, offset some risk for individual insurers, and reduce volatility to earnings.

In the current cyber market, reinsurance is experiencing an increase in demand and is actively shaping the market via treaty terms and modelling.

Hurricane Andrew was a major impetus for the use of catastrophe models, which had not previously been widely used, and those in use were not predictive. As a result, risk was underestimated, and undervalued/priced.

In today’s world of cyber risk management, predictive models are increasingly important.

Following Hurricane Andrew, building codes and enforcement were strengthened, not only in Florida, but throughout the US.

Now, the increasing frequency and severity of cyberattacks is prompting a variety of changes to regulations and best practices in cyber security hygiene and cyber risk management.

While there is some utility to be derived from drawing parallels between the lessons learned in the property market post Hurricane Andrew, and the current cyber market, there are some significant differences with material implications. Notably, while many organizations are not exposed to natural catastrophes, the same cannot be said for cyber-attacks. As such, applying property insurance tactics to the cyber insurance market is, in some respects, not suitable.

Conclusion

It is clear that cyber risk is different from traditional risks. As such, we need to shift our perspective toward a new cyber risk paradigm. Just as other parts of the insurance market have undergone significant shifts — think property post-Hurricane Andrew — cyber risk is constantly evolving. Consider that:

  • In a technology-driven world, cyber risk is woven into the fabric of society. As the dependence on digitalization of the business world increases, so does the breadth and scope of cyber risk.
  • Cyber threat actors are active adversaries, constantly adapting their tactics, techniques, and procedures to cause harm.
  • Cyber risk can never be “removed” by simply moving physical location or strengthening defenses. It constantly evolves and thus, it cannot be fully solved for. Organizations should strive to manage it to an acceptable level of residual risk.
  • The cyber risk underwriting process is evolving at an accelerated pace, informed by a growing body of data based on root cause analysis on a portfolio of losses.

The price that organizations are currently paying for cyber insurance is in part reflective of the financial fundamentals of increasing combined ratios, and at the same time, behavioral economics. The current marketplace reflects increased frequency and severity of attritional ransomware losses through changes to underwriting and increases in pricing, as well as the concern of a systemic event. Marsh, along with many other stakeholders, including insurers, continue to refine cyber risk models, thus improving predictive analysis. Insurers are revising their strategies, including operational and tactical actions, such as changes to risk appetite, composition of the product, and supporting services offered to insureds.

At Marsh, we believe the cyber risk paradigm reflects the need for organizations to become more comfortable with the reality that the connective tissue of modern business is digital. As such, organizations will need to adopt new methods of understanding, measuring, and managing cyber risk on a continuous basis. With the discipline, foresight, and agility to shift focus, we can help your organization achieve improved outcomes, and support you as we collectively embrace the new cyber paradigm.