06/29/2022 · 6-minute read
For the past two years, the cyber insurance market has been characterized by a high volume of claims, severe losses, climbing rates, reduced insurer appetite, and an increased focus on accumulation risks. But as we look ahead at the rest of 2022, there is reason for cautious optimism that rate increases will stabilize and insurers will reward strong cyber hygiene controls.
Heightened geopolitical tensions, digital interconnectivity, and the adversarial nature of cyber threat actors have shifted insureds’ perception of cyber risk. More than before, there is now recognition among insureds of the increased potential that they could be at the receiving end of a cyberattack.
And with major cyber events no longer considered one-in-100-year events, insurers too are changing their outlook. Many have adjusted their pricing to reflect the increased frequency and severity of the risk. And market conditions are expected to remain challenging for the foreseeable future given ongoing accumulation and systemic risk concerns.
But there is an increasing sense of cautious optimism that the steep rate increases of the past several quarters are moderating as attritional losses are better controlled and premium growth exceeds incurred losses. This is happening at a time when many organizations, affected by steep pricing increases and restricted capacity, have focused on strengthening their cyber hygiene controls.
As underwriters gain more confidence in pricing cyber coverage following a period of adjustment, there is increased competition and interest from new entrants, increasing the likelihood of rate moderation.
And while the market remains challenging, demand for coverage is high with a continued increase in first-time buyers in the US (see Figure 1). Canada has also seen a considerable increase in new buyers, with overall clients purchasing cyber coverage through Marsh going up from less than 5% in 2014 to more than 20% last year.
The frequency and severity of claims reported by Marsh clients remained high in the first quarter of 2022, a trend that has remained constant for several quarters (see Figure 2 for claim frequency).
Companies in the healthcare sector and communications, media, and technology companies were among the main targets in 2021, accounting for nearly a third of total cyber claims reported by Marsh clients. But more industries are being impacted, underscoring the need for increased protection — both in the form of improved cyber hygiene and risk transfer programs — across the board, which could, in turn, improve overall pricing.
Persistently high claims rates have accelerated pricing pressures, and even clients with no losses and good cyber hygiene controls have seen rate increases during the past several quarters. Yet, while rate increases are still challenging many clients, we are starting to see a consistent downward movement from the record rate increases of December 2021 for clients both in the US and Canada, fueling optimism that the market is entering a time of rate stabilization (see figure 3). Note, however, that lower increases typically are only offered to companies that can demonstrate strong cyber risk controls as underwriters become more selective about the risk they are willing to cover.
Companies that have not made the cybersecurity improvements deemed necessary by underwriters are still facing challenges to secure coverage, and when they do this tends to be significantly more expensive and subject to more restrictive terms and conditions, such as co-insurance, restricted ransomware and contingent business interruption coverage, and sub-limited or excluded coverage. Increased insurer scrutiny has been a catalyst for companies to focus more on their cyber hygiene, with 41% of respondents to the 2022 Marsh and Microsoft Global Cyber Report saying that insurers’ requirements influenced decisions to augment existing controls or adopt new ones.
The elevated risk landscape has increased client demand for cyber risk transfer solutions. However, faced with the dramatic rate hikes seen in the past 18 to 24 months, many companies have had to make difficult choices and reconsider the levels of risk they can retain, manage, and transfer. In addition, limited insurer appetite has, at times, prompted clients to lower limits and increase retentions. But, while almost a third of Marsh clients reduced cyber limits in the first two months of 2022, these numbers have gone down sharply during March and April, again signaling a positive shift (see Figure 4).
Still, increasing limits remains difficult considering the high prices and still limited capacity. Less than 10% of Marsh clients increased their cyber coverage limits during the first four months of the year; for those that did, the decision was typically fueled by increased management concern surrounding the current threat level.
Clients are also using their retention levels as a lever to help offset increasing program costs. A significant percentage of clients continued to increase their retentions in the first quarter of this year (see Figure 5), a reflection of the persistently challenging market. While some clients are being forced to increase retentions due to limited coverage availability, others are choosing to do so to manage their premium cost. In Canada, mid-size companies are more likely to have to increase retentions while this remains mostly a voluntary choice for bigger organizations.
Increased prices and difficulty securing coverage have also driven some companies to seek alternative sources of coverage. Captives have increased in popularity, especially in the healthcare, financial services, retail, and manufacturing industries. The number of captives writing cyber more than doubled at Marsh in the past five years as clients continue to look at different ways to utilize them to best fits their needs. Some are using captives for retention purposes when buying larger limits, while others are using it to offset a significant rate increase or fill in missing capacity in a program.
The cyber insurance market is still adjusting to today’s more intensive threat landscape and insurers have expressed that they remain significantly concerned about the possibility of accumulation risks following a catastrophic event. Further, many insurers see the relatively short history of cyber threats and the fast-evolving nature of cyber risk as a hindrance to understanding the frequency and potential cost of a major attack and their ability to price coverage appropriately.
But after two years of premium increases, it appears rates are starting to moderate, contributing to the sense of cautious optimism about the future of cyber coverage. Attritional losses seem to be under better control, with the cyber market’s premium growth now exceeding incurred losses. As companies continue to focus on and improve their cyber hygiene controls, insurers can be expected to calibrate their underwriting and pricing strategies on an account-by-account basis — rather than on a portfolio-basis — and reward clients with strong cyber hygiene.
Amidst a still challenging insurance market, our mission at Marsh is to protect and promote possibility, by helping our clients protect their balance sheet and help them manage risk responsibly. We continue to advocate on our clients’ behalves during our discussions with insurers and other market participants, including asking for more clarity. We remain committed to providing innovative products and services that support cyber resiliency as we seek to reduce uncertainty and ambiguity and help our clients maximize the value of cyber insurance products. To learn more, please contact us at firstname.lastname@example.org.
Watch the replay of our cyber market update webcast, where Marsh cyber leaders explore the state of the cyber insurance market. You will gain insight into current market conditions, market drivers, and the outlook for the remainder of the year.