Cyber risk continues to drive innovation within the wider insurance market – particularly since the watershed era of 2019. Estimated to be valued at $11.9 billion globally, the cyber insurance market helps insulate organisations from the impact of cyber-attacks. In this article by Hugh Mulligan, Senior Associate within S-RM’s Cyber Advisory team, we look at the evolution of cyber insurance, the current state of the market and the industry’s move to examine cyber risk at a systemic level.
Cyber insurance policies were awarded with little scrutiny before 2019. Cyber risk had not yet risen to the prominence it currently holds across the majority of companies’ risk registers, so demand for coverage was relatively low. There was an absence of market forces to compel carriers to develop insurance packages bespoke to cyber, and insurers were lenient when picking which organisations they would grant cyber coverage to.
However, threat actors and criminal organisations continued to innovate within the space. The sophistication of attacker methodologies and tooling is constantly improving. A consequence of this is that the level of expertise required for criminals to execute sophisticated cyber-attacks gradually lowers year on year. Correspondingly, the total population of criminal organisations capable of performing these attacks grows each year.
Towards the end of 2019, the bar to successfully execute less sophisticated ransomware attacks lowered to the point where global ransomware attacks spiked and sent ripples through the corporate world. The volume of claims for cyber insurance policies sharply rose in response to this surge in the number of attacks. Insurers saw large hits to their revenue as they were forced to pay out the limits they’d previously written. Loss ratios skyrocketed during this era, meaning insurers were retaining significantly less of the money they made from insurance premiums.
The result of this was a so-called “hard market” – a period within a mature insurance market’s wider lifecycle where premiums rise, coverage terms become more restricted, and the total capacity insurers have available to deploy across their insureds is significantly lower. Consequently, it becomes much harder for organisations to acquire coverage. This current market state has persisted for the last 3-4 years and is the first significant hard market the cyber insurance sector has encountered since its inception in 1997.
Current State of the Market
As of 2023, trends indicate a gradual stabilisation of the market, although perhaps not yet a softening. Loss ratios plateaued in 2022 and excess layers of insurance (layers which only pay out during a claim when the first layer, or primary layer, of coverage is exhausted) are becoming increasingly competitive, driving down prices. In the wild, total numbers of ransomware attacks fell in 2022, as did revenue earned by ransomware gangs. Insurers have reviewed their internal underwriting processes and taken a more proactive approach to appraising cyber risk. New market segments, particularly mid-market organisations (those with revenues between £100M – £1B), are being eyed as lucrative ground for carriers to expand into as their aversion to risk shrinks.
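The layered structure described above (retention, primary layer, excess layers that attach only once the layer beneath is exhausted) and the loss ratio concept from earlier in the article, shown as an added Python illustration that is not code from the article or from S-RM; the tower limits, retention and rates on line are constructed sample values, not market data:

```python
"""Allocate a single claim across a cyber insurance tower (added example).

Models the insured's retention, a primary layer and one or more excess
layers. Each layer pays only once everything beneath it is exhausted.
All figures are constructed sample values, not market data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    limit: float          # maximum this layer will pay on the claim
    rate_on_line: float   # premium as a fraction of limit (assumed value)

    @property
    def premium(self) -> float:
        return self.limit * self.rate_on_line


def allocate_claim(loss: float, retention: float, tower: list[Layer]) -> dict[str, float]:
    """Return how much of `loss` each party bears.

    The insured absorbs the retention first; the primary layer pays next,
    and each excess layer attaches only when the layers below are used up.
    Anything above the top of the tower stays with the insured.
    """
    payout = {"insured_retention": min(loss, retention)}
    remaining = max(loss - retention, 0.0)
    for layer in tower:
        paid = min(remaining, layer.limit)
        payout[layer.name] = paid
        remaining -= paid
    payout["insured_above_tower"] = remaining
    return payout


def loss_ratio(claims_paid: float, premiums: float) -> float:
    """Claims paid divided by premium earned; above 1.0 the book lost money."""
    return claims_paid / premiums


# Constructed tower: 250k retention, a 5M primary and two 5M excess layers.
TOWER = [
    Layer("primary", 5_000_000, 0.08),
    Layer("excess_1", 5_000_000, 0.05),
    Layer("excess_2", 5_000_000, 0.03),
]

if __name__ == "__main__":
    split = allocate_claim(8_750_000, 250_000, TOWER)
    print(split)
    print(f"primary layer loss ratio: {loss_ratio(split['primary'], TOWER[0].premium):.2f}")
```

With the sample claim the primary layer is fully exhausted and the first excess layer picks up the remainder, which is why excess layers can be priced more cheaply than the primary.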
Organisations are increasingly investing resources in preparing their insurance applications and negotiation strategies, drawing on third-party expertise to support their in-house teams where specialist support is needed. The highly competitive nature of this hard market has forced companies to seriously reconsider how to put their best foot forward and improve their chances of securing coverage.
1. Preventative insurance products
As the market matures, it will continue to innovate. Many insurers already offer preventative coverage products (or “active insurance”), which marry cyber underwriting with the deployment of conventional security tooling. In this model, insurers offer their customers the option to opt into introducing new controls to their organisation in exchange for some sort of benefit, such as a credit to the premiums they pay.
The level of integration this model offers between an insurer and its customers varies between products. This could range from high-level organisational controls, such as conducting regular gap assessments or staff security training, to much more invasive controls. This latter group could include rigorous vulnerability scanning or 24/7 monitoring via an MDR product, and provides insurers with a much more granular understanding of the state of their customers’ controls.
These types of products are primarily geared towards the SME market, because organisations at the lower end of the revenue ladder are less likely to have a full suite of security controls in place. They offer several advantages, in that they give insurers more confidence when appraising the cyber risks present in a company, allowing them to model their prices more accurately and pass some of the benefits onto the customer. They also provide a strong opportunity for customers and insurers to become more integrated, allowing the two to communicate more regularly and frame risk in a way that both parties can understand.
2. The insurance market lifecycle
The state of any insurance market is affected by a multitude of factors, with changes being drawn out over time. A true “softening” of the cyber market will likely be prolonged over multiple years. However, from a premium perspective, customers are seeing lower rate increases in 2023 than previous years. Even flat renewals, which have been practically unheard of since 2019, are being enjoyed by some customers. Larger companies, which seek to gain more cyber coverage than any individual carrier would be comfortable providing, are negotiating for excess layers of coverage with particularly low rate increases – a good early indicator that rates will continue to drop across the entire tower.
The total amount of capacity available for companies will continue to grow as long as the demand for it exceeds the current supply. As insurers look to size up areas to expand into, such as the mid-market, they are also giving a second look to organisations with controls which don’t meet their gold standards. More stringent policy wording, in the form of exclusion clauses and subjectivities, allows insurers to be more comfortable with the risk they take on with these companies. For instance, if an organisation were deploying a SIEM tool during the period they’re looking to gain coverage for, an insurer might introduce a clause into their policy stipulating that the SIEM must be up and running before a certain milestone within that period (typically three or six months into the policy). At the macro level, this means that more companies are eligible for cyber insurance (albeit without “full” coverage).
Future Cyber Risks
Cyber risk is frequently described as one of the most dynamic risks within the market. Unlike many other risks, it is driven by human ingenuity, as attackers constantly aim to get the upper hand over companies and governments. Because of this, the cyber threat landscape evolves and changes at a rate potentially unlike any other within the insurance market. These shifts must be accounted for by underwriters, meaning that the factors they assess their customers against are in a constant state of review.
This landscape is not limited to individual companies, either. In our modern and interconnected world, companies are becoming increasingly dependent on their supply chain. Utilities and critical infrastructure, as well as large-scale IT suppliers such as Google and Microsoft, service enormous segments of industry. The impact of a cyber incident on these key entities would have wide-ranging implications for almost every company and, therefore, for insurers’ portfolios.
Because of this, insurers are increasingly looking at cyber risk at a systemic level. This is not an easy process, as modelling for this type of risk requires accounting for interdependencies between companies and critical infrastructure, as well as the potential for cascading consequences that could lead to a widespread cyber incident. As a relatively new line of insurance, cyber lacks the historical record of previous systemic events that underwriters in other lines can draw on to build more accurate models. In the short term, insurers may attempt to mitigate this with more stringent wording in their policies to exclude coverage for events which they deem to be downstream of perceived systemic risks. For example, in August 2022, Lloyd’s of London issued a market bulletin requiring firms to exclude liability for losses arising from state-backed cyber-attacks, citing concerns over exposure to systemic risk.
What Lies Ahead?
Like all other lines of insurance, the cyber insurance market will continue to boom and bust as part of its broader lifecycle. The end of the previous decade ushered in a hardening of the market, but early thawing signs are becoming more apparent. Cyber insurance will continue to innovate in lockstep with its underlying subject matter. The market will produce new and competitive products for insureds across industries and revenue brackets to use. Companies must continue to adapt to these trends and navigate the underwriting process as best they can – using either in-house expertise or trusted third parties to maximise their chances of achieving favourable premiums in comparison to the rest of the market. These factors, as well as ongoing geopolitical and technological developments, will guarantee the market’s continued growth, as well as its utility to the wider cyber community.