While the cyber insurance market has been growing rapidly, with estimated annual premiums of more than $5B, structural issues may slow or stall growth in the near term if losses begin to exceed premiums. Around 50 companies are reported to have cyber insurance in excess of $500m, and to collectively pay an estimated $250m in premiums. Approximately 200 companies are reported to have cyber insurance policies covering between $200m and $499m, and collectively pay an estimated $900m in premiums.
One survey by insurer Hiscox reports that cyber losses amongst a group of 5,569 companies across 8 countries increased 50% in 2019 to $1.8B, even as the proportion of businesses suffering attack fell from 61% to 39%.
As the cost of cyber breaches, particularly ransomware, is increasing exponentially (Hiscox reports that the median cost of all cyber incidents and breaches increased 5x in the US from 2019 to 2020, and 8x in Germany), insurers risk huge losses well in excess of their aggregate premiums collected if several large clients experience expensive breaches. An estimated 40% of cyber insurance premiums are currently passed on to reinsurers, but they are reportedly not deploying more capacity to cyber risk, which may cause underwriters to slow their growth despite clearly rising demand.
The article rightly calls attention to structural challenges but misses some of the most important ones. We recently discussed the problem of the inaccuracy of cyber risk pricing models used by insurance companies and the discrepancy between the actual economic and financial impact of breaches and companies’ cyber insurance coverage.
As the surge in breach costs is resulting in a rapid rise in claim amounts, insurers' profitability is being strained. Importantly, this big increase in claim amounts is occurring even as the true cost of cyber incidents is increasing even more rapidly than headline figures report.
Therefore, the squeeze is on both insurers, who are faced with increased ‘direct cost’ claims, and the insured breached companies, who are faced with increasing indirect costs which insurers will hesitate to reimburse. In this environment, insurers and reinsurers will be loath to increase capital exposure at current premium prices.
The key to addressing these challenges is twofold: enterprises need to recognize the necessity of better cyber governance and implement cost-effective improvements to their cyber defense posture, and the insurance industry needs to have more accurate cyber risk pricing models, models that only Cyberhedge has transparently proven to have. Without these, the cyber insurance industry overall will continue to struggle to price and supply sufficient coverage, and companies will be increasingly vulnerable to the ever-widening gap between the financial and economic damage caused by attacks and existing coverage that falls well short.
The result is more cases like ISS World where ransomware attacks inflict serious damage on corporate financials that will take a year or more to recover from, in part because losses far exceed any coverage the company may have.
As the structural changes will likely take time, well-executed digital transformation matters more than ever as threats persist. And the divergence in performance between companies that are top-rated in cyber governance and those poorly rated in cyber governance will likely continue.