At below $10 billion, why has the cyber re/insurance market failed to live up to its potential?

By 2025, some experts were predicting the cyber re/insurance market would be worth at least $25 billion, probably more. But we are not even close - so what happened?

Three years on we are seeing a continued capacity crunch, with prices skyrocketing thanks to a profound supply and demand imbalance.

Commercial rate rises of over 300% are not uncommon, according to one Lloyd’s broker. And currently, in 2022, the total size of the global cyber insurance market is estimated at below $10 billion.

Feeling the sting

Stung by the frequency and severity of large losses, many underwriters have retrenched. Ransomware has been a particular problem, responsible for three quarters of cyber claims in 2020, according to AM Best, and likely to have been the costliest loss event category in 2021, according to WTW.

In response, carriers have pulled back while reassessing their appetite, wordings and overall capacity. Meanwhile, demand for the product only continues to grow.

There are also fears of spillover from state-sponsored attacks from Russia or China (which have collectively sponsored over 50 so far in 2022, according to Atlas VPN). Attacks targeting critical infrastructure, for instance, rose from fewer than ten in 2013 to almost 400 in 2020, according to Lloyd’s.

Add all this to concerns over the potential systemic nature of the threat and it is not hard to see why carriers and reinsurers have hit the pause button.

The acceleration of digitisation and reliance on cloud technology during the COVID crisis, along with events such as the SolarWinds and Kaseya incidents, have served as a warning of how an accumulation could unfold. These are no longer vague scenarios.

“Traditionally, irrespective of technical price, the market at large proved to be very profitable pre-2019 - and it continued to grow,” says Daniel Carr, head of cyber at Ariel Re.

“That has flipped 180 degrees since 2019 when we saw the first major deterioration in results and we’ve seen elasticity in that process shoot back and questions are asked about what actually is the right price?”

“At the same time, there’s natural growth in demand from the end purchasing population. Now everybody wants the product and you’re on the other side where capital that was once very hungry to give it, is now a little bit more hesitant to do so.”

Cover, but at what cost?

To grow the market, cyber underwriters need access to more reinsurance capacity, and this remains stubbornly elusive, unless you are a cedant that is willing to pay over the odds. For some, there is little choice in the matter.

“More purchases and additional capacity are sought in the marketplace as awareness of systemic cyber events grows and cyber portfolios increase in size, largely driven by the current pricing environment,” explain Anthony Cardonnier and Erica Davis, global co-heads of Cyber at Guy Carpenter.

“Many carriers are reducing capacity exposed,” they continue. “Incumbent reinsurers, due to capacity constraints, may look to reallocate capacity to perceived higher-margin deals.

“Some carriers are scaling back ransomware-related coverages (or not offering coverage at all) for clients that don’t have adequate controls.”

Many buyers have had little choice but to retain more of the risk on their own balance sheets. And as a result, they are taking a more technical approach.

“We expect the primary market’s actions (both from a rating and underwriting standpoint), and its subsequent profitability turnaround will lead to a greater comfort from reinsurers, which will in turn attract additional capital to the class and relieve some pressure on terms and conditions in the coming reinsurance cycle,” add Cardonnier and Davis.

Tackling systemic fears 

Realistic disaster scenarios can help re/insurers price and manage the risk based on known unknowns, but they only go so far when it comes to accumulation potential.

Whether it is a cloud outage, mass malware or some other cyber event that impacts multiple organisations globally, the ability to better model tail risk is key to unlocking the market. 

“The cyber re/insurance market is a really immature market and we are just scratching the surface,” says Jose Seara, founder and chief executive of DeNexus, a cyber risk modelling company.

“Without a true real understanding of the risk there is no way the market can develop and no way the entities buying the risk and putting their capital can buy significantly more, because they do not really understand what they are buying.”

“The market is not sophisticated enough to differentiate between the different ‘flavours’ of cyber, and that is one of the problems for the market to evolve,” he continues.

“It’s like talking about natural catastrophe risk: Hurricane risk in Florida has nothing to do with earthquakes in California aside from the fact that they are both natural catastrophes.”

Ring-fencing catastrophic scenarios

For the market to get back on track, gain comfort with the risk and offer meaningful capacity, the cyber market will need to better segment the risks presented and get a better handle on wide area events.

If plain vanilla-type exposures can be catered for separately from risks that have a catastrophic potential, both the primary and reinsurance markets will begin to gain more comfort and should increase their line sizes.

Some markets are beginning to tackle this. Chubb, for instance, now differentiates between ‘limited impact events’ and ‘widespread events’ in its approach to cyber risk. This allows policyholders to tailor coverage levels depending on the exposures they are concerned about, be it ransomware encounters, neglected software vulnerabilities or something more systemic in nature.

Beazley is also exploring how to ring-fence its exposure in the event of a cyber catastrophe.

“Whereas pre-2019, you had an insurance product that is trying to do all the cyber things, now it is beginning to flip the other way,” says Carr. “It’s about really understanding the different problem spaces within the wider cyber domain, and then aligning different products and expertise to them to deliver a more efficient marketplace.”

While cyber rate hardening is likely to continue into 2023, DeNexus’ Seara is feeling optimistic about the market’s potential beyond that. “Most of the stakeholders we have engaged are now taking a proactive approach to try and understand the risk and develop new products that better meet the client’s needs.

“Hopefully this will bring additional capacity into the market in years to come due to a better understanding of the risk and a better product offering.”