S&P Global reports profitability return in global cyber insurance market, as reinsurers emerge crucial for growth

Profitability has returned to the global cyber insurance market following two years of rate increases and tightening terms and conditions, S&P Global outlined in a recent publication. This comes as annual premiums reached about US$12 billion at year-end 2022, and are likely to increase by 25 to 30 percent per year to reach about $23 billion by 2025. It also detailed that reinsurers are essential to cyber market growth, while reinsurers’ rates will continue to increase. 

“Cyber insurance relies to a great extent on reinsurance protection, and we believe reinsurers remain critical to the sustainable growth of the market,” according to research released this week. “The opportunities for reinsurers and insurers (re/insurers) are clear, but how much of an underwriting risk does cyber present? To find out, we surveyed global multiline insurers (GMIs), large primary insurers, and reinsurers underwriting cyber re/insurance to assess market growth, profitability, risk appetite, and the types of reinsurance offered.”

It added that insurers and reinsurers are not immune to cyberattacks on their operations, and any service disruptions or data breaches will likely affect their bottom lines and potentially their capital positions. “To better understand the impact, we analyzed cyber exposure data from cybersecurity specialist, Guidewire, using its Cyence cyber risk model. We found that, on average, GMIs and the global reinsurers we rate could withstand a direct cyberattack on their organizations, with a limited impact on capital. However, a direct cyberattack could hit the earnings of some insurers significantly.”

“In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market,” according to the research report. “Cyber insurers use a significant amount of reinsurance. Primary insurers ceded about 50%-65% of cyber insurance premiums to reinsurers in 2022, depending on the region. The reinsurance market and, eventually, the retrocession market will therefore be extremely important in providing capital and capacity to support further GPW growth.”

Reinsurers’ expertise in underwriting and modeling is also helping to develop the market, S&P Global reported. “In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focuses on risk differentiation, strong underwriting, and the provision of assistance services along the lines of prevention measures, crisis management, and data recovery. Changes in claims patterns, the rise of cyber threats, and huge accumulation of risk all create opportunities to increase reinsurance capacity. The number of reinsurers offering cyber coverage is rising in response.”

Disclosing that many reinsurers are nearing the limits of the amount of cyber exposure they can and want to handle, S&P Global added that “we don’t expect the market to soften as it has for primary cyber insurance. This is evident from the reinsurance segment’s higher rate adjustments so far in 2023. Reinsurers also need to regain underwriting profitability in their cyber portfolios.”

Reinsurers had a difficult 2022 due to low profitability and even underwriting losses in their cyber portfolios, the report said. “Their gross and net combined (loss and expense) ratios underperformed the primary insurance segment on average. The gross combined ratio was 107% and the net combined ratio 101% in 2022 for global reinsurance groups for the cyber business they reinsured.”

Agreeing with the S&P report, Jose Seara, founder and CEO at DeNexus, wrote in an email to Industrial Cyber that more than 50 percent of the risk is still ceded to the reinsurance market, “which is both an indication of the need for the underwriters to hedge themselves against a novel risk that they are still getting comfortable with and an indication of the absolute necessity of the secondary market to develop if we want (and in my opinion we need) the primary market to develop.”

Addressing the capacity of the cyber reinsurance market to grow, Seara said, “In my opinion that capacity is limited within the reinsurers’ own balance sheet. Although cyber may bring diversity and consequently a more efficient use of the same balance sheet capacity, we are far from proving that with data. So, tapping into alternative sources of capital, such as ILS investors, is mandatory. But that is not easy either for the same reason, lack of data to support the investment.”

Another consideration Seara added is the concentration of risk at the reinsurance level and the potential for systemic cyber risk, still not well understood. “Which again brings us to the need of data, that brings understanding and hopefully confidence to put capital behind cyber risks at scale.”

Going back to the S&P report, Seara said he is 100 percent in agreement with the need to develop the cyber reinsurance market, but he added that it is “not clear to me how and when that growth could be fostered while we keep learning about the risk and building the datasets necessary to make real progress in that learning process and replace current guesswork with actuarial evidence-based data.”

The S&P Global report said that it expects more rate increases for cyber reinsurance business this year, as has been seen in the cyber primary insurance segment over the past two years. “However, we believe primary cyber insurance underwriters can absorb the increases without passing them on to policyholders. This may be vital in the development of a sustainable cyber insurance market.”

The report detailed that cyber also presents an operational risk for re/insurers, given the huge amount of sensitive data they handle. “We could change our assessment of a re/insurer’s governance framework if we observe insufficient cyber risk management, including potential inability to identify and detect cyber risks, a lack of prevention measures, and an inadequate cyber-claim response strategy. We incorporate our view of a re/insurer’s cybersecurity into our overall assessment of risk management, looking at how the entity prepares for, responds to, and recovers from cyberattacks,” it added.

It also identified that the frequency and severity of cyber claims, especially those involving ransomware attacks, have undermined the market’s profitability in recent years. “In response, re/insurers have reduced their exposure, increased rates materially, and tightened policy wording. Consequently, much of the recent increase in premiums was due to substantial rate increases, rather than underlying growth in the size or volume of contracts.”

However, S&P Global said in its research report that “we believe the industry will need to encourage more sustainable underlying growth that is not largely led by rate increases. This growth will depend heavily on market participants addressing systemic cyber risk, more insurers providing coverage with the support and expansion of the reinsurance, retrocession, and insurance-linked securities markets, as well as more small-to-midsize enterprises purchasing cyber insurance.”

The U.S. accounts for most cyber insurance premiums, while Latin America and Asia-Pacific show the fastest growth, the S&P Global research disclosed. “In the primary cyber insurance market, Latin America and Asia-Pacific have seen the highest premium growth rates in the past five years. The cyber insurance markets are larger and more mature in North America and Western Europe, which explains the lower growth rates in these markets.”

It added that about 56 percent of gross premiums written (GPW) on affirmative cyber insurance, which explicitly covers cyber risk, are generated in North America; about 37 percent in Europe, the Middle East, and Africa; six percent in Asia-Pacific, and one percent in Latin America.

Another interesting insight that the latest S&P Global report highlighted is rate fluctuations arising from the emergence of new risk-differentiation models and cyber security standards, alongside improvements in cyber security systems. “These underwriting techniques have become a mainstay of insurers’ efforts to create what they deem to be sustainable cyber insurance products. In some cases, it has also led to the cancellation of contracts where policyholders have failed to meet security standards and thus provide an acceptable risk-return profile for insurers.”

Insurers have also adjusted contract terms and conditions; increased retention levels, meaning policyholders retain more risk; and reduced coverage for specific types of loss, especially concerning ransomware and business interruption coverage. Those changes partly stem from the significant number of insurers whose loss ratios increased sharply, mainly due to larger and more frequent ransomware-related claims in 2020 and 2021.

“An unfortunate side effect of the price increases and tightening of terms and conditions over the past two years is the perception of cyber insurance being unaffordable, especially for small-to-midsize enterprises,” S&P Global added. “That, in turn, has led some companies and government entities to eschew cyber coverage altogether. This course of action offers upfront cost savings, but it could also make recovering from a cyberattack more difficult.”

S&P Global underlined that cyber incidents have so far “had a minimal impact on our view of global re/insurers’ financial strength. However, this situation could change quickly and dramatically. Cybercriminals are rapidly becoming more sophisticated, and insurers possess large amounts of personal information about their customers, which makes them an attractive target.”

The report identified that a cyberattack could lead to a severe financial loss for insurers due to direct theft of funds or ransom demands for stolen data, but also due to business disruption and regulatory fines. “Besides the direct financial consequences, cyber incidents can also result in severe and long-lasting operational issues. The reputational damage may also be substantial, or even irreversible. It could also lead to a decline in new business or stymie access to capital markets. Protecting internal sensitive data from cyber criminality is therefore paramount for insurers.”

“Insurers globally are migrating toward digital channels and focusing increasingly on technology-led customer value chains in an effort to improve customer relationships and offer innovative products,” the report detailed. “Insurers are also working on advanced models and advanced risk management tools to deal with the complexity of cyber insurance products. Streamlining technology by using online policy application tools, digital claims handling, and mobile-based applications is an important part of their strategy. Yet a digital environment also introduces new attack gateways for cyber hackers.”

In conclusion, the S&P Global report says that as the cyber insurance market develops, the cyber reinsurance market will mature as well. “Despite larger reinsurers signaling that they are close to capacity, we see other reinsurers exploring opportunities to increase their exposure to cyber risk. This would help the market expand responsibly, with a diverse range of reinsurers.”

Another mechanism to foster such growth is collaboration among participants in the cyber insurance market. Insurers, reinsurers, brokers, and managing general agents have developed innovative data-rich analytics to enhance their underwriting and aggregation-risk management. The report expects to see increasing numbers of partnerships among these players in the future.

However, the cyber insurance market remains especially difficult for those in the cyber re/insurance value chain, given the enormous potential for economic losses, the report added. “We, therefore, believe re/insurers need to diversify their sources of back-up protection when expanding in the cyber space. With risk-adequate pricing, we see an opportunity for re/insurers to partner with the capital markets and increase their capacity. In our view, despite the many challenges, third-party capital could become a vital component in the development of a mature cyber insurance market.”

Earlier this month, S&P Global published data on new and emerging legislation dictating cyber-related disclosure and governance standards that could weigh on issuers’ financial risk profiles by increasing the likelihood of penalties and by necessitating investment to meet minimum standards.
