An efficient cyber market is “critical” for tackling emerging threats

The American Property Casualty Insurance Association (APCIA) has argued that an efficient cyber market with “experience, innovation, and collaboration” is needed to sustain growth, which comes against a backdrop of price increases in this line moderating, as well as concerns about systemic risk.

In late October, APCIA published a research paper entitled ‘Elements of an Efficient Cyber Insurance Market’ in partnership with CyberAcuView.

The paper argued that the insurance industry, business community, and government have parallel interests in encouraging stronger cybersecurity and tamping down successful ransomware attacks.

“As cyber threats continue to emerge, an efficient market for cyber insurance products is critical to ensuring that consumer demands can be met. An efficient marketplace benefits from a regulatory structure that provides consistency and an appropriate level of flexibility that is not unduly restrictive or cumbersome for insurers to effectively respond to changing needs, expectations, and risks of their consumers,” the paper said.

One of the most significant cyber threats is the proliferation of ransomware attacks over the past three years. The paper suggested that there must be a comprehensive approach to tackling this that focuses on the core drivers of criminal behavior, utilizing the expertise of all stakeholders.

“Insurance, particularly ransomware coverage, can play an important role in enhancing resiliency, but cannot cure criminal behavior that perpetuates the ransomware problem,” it said.

The US government is taking a “whole of government approach” towards managing the impacts of ransomware and eliminating or reducing the threat of ransomware attacks. It is also seeking to collaborate and partner with the private sector.

“To that end, there is a renewed interest from policymakers to understand cyber insurance and its role in the cyber threat landscape. Additionally, insurers and their customers should look to operate in a cooperative environment when a covered cyber event occurs,” the paper said.

Commenting on the paper, Shelby Schoensee, director of cyber and counsel for APCIA, said that cyber insurance is a developing line of business “and, as it is still maturing, the cyber insurance market needs time to develop further to sustain its growth”.

Strong growth expected but challenges remain

Demand for cyber insurance in the US continues to grow and is predicted to double annually for the foreseeable future.

The paper noted that, while surplus lines insurers have written most of the cyber insurance coverage, “recently there has been a shift to admitted companies”.

Insurers in the past few years have also tightened their underwriting appetite through reducing limits, increasing premiums and reviewing the cybersecurity protocols of their customers.

“Unpredictability of loss trends is contributing to the altered landscape for insurers and policyholders,” said the paper.

In an interview with The Insurer, Tim Francis, enterprise cyber lead at Travelers, said that he “feels good” about the market conditions.

“We did a lot of work over the last 18 to 24 months to make sure that the risks that we were writing, not only did we understand the vulnerabilities that they had but we were giving them access to the tools and the expertise to mitigate those vulnerabilities. That makes them a better risk and provides more value for them to be interacting with us. I think that's done a lot.”

However, he noted: "At the same time, the threat actors are adapting and evolving. And so we're seeing some increase in claims compared to this time last year. But because more of our customers have more of the protections in place, some of those threats aren’t as extreme as they used to be. Now, we still see really bad claims happen frequently but I think we've done a pretty good job at reducing that impact.”

Francis suggested that this speaks to the value of insurance. The cyber product not only pays for losses when bad events happen but also helps prevent them from happening or mitigates their impact.

However, there remains work to be done on improving cybersecurity controls.

The latest Travelers Risk Index released in September showed that cyber threats remain a leading concern for US businesses, but at least a quarter of firms are not even implementing the most basic cybersecurity practices.

The APCIA and CyberAcuView paper noted that the premium stabilization that began toward the end of 2022 has continued into 2023. It cited WTW figures which indicated that buyers are often seeing flat premiums for primary and excess cyber renewals, or even 5 to 10 percent decreases, while capacity continues to broaden.

This contrasts with the 50 to 150 percent increases in premium seen in early 2022.

“Underwriting decisions are heavily influenced by the security controls a company has in place in conjunction with pricing and attachment points,” the paper noted.

A factor cited as a possible reason for the smaller rate increases was reduced cyber claims activity.

Most insurers experienced better underwriting results in 2022, with Fitch reporting that for standalone cyber coverage the direct incurred loss and defense and cost containment expenses ratio improved significantly to 43 percent in 2022 from 68 percent a year earlier.

However, the paper said it may be prudent to exercise caution as the overall claim count (including notices) is now on the rise, with CyberAcuView noting increases over four consecutive quarters from Q1 2022 to Q1 2023, accounting for a total rise of 28 percent.

CyberAcuView reported that industries most impacted by claims count include finance and insurance, professional services, healthcare, information and manufacturing.

Commenting on the pricing environment, Travelers’ Francis told this publication: “If you had asked me six months ago, I might have thought pricing might have come down more. I think pricing hasn't come down as much, because truly claims are increasing, and I think there's a nervousness.

“There are still bad threat actors out there that have virtually no consequence for them trying to commit crimes. And often they're successful at committing those crimes.”

Reinsurers slowly increasing appetite

Another challenge that is limiting capacity and overall market growth relates to concerns about systemic cyber events.

The paper noted that reinsurers have slowly increased their risk tolerance for cyber risk, and some new capacity has come to the market. In addition, alternative capital market deals have been done this year, including by Beazley and Hannover Re.

In September this year CyberAcuView and Perils, which are both industry-supported consortia, announced the launch of a US cyber industry loss index that the paper said might help to “accelerate the growth of the cyber-ILS and ILW markets”.

Systemic concerns have been a big issue this year. Much of the focus has come from Lloyd’s mandating that a compliant war exclusion must be included in policies as of the end of March 2023.

Munich Re – the largest cyber reinsurer – has this year stressed that clarity on cyber war wordings remains one of its top priorities.

Talking to The Insurer in September, Chris Storer, head of Munich Re’s cyber center of excellence, global and North American reinsurance clients, said: “When it comes to cyber war, reinsurers will expect to see progress when it comes to the implementation of new and updated language in underlying policies. We have seen positive developments in the course of this year.”

The executive said there have been “slightly different approaches” in London and the US around event definition.

Cyber executives told this publication ahead of September’s Monte Carlo Rendez-Vous that cyber reinsurance capacity has increased while buying options continue to expand, with event covers emerging and even some alternative capital deals being done.

But they added that reinsurers will be keeping a close eye on cedants’ performance and systemic exposures at the upcoming renewals.

Erica Davis, global co-head of cyber at Guy Carpenter, noted the cyber reinsurance market has largely stabilized and policyholders have improved risk controls.

“In terms of what that means as we exit mid-year 2023 and head to 1.1.2024, there is increased appetite in the reinsurance market,” she said.

“Cyber has been viewed as a favorable trade in 2023, and we expect that to continue at 1.1.2024.”

Munich Re’s Storer identified two key themes ahead of the upcoming 1.1 cyber reinsurance renewals: performance, and the management of systemic risk.

“For this renewal, I think it's all about reconciling short-term performance, profitability, with longer-term sustainability,” he said. “I suspect Munich Re as well as other reinsurers will be quite eager to see how the market has performed over the course of 2023.”

Jonathan Spry, CEO of cyber MGA and modeling firm Envelop Risk, said clients are becoming increasingly sophisticated in the way they are looking to protect their accounts.

“We are seeing clients engage with us in detail to discuss the rating and claims environment, and are increasingly assisting clients with portfolio optimization.”

On rates, Spry acknowledged primary pricing has been under pressure, but he predicted that this would stabilize in 2024, and said cedants also see value in partnering with reinsurers to manage their risk portfolios.

Summing up the cyber insurance market, the APCIA and CyberAcuView paper said it “continues to mature with access to experience data, stronger underwriting, capital market investments, the development of cyber definitions and standards, engagement with law enforcement and other related security agencies to counter cybercrime, and collaboration on systemic risk solutions that will benefit both policyholders and society.”

The paper added: “Experience, innovation, and collaboration will show how far the private sector can take the cyber market for the benefit of all interested parties.”