The future is cyber – can you price the risk?

A spike in claims caused a fall in 2020 underwriting performance, sharply increasing premium rates. Gerald Glombicki of Fitch says this is just the beginning.

Cyber risk has grown into one of the biggest for businesses, institutions and the financial system to consider – and it has barely started. As risk exposures continuously evolve with advances in technology and hacking methods, the demand for protection is only increasing.

Premium rates up

Rates are increasing sharply with around 22 percent direct written premium growth from 2019 to 2020, while loss experience worsened due to an influx of ransomware incidents.

While data breaches continue to be the primary driver of cyber claims exposures, losses tied to ransomware attacks have become more prominent in the last two years. At the same time, larger fines and penalties from cyber incidents have emerged due to tighter privacy and data protection legislation.

In 2020, the direct loss ratio for the standalone cyber market was 73 percent – a huge increase from 47 percent in the prior year and an average of 42 percent from 2015 to 2019. The average paid loss for a standalone cyber claim was $359,000 in 2020 – more than double the $145,000 figure seen in 2019.

Pandemic pitfalls

The move to working from home during the Covid-19 pandemic put a huge strain on companies and sparked concerns around securing extended networks. While it is tough to attack a company through internal routers, hardware and networks, which are designed to withstand them, it is a lot easier to attack the users, as humans are the weakest link.

Cyber attacks at institutions and companies are now so common that governments are starting to play a much bigger role at all stages of their emergence. There is talk of introducing legislation to ban ransomware payments, for example. Already in the US, you cannot pay a ransom to a person who is on the Office of Foreign Assets Control’s restricted list. Elsewhere, national governments and regulators are passing legislation to toughen up their cyber postures and requiring companies to do, as well as disclose, more.

Some companies are certainly further ahead than others on controls around cyber risks, but few are yet where they want to be. We have seen companies overspending on cyber risk protection to get unnecessary bells and whistles, while not focusing on the most basic weaknesses in their systems.

As we start to see penalties increase and the risk of being sued rise, demand to insure against the losses from cyber disasters will further increase.

A new age is coming

However, there are concerns whether underwriters can successfully price cyber business in the longer term, given evolving risk exposures and sources of loss. Cyber liability rates increased by around a third in the first quarter of the year, which shows primary markets are clearly having a tough time and would love to pass the risk onto reinsurers.

We believe the historical model of writing cyber insurance and heavily reinsuring it will be much tougher to pursue going forward as reinsurance rates will clearly have to rise. As losses go up, reinsurers are also becoming more selective in what they will take on.

Primary insurers will therefore be forced to do a much better job of underwriting the cyber risks at the outset. Yet, unlike other more established insurance sectors, there is a lack of adequate historical data to analyse the market, particularly in the US, which is already causing issues. Historically, prices have typically been quoted based on a traditional questionnaire and security scorecard basis.

Encouragingly, we are starting to see more scrutiny and a tightening of terms and conditions to underwrite the right rate for the right risks, but more is needed quickly as we are just at the start of this cyber journey.

You can also view this article in the first weekly edition of #ReinsuranceMonth, which was published on 1 September by The Insurer and is available to download for free at theinsurer.com/reinsurance-month/weekly-editions.