Cyber insurance is harder for businesses to find than it was a year ago — and it’s likely to get even harder. While cyber insurance is increasingly becoming a must-have for businesses, the explosion of ransomware and cyber-attacks means it is also becoming a less attractive business for insurers. The average ransom payment shot up by 82 percent between 2020 and 2021. By the middle of last year, the number of ransomware attacks had increased by more than 150 percent in all of 2020. This has had a direct impact on the insurance industry: the uptick in attacks — and payouts — has led to higher losses for insurers and has dulled their appetite for this emerging and often volatile industry.
For cyber insurance to remain a viable business, insurers and their customers need a new pool of capital to address the risk of major, generally improbable (but possible) cyber disasters — events that affect multiple companies and cost insurers hundreds of millions of dollars. That new pool of capital could help insurers better manage their risks and give them more breathing room to purchase more cyber insurance policies. Insurance-linked securities (ILS) could help the sector grow.
Less protection for more money
While it’s difficult to measure the global sum of premiums that insurers collect for cyber insurance, the PCS team I lead at data/analysis company Verisk estimates the total to be about $5.5 billion, compared to about $5 billion a year ago. It’s cocktail napkin math, but pretty good cocktail napkin math.
Don’t be fooled by the appearance of growth, even if that growth has increased 10 percent year over year. Many companies have had to spend more to buy insurance that covers the same or less than last year, with premium increases of 25-75 percent — depending on the type of business taking out insurance, how much protection they want, and other factors. While that may seem like a growth for insurers, that premium can also carry greater risk. And despite appearances, some insurers have reduced the amount of cyber they will write or even removed it from the market altogether.
As you would expect from the proliferation of ransomware activity (and other types of attacks), the loss environment of the global insurance industry has become more challenging. Data reviewed by PCS from the January 1, 2022 reinsurance renewal cycle shows a significant increase in cyber insurance loss ratios (insured losses divided by premium). After hovering around 60 percent in the past, according to our market sources, it looks like 2021 could hit 80 percent when the dust settles, which could take a while. We continue to see more loss activity reported from 2020, and even some from 2019. Over time, we could see past profitability decline further along with a delayed signal on current cyber insurance loss trends.
For many in the cyber insurance industry, reinsurance has been a bit of a crutch. (Reinsurance is basically the insurance that insurance companies buy.) Insurers have become increasingly dependent on reinsurance as a way to manage their deductibles and capital, and it’s safe to say that the growth in cyber insurance (particularly in 2018) largely fueled by reinsurance. Simply put, reinsurance has made it easier for many insurers to outsource cyber activities because they have a partner ready to share the risk with them. It’s a lot easier to say yes when someone else is sharing the burden.
The share of reinsurers is growing rapidly. A few years ago, insurers relinquished about 45 percent of the cases they wrote to reinsurers. Today it is about 55 percent. This means that insurers are not increasing their commitment to the cyber sector. They will write more as long as someone else (the reinsurer) takes on more and more of the burden. But as losses become more frequent and expensive, many reinsurers are also becoming more cautious.
While the growth of cyber reinsurance has enabled insurers to water, that is not enough in the long run. Part of what’s missing, though, is an increase in protection. Premiums may rise, but companies may have less protection than in the past, potentially leaving them more exposed. Industry growth does not necessarily mean a business environment that is more secure from cyber. We need to see premium growth grow through market expansion, not through higher prices on a shrinking capital base. Currently, reinsurers provide enough support to insurers to keep the cyber insurance market in place, but not enough to grow it.
This stabilization is still important, as a more pervasive and aggressive cyber threat environment could lead many to reconsider whether to purchase cyber insurance at all. The question is now bluntly simple: has the threat become untenable?
How Effects Can Help
It is clear that something needs to be done about the cadence and impact of cyber attacks. Reducing the threat would have the biggest impact on insurers’ ability to launch more cyberattacks. Fortunately, there have been some promising developments, such as the successful diplomatic efforts to get decryption keys without ransom after last summer’s Kaseya attack. However, diplomacy requires a long runway and the industry has to buy time as that process progresses. For now, more capital could make a difference – if it is used to fill the right gaps in the market.
A small corner of the reinsurance industry is ideally placed to help the cyber-insurance industry navigate today’s threat environment: insurance-related securities or ILS.
The ILS sector is made up of fund managers who provide reinsurance through financial instruments designed to bring together capital markets and the insurance industry. According to Artemis.bm, the leading trade publication on the ILS industry, the industry is still small at about $106.6 billion, but it could have a disproportionate impact on the cyber insurance and reinsurance market by writing what is called retrocession, or reinsurance for reinsurers. Several decades ago, ILS funds retrocessioned the real estate disaster reinsurance market (think hurricanes and earthquakes) when there was a shortage of capital, ultimately fueling the growth of both catastrophe reinsurance and ILS. Because they provided protection for large-scale events that are quite rare, they were able to generate sufficient returns for their investors while helping insurers and reinsurers manage their overall risk more effectively. Cyber insurers and reinsurers today need the same help.
There is a similar opportunity with cyber today, but insurers need to make the case and help these funds understand the market.
PCS recently spoke with 24 ILS funds, representing nearly 80 percent of the industry measured by assets under management (AuM). Only two have a mandate that completely eliminates cyber risk. About 20 percent of them have engaged in at least one cyber ILS transaction, although they were mostly smaller, custom transactions intended to mirror traditional reinsurance. What’s more important, though, is the appetite for growth: Thirteen ILS funds, with nearly $60 billion in assets under management, reported an interest in providing cyber-reinsurance protection. Most of them have never done that. Eight of those funds — $41 billion in assets under management — want to offer cyber reinsurance this year.
The first step to getting the ILS market into cyber is retrocession – again, reinsurance for reinsurers. Then reinsurers have more capital to help insurers. Here’s how to get that started:
1) To more effectively raise this capital — and help it achieve the greatest impact — ILS funds need to see cyber ILS transactions that are easy to understand (and explain to their end investors).
2) Commoditizing these easy-to-understand deals is critical, especially when it comes to minimizing friction costs.
3) Deals that are easy to analyze and use a common language are most likely to trigger the first major wave of cyber ILS activity and lay the foundation for the development of an ongoing, reliable and robust cyber retrocession market.
4) Now that reinsurers can insure retrocession, they should be able to commit more capital to the insurers they support, which in turn will allow for a return to growth of the cyber insurance market.
The industry is making progress. ILS funds have shown a notable increase in appetite for cyber risk, especially as protection buyers’ expectations of price have risen. Insurers and reinsurers have seen ILS fund quotes also approach a more realistic level, which is the behavior necessary for the market to reach a clearing price. Once the first trade is completed, most of my clients agree that many more will follow.
Cyber ILS alone will not save the cyber insurance market. Ransomware has become a big problem and it takes more than just insurance to fix it. That said, cyber ILS can help insurers, policyholders, governments and other stakeholders gain the breathing space they need to manage the threat environment and make the cyber world a safer place.
This post The cyber insurance market needs more money was original published at “https://hbr.org/2022/03/the-cyber-insurance-market-needs-more-money”