The cyber insurance market saw substantive changes in underwriting controls, including tighter terms and conditions, and stricter risk selection and underwriting standards in response to higher-than-expected ransomware losses in 2020, notes the International Association of Insurance Supervisors (IAIS).
As a result, clients not reaching minimum cyber hygiene standards found it harder to secure coverage, says the IAIS in the 2023 special topic edition of its Global Insurance Market Report (GIMAR). These market dynamics reflect market hardening following an increase in ransomware claims in recent years.
About 40% of all global cyber premiums flowed to the reinsurance market. This compares to 25% of non-life premiums ceded to reinsurers across the sample. This high level of ceded premiums is not unexpected for a new class, as new entrants seek to partner with a reinsurer to better understand the risks, diversify exposure, gain experience and collect data. While there was activity related to cyber risk transfer in the insurance-linked securities (ILS) market in 2021, volumes were low, and capital availability was limited.
“Cyber risk has become an important area of focus for insurance supervisors as it poses not only an operational risk but also an underwriting one”, said Ms. Vicky Saporta, IAIS Executive Committee chair.
The report shows that an expanding cyber attack surface, growing dependencies on technology, and a complex cyber threat landscape contributed to an increased demand for cyber insurance products, pushing written premiums to record levels in 2021 and improving profitability.
Additionally, the analysis highlights the potential catastrophic dimension that cyber risk can have and how this can pose insurability issues. Despite this, the severity of claims related to large cyber events has been relatively low compared to those arising from natural disasters.
A considerable degree of uncertainty remains around cyber catastrophe risk and what a cyber tail event would look like – more so than for other perils. One loss estimate for a 1-in-250-year event affecting the US standalone affirmative market is in the region of $30bn. The largest cyber event to date was NotPetya in 2017, which resulted in an estimated $10bn in losses, of which $3bn has been covered by the insurance sector to date. To put this into context, an average Atlantic hurricane season has 14 named storms, seven hurricanes and three major hurricanes, causing, on average, $20.5bn in losses per event in the last 40 years.
However, various reports indicate that cyber insurance only covered a small proportion of the potential economic loss resulting from cyber events. The cyber protection gap appears to be widening, with important differences across jurisdictions.
Cyber security measures
The report also finds that most insurers in the sample analyzed have implemented various cyber security measures, indicating a positive awareness and management of their own cyber risk. However, the effectiveness of their cyber security frameworks is difficult to evaluate due to data gaps and jurisdictional differences. The analysis shows that the global shortage of cyber security professionals compounds the cyber operational risks that insurers face.
In terms of systemic risk, the cyber underwriting activities of insurers in the sample were not assessed to pose a threat to financial stability. This is because the market was too small and tail losses arising from affirmative coverage would have been absorbed with the level of coverage being offered. However, there remain important data gaps to gauge the systemic risk posed by non-affirmative coverage.
The IAIS is a global standard-setting body whose objectives are to promote effective and globally consistent supervision of the insurance industry to develop and maintain fair, safe and stable insurance markets for the benefit and protection of policyholders and to contribute to the maintenance of global financial stability. Its membership includes insurance supervisors from more than 200 jurisdictions.
Read the Global Insurance Market Report (GIMAR) special topic edition on cyber risks in the insurance sector here.