Cyber insurance is harder for businesses to find than it was A year ago – and it’s likely to get harder. While cyber insurance is becoming increasingly imperative for businesses, the explosion of ransomware and cyber attacks means it’s also becoming a less attractive business for insurers. The average ransom payment skyrocketed 82 percent from 2020 to 2021. In the middle of last year, the number of ransomware attacks increased by more than 150 percent for the whole of 2020. And this has had direct implications for the insurance industry: the rise in attacks and payouts has meant steeper losses for insurers and diminished their appetite for this emerging class of business and, often, volatile.
For cyber insurance to remain a viable business, insurers and their clients need a new pool of capital to help address the risk of large, often unlikely (but possible) cyber catastrophes, events that affect multiple companies and cost insurers hundreds of millions of dollars. That new pool of capital could help insurers better manage their risk and give them more breathing room to underwrite more cyber insurance. Insurance-linked securities (ILS) could help give the industry what it needs to grow.
Less protection for more money
While it is difficult to measure the global amount of premiums that insurers charge for cyber insurance, the PCS team, which I lead at analytics/data company Verisk, puts the total at about $5.5 billion, up from about $5 billion a year ago. It’s cocktail napkin math, but pretty good cocktail napkin math.
Don’t be fooled by the appearance of growth, even if that growth is up 10 percent year over year. Many companies have had to spend more to buy insurance that covers the same or less than last year, with premiums rising from 25 percent to 75 percent, depending on the type of company buying the insurance, how much protection they want and other factors. . While that may seem like growth to insurers, that premium may also come from more imminent risk. And despite appearances, some insurers have reduced the amount of cyber insurance they will write or have even withdrawn from the market altogether.
As expected from the rise in ransomware activity (and other types of attacks), the global insurance industry’s loss environment has become more challenging. Data reviewed by PCS from the January 1, 2022 reinsurance renewal cycle shows a significant increase in cyber insurance loss ratios (insured losses divided by premium). After hovering around 60 percent in the past, according to our market sources, it looks like 2021 could hit 80 percent, when the dust settles, which may take a while. We still see more loss activity being reported from 2020, and even some from 2019. Over time, we could see past profitability deteriorate further, along with a delayed signal in cyber insurance loss trends from today.
For many in the cyber insurance industry, reinsurance has been a bit of a crutch. (Reinsurance is basically the insurance that insurance companies buy.) Insurers have become increasingly reliant on reinsurance as a way to manage their own risk and capital, and it is safe to say that the growth cyber insurance experienced (particularly through 2018) was largely driven by reinsurance. In a nutshell, reinsurance has helped many insurers to write cyber business more easily, because they have a partner ready to share the risk with them. It’s so much easier to say “yes” when someone else shares the load.
The participation of reinsurers is growing rapidly. A few years ago, insurers ceded about 45 percent of the business they wrote to reinsurers. Today, that’s about 55 percent. This means that insurers are not increasing their commitments to the cyber sector. They will underwrite more as someone else (the reinsurer) takes on more and more of the burden. But with losses becoming more frequent and costly, many reinsurers are also becoming more cautious.
While the growth of cyber reinsurance has allowed insurers to stay afloat, that’s not enough in the long run. However, part of what is missing is a growth in protection. Premiums may be on the rise, but companies may have less protection than in the past, possibly leaving them more exposed. The growth of the industry does not necessarily mean a more cyber-safe business environment. We need to see premiums grow from market expansion, not higher prices on a shrinking capital base. Right now, reinsurers provide enough support to insurers to keep the cyber insurance market in place, but not enough to help it grow.
This stabilization remains important as a more pervasive and aggressive cyber threat environment could cause many to reconsider whether they want to be cyber safe. The question now, bluntly, is simple: Has the threat become unsustainable?
How Values Could Help
It is clear that something must be done about the cadence and impact of cyberattacks. Alleviating the threat would have the most profound impact on insurers’ ability to underwrite more cyber. Fortunately, there have been some promising developments, such as the successful diplomatic efforts receive decryption keys without ransom payment after the attack on Kaseya last summer. However, diplomacy requires a long road and the industry needs to buy time while that process moves forward. For now, more capital could make a difference, if deployed in the right spaces in the market.
A small corner of the reinsurance industry is uniquely positioned to help the cyber insurance sector navigate today’s threat environment: insurance-linked securities, or ILS.
The ILS sector consists of fund managers that provide reinsurance through financial instruments designed to bridge the capital markets and the insurance industry. At approximately $106.6 billion, according to Artemis.bm, the leading trade publication for the ILS sector, the sector is still small, but could have a disproportionate impact on the cyber insurance and reinsurance market by underwriting what is called retrocession or reinsurance for reinsurers. Several decades ago, ILS funds provided a kickback to the property catastrophe reinsurance market (think hurricanes and earthquakes) when capital was tight, ultimately leading to the growth of both catastrophe and ILS reinsurance. Since they provided protection for massive events that are quite rare, they were able to generate enough returns for their investors while helping insurers and reinsurers manage their overall risk more effectively. Today’s cyberinsurers and reinsurers need that same kind of help.
A similar opportunity exists today with cyber, but insurers need to make the case and help these funds understand the market.
PCS recently spoke with 24 ILS funds, representing nearly 80 percent of the industry as measured by assets under management (AuM). Only two have mandates that completely exclude cyber risk. About 20 per cent of them have engaged in at least one cyber ILS trade, although these have tended to be smaller, more tailored transactions intended to mirror traditional reinsurance. More importantly, however, is the appetite for growth: Thirteen ILS funds, representing almost $60bn in assets under management, reported that they are interested in providing cyber reinsurance protection. Most of them have never done it before. Eight of those funds ($41 billion in assets under management) would like to provide cyber reinsurance this year.
The first step in bringing the ILS market online will be retrocession, again reinsurance for reinsurers. So that will leave reinsurers with more capital to help insurers. This is how you can start:
1) To engage this capital most effectively, and help it make the most impact, ILS funds need to see ILS cyber transactions that are easy to understand (and explain to their end investors).
2) Commoditizing those easy-to-understand offerings will be crucial, particularly when it comes to the importance of minimizing frictional costs.
3) Transactions that are easy to analyze and use a common language are more likely to cause the first big wave of cyber ILS activity and create a foundation for the development of an ongoing, reliable and robust cyber retrocession market.
4) With reinsurers able to underwrite retrocession, they should be able to deploy more capital to the insurers they support, which in turn will allow a return to growth in the cyber insurance market.
The industry is progressing. ILS funds have shown a notable increase in cyber risk appetite, particularly now that protection buyers’ price expectations have risen. Insurers and reinsurers have also seen ILS fund quoted prices move closer to a more realistic level, which is the behavior necessary for the market to reach a clearing price. Once the first tradable transaction is completed, most of my clients agree, many more will follow.
Cyber ILS alone will not save the cyber insurance market. Ransomware has become a deep problem and will require more than just insurance to solve. That said, cyber ILS can help insurers, policyholders, governments, and other stakeholders get the breathing room they need to manage the threat environment and make the cyber world a safer place.