Cyber remains one of the most dynamic insurance and reinsurance lines of business. It has seen record growth, headlined the Wall Street Journal and gone through a market cycle at blazing speeds. The cyber risk environment is ever changing, which makes it a challenging and engaging line in which to operate.
The third general session of the 2023 CAS Spring Meeting featured three speakers sharing their perspectives on the state of the cyber industry: insurance broker Lindsay Volpe, AVP-cyber liability at Arthur J. Gallagher; managing general agent underwriter Pete Hedberg, VP of cyber underwriting at Corvus; and reinsurance broker Justyna Pikinska, global head of cyber analytics at Gallagher Re.
Volpe led off the session with an overview of the recent cycle. In 2018 the cyber market was soft, because historically only the owners of large amounts of personal data (such as financial institutions, retailers, etc.) were the main victims of cyber breaches. Pricing was low, and applications were short and easy to complete. A mere three years later, as the frequency of cyber attacks increased due to the spread of ransomware, the market had experienced significant price increases, lengthened applications, instituted strict underwriting standards and policy conditions, and forced companies to materially improve their cyber practices to reduce the risk.
Now, per Volpe, premiums have eased from their recent steep climb, but the cyber market is not “soft.” Rates continue to rise for many companies, but more slowly. Most insurers have added more restrictive policy wording to their cyber policies to limit their losses to systemic risks and to catastrophic events, but policy wording is not yet standardized across the industry. Underwriting applications are still several pages long, with requirements for cyber risk management practices.
Clients need cyber insurance now more than ever. The ever-growing dependence of individuals and businesses on digital technology has made the threat — and potential cost — of cyber attacks ubiquitous and persistent. State and federal regulations around consumer data privacy continue to grow, expanding potential liability for failure to comply. And every contract between businesses must take into account the specifications in each party’s cyber policy.
Hedberg opened with clear declaration: “Cyber risk is insurable.” Some in the industry argue it is not, but this session’s panelists unanimously disagree. He referenced two studies — one from Swiss Re, the other from Munich Re — capturing the recent growth in global cyber premiums, as well as forecasts for the years ahead. Premiums have doubled from $5.8 billion in 2019 to $11.9 billion in 2022. Munich Re forecasts global premiums of $33.3 billion in 2027, with an annual growth rate of nearly 30%. (See Figure 1.)
Hedberg then shared the latest trends on ransomware. While the number of ransomware cases globally has been increasing, improved defenses in the U.S. reduced its portion of the total from over 50% in the fourth quarter of 2020 to approximately 30% by year-end 2022. But then he showed the number of ransomware victims spiked in the first quarter of 2023, well above 2021 and 2022 levels. His conclusion? “Attacks are on the rise, but not our demise.”
Hedberg elaborated on the point Volpe made about the complexities emanating from state and federal privacy requirements. State legislation, like the Illinois Biometric Information Privacy Act (BIPA), are creating new avenues for litigation against businesses and insurers. Per BakerHostetler’s 2023 Data Security Incident Response Report, “Lawsuits nearly doubled year-over-year. No longer are only the ‘big breaches’ capturing attention.”
Clients need cyber insurance now more than ever. The ever-growing dependence of individuals and businesses on digital technology has made the threat — and potential cost — of cyber attacks ubiquitous and persistent.
This risk will only increase as technology’s evolution accelerates. For example, Pixel is a recently created software application that retargets third-party cookies. Without getting too technical, user browsing of multiple websites results in unique IDs being created between these websites and cookies being sent back to the user. These cookies are a new source for data privacy litigation. Software like Pixel is leading to new challenges and new opportunities for cyber insurers.
Pikinska began by addressing six common misconceptions about the cyber insurance and reinsurance market:
- Cyber is uninsurable.
- There is no data.
- All cyber events lead to losses. (Reality — not every news headline results in insurance losses.)
- Cyber cannot be modeled. (Reality — multiple vendor cyber models are now available.)
- Cyber is not profitable.
- Hackers are always one step ahead.
She then elaborated on several of the points from her reinsurance outlook.
First, reinsurance capacity to assume cyber risk remains very strong. Quota share cessions remain in excess of 50%, while insurers continue to purchase excess of loss (XOL) treaties as well. Second, improving performance of cyber treaties and greater C-suite confidence in the market is easing pressure on pricing, as well as terms and conditions.
Third, reinsurers are offering forward-looking strategies to their insurer clients to support future growth (e.g., quota share treaties) as much as to transfer catastrophic and systemic risk (e.g., XOL treaties). Fourth, reinsurers are limiting retrospective treaties and event-based capacity and instead have a growing interest in occurrence-based solutions.
To address any misperceptions about cyber insurance profitability, Pikinska shared loss ratio results from the Lloyd’s market. The calendar-year loss ratios increased quickly, from a low of 27% in 2015 to the peak at 87% in 2019, then dipped back down below 50% in 2021 and 2022 (See Figure 2.). When asked about the risk of adverse development, she acknowledged some risk but tempered the risk because of claims-made policy forms, high IBNR amounts and ample room below their target loss ratio of 62%.
She closed her section by addressing the misconception about lacking cyber data via data standards. Reinsurers have a growing menu of cyber data in the risk bordereau with every additional renewal cycle and loss details with all claims submissions. For example, half of cedants now provide sublimit information, and 20% of cedants are beginning to provide web addresses to reinsurer markets. Reinsurers ask for and scrutinize the insurers’ rate change methodology and calculations to understand what factors and business were considered.
Panel moderator Andrew Li, head of pricing for Corvus, facilitated an interesting question and answer session. When asked to look into their crystal ball for future market trends, the panelists forecast a stabilizing market with more consistent policy language and technology solutions to better stratify high-to-low risk insureds.
What keeps them up at night? Panelists emphasized the growing risk of new regulations and federal intrusion disrupting the cyber market, which is already responsibly innovating to address growing and evolving cyber risk.
What tools do your teams need to be successful? Alongside improved client education and the need for staff diversity of thought and experience, two panelists mentioned the need for improved tools to validate the strength of cyber risk mitigation and protections like firewalls.
Li’s final question was their favorite part about working in cyber insurance. Pikinska said, “I like all the newness and the opportunity to develop new solutions.” Hedberg offered, “I learn something new every year, with new challenges to meet.” Volpe closed by sharing, “I’m excited by the challenge to respond to and assist clients when there is a cyber incident.”
Dale Porfilio, FCAS, is the chief insurance officer for the Insurance Information Institute.