Cyber insurance: challenges and opportunities of an emerging market

Technological advances have brought many improvements to our day-to-day lives and many incredible discoveries, but have also exposed consumers and businesses to a new set of risks and challenges. In this article we explore what some of these are and how they affect the insurance industry, and in particular its coverage of cyber incidents.

We are facing the last stage of a technological shift. The internet, which used to be a place where we “went” (the cybercafe), is now a ubiquitous reality in which we “live”. Our houses, our cars, and the way in which we shop and interact with people are filled with algorithms. This trend has also been fueled by the Covid-19 pandemic. We now have a split-screen existence, where part of our time is spent in the real world and the rest in the virtual one. This technological advance, which has brought many improvements to our day-to-day lives and many incredible discoveries, has also exposed us to a new set of risks and challenges.

The insurance sector has not been oblivious to this evolution. In fact, cyber represents a fast-growing market. According to Forbes in 2021, the cyber insurance industry wrote $10 billion in premiums (compared with $600.000 in 2010). As for the future of the industry, the Swiss Re Institute has projected that the cyber sector will grow 20% annually, reaching $23 billion in underwritten premiums by 2025.

The International Association of Insurance Supervisors (IAIS) has confirmed this pattern of growth in its recently published Global Insurance Market Report (GIMAR). In particular, it attributes this growth to “the higher frequency and severity of cyber-attacks, a greater cyber-attack surface as a result of digitalisation and remote working policies, and a riskier cyber landscape [which is] expected to continue to push demand for cyber coverage to record levels” (GIMAR special topic edition, 2023).

Among the many conclusions offered by the Report, the following stand out:

  • regionalisation of the market (“71% of the premiums were underwritten in the Americas, 29% in Europe and Africa, and less than 1% in Asia and Oceania”);
  • key role of reinsurance (“40% of all global cyber premiums flowed to the reinsurance market. This compares to 25% of non-life premiums”); and
  • risk of lower profitability of cyber insurance compared to the overall non-life business insurance.

Furthermore, we are of the opinion that technological evolution poses a greater challenge to the industry because the effects of a single attack can spread all around the world. In particular, some of the challenges associated with this new line of business could be:

  • Risk delocalisation and an increasing number of claims that are catastrophic in nature. Cyber is, by its very nature, a decentralised and interdependent environment. As such, a company in Spain may be affected by an attack launched from a distant country. For instance, the “NotPetya” incident, which many believe was launched by the Russian military services against Ukraine, resulted in an estimated $10 billion in losses, rendering applications and end-user devices inoperable at numerous entities unrelated to the conflict, such as Mondelez, a food manufacturer.
  • This delocalisation may result in an increase in incidents. According to JUMPSEC, a leading cyber security consulting firm, “the US financial crimes agency (FINCEN) reported the cost of ransomware alone increased from $416 million in 2020 to reach almost $1.2 billion in 2021”. The increase in costs and occurrence has led leading figures in the market to cast doubt on the sustainability of the sector. As the CEO of Zurich, Mario Greco, told the Financial Times, “what will become uninsurable is going to be cyber”.
  • Hybrid realities, which may be difficult to ascertain, will challenge the traditional underwriting model. Realities such as cyberwarfare or hacktivism, which are of a mixed nature, complicate the scoring process. This complexity often leads to a mismatch between needs and coverage, and to stricter templates. According to Bob Ackerman, founder of Allegis Cyber Capital, “rising premiums and excessively restrictive coverage leave companies—especially small-to-midsized organisations—unable to participate in this essential market” (Making Cyber Risk Insurable: Disrupting the Cyber Insurance Industry in 2023, Forbes). At the same time, Artificial Intelligence has rendered moot the traditional rules for factoring incident probabilities and scoring risks.
  • Legal uncertainty, because the new insurance forms remain largely untested before the Courts. For instance, last year, the New Jersey appellate division issued a landmark cyber insurance decision stemming from the 2017 NotPetya malware attack. In particular, Merck & Co was awarded $1.4 billion thanks to the interpretation of the “act of war” clause. In this case, the Court stated that a war-like action requires the use of armed forces, denying the clause's application to the 2017 attack.

How is the insurance sector handling this new shift?

According to the data offered by GIMAR, the insurance sector is adjusting its exposure to cyber in many ways. For instance, by applying “affirmative coverage risks mitigation strategies” such as reducing policy limits (84%), increasing deductibles (64%) or making terms and conditions contingent on IT risk controls, e.g., multi-factor authentication (48%). At the same time, about 64% of insurers provided cyber advisory services, either as part of the policy or as an add-on, to shore up the insured’s capabilities.

Special attention should be paid to the importance of cyber hygiene (i.e., the implementation of best practices in the use of cyber assets) as a prerequisite for coverage. We believe that this precondition would lead to a virtuous cycle which will improve our network resilience. As an example of its importance, one may consider the Cybersecurity Certification Scheme introduced by Singapore’s Cyber Security Agency “to promote cyber hygiene measures with a view to partnering with the insurance industry to encourage the adoption of cyber insurance” (see page 21 of GIMAR’s report).

Another way to avoid the crippling effect that these systemic risks may cause is to exclude such incidents from insurance policies. That may explain why an insurance powerhouse such as Lloyd’s will require insurance operators to include exemptions preventing the coverage of “state-backed” incidents.

In conclusion, taking into consideration that cyber is still in its infancy, we do find that insurance will have a leading effect on the evolution towards a new cyber culture which will enhance our resilience against cybercrime and improve the digital environment. The rapid distribution of this type of product will generate economies of scale that will lead to a higher insurance penetration rate.

At the same time, the need for higher cyber-standards will increase our cyber-culture, resulting in a stabilisation in the medium term of the number of declared incidents, which will rein in costs and increase profitability.