The cyber insurance market is in the middle of its first real profitability challenge. Despite an increase in attritional losses in recent years, insurers are continuing to offer meaningful cyber solutions. The priority now is to facilitate conditions for sustainable growth for a line of business that continues to be of high strategic relevance to the whole insurance industry.
Since 2018, each underwriting year has been developing less favourably across the market than the previous one. Ransomware attacks continue to be the primary loss driver. Despite the efforts of the cyber security industry – and more recently, the growing involvement of governmental bodies – to curb these attacks, there is no apparent end in sight.
Furthermore, cyber is a systemic line of business with the potential for significant aggregation of losses. While a catastrophic event is yet to materialise, the potential for such losses clearly exists, and insurers need to reconcile short-term profitability with long-term sustainability.
To continue on its path towards maturity, the cyber market must focus on three important challenges to achieve sustainability: ensuring profitability over the cycle; managing systemic risk by coverage design; and improving underwriting and risk intelligence through data.
The profitability challenge
Data from the market has shown many portfolios have followed a similar trend of deteriorating profitability over the course of the past years, mainly driven by ransomware losses. The insurance industry has responded with a range of measures, the effect of which – because of the nature of the insurance business – cannot yet be said to be sufficient to counterbalance the loss trend. This makes for challenging market conditions for insureds, insurers and reinsurers. From a reinsurer’s point of view, the current treaty renewal season will be characterised by achieving a clear understanding on the remediation measures taken and their likely effectiveness.
This challenge to profitability is new to the cyber market. The years before 2019 saw consistent profits for the young but growing cyber market. However, absent any major catastrophe-type losses, it has often been overlooked that profits were generated by a pure “ex cat” loss ratio. To determine how adequate these profits actually were, one needs to take into account a “normalised for catastrophe” performance, similar to property.
While we are yet to see a truly catastrophic event for the cyber market, a number of arguable near misses in 2020-21 (for example, SolarWinds and Kaseya) should remind us of the potential for large-scale losses, so in addition to addressing the ransomware trend, the catastrophic potential also needs to be catered for to achieve an adequate level of risk-adjusted profitability.
A proper assessment of catastrophe loss expectation for cyber is still challenging given the development of accumulation models and the limited experience of large-scale losses. Notwithstanding, it is already clear that cyber needs to achieve profitability levels that are commensurate for high-volatility business, driven in particular by the potential for significant catastrophic losses.
It also means the achieved profits can only be compared against more established and less volatile lines of business on a “normalised for catastrophe” basis. We must ensure the market remediation continues towards reaching a level where returns are sufficient to compensate for the uncertainty and volatility.
Better understanding and modelling of systemic risk is the key to unlocking more capacity for buyers of cyber insurance. Models will need to mature, but importantly cannot replace direct underwriting action to control the accumulation risk. In this respect we see a clear and increasingly more urgent need for cyber insurance products, coverages and underwriting approaches to evolve for the market to achieve its ambition to continue to grow.
A key part of analysing systemic risk is clearly identifying where to draw the line between insurable and uninsurable sources of risk. Uninsurable risks with potentially catastrophic consequences for the whole market – like cyber war – need to be very clearly excluded. Where considered insurable, other systemic exposures need to be underwritten on a knowing and conscious basis.
To this end, one viable option is to better distinguish between non-catastrophic and catastrophic events in cyber policies. Providing the latter as a compartmentalised coverage extension would follow the established practice of the property market where risk accumulations are identified on a policy level to manage, quantify and explicitly price for the exposure. Consequently, this would also allow insureds to make a more informed and conscious decision about their coverage selection in the context of a broader risk management strategy.
The data challenge
To date, the data captured during the underwriting process does not provide the necessary transparency for future-proofing cyber risk underwriting. Risk transparency across the value chain from the original insured to the reinsurance market and beyond is still sub-optimal and hinders the development of the market.
To enable cyber to reach a more mature level, we need to place an increased value on receiving meaningful data that allows for more in-depth, and frequent analyses than in the past. This is necessary in the short term to be able to appraise the progress of any re-underwriting measures on profitability.
Longer term, it means being able to assess performance and portfolio data in such a way that all insurers have full transparency over their accumulation exposure and allow the market to better respond to new developments.
Our conversations with clients will become much more data-focused with the emphasis on what data the industry should be capturing. Not only will this development enable a greater level of transparency about underlying risk profiles, it will also ensure the market is better equipped to respond to new and emerging loss trends, in a way that was arguably not possible with ransomware.
There has never been a more critical time to “future-proof” the cyber line of business. By addressing the above-mentioned challenges, the cyber market can achieve its goal of becoming a sustainable long-term offering that is indispensable for businesses to mitigate one of their key enterprise risks.Published in Insurance Day on 28 November