The cyber insurance market has dramatically shifted in recent years. At its infancy, the cyber insurance market was “soft” as there were relatively little to no claims. This attracted many new insurers which, in turn, increased available capacity, drove down premiums, and broadened coverages for many years. However, today’s cyber insurance market looks very different compared to a few years back. This is being driven by a significant increase in cyber incidents across the world. 

On a global scale, cybercrime costs are expected to grow 15% per year in the next five years, reaching $10.5 trillion annually by 2025 according to Cybersecurity Ventures.¹ Ransomware-related events have unquestionably been the largest driver of losses and it does not appear that will change anytime soon. Ransomware attacks continue to increase, with downtime cost often being as great as the ransom paid, averaging $283,000.² Overall, the average cost of a data breach globally was $3.86 million in 2020.³

Although the major losses are still centred in the European and U.S. markets, Asia is experiencing a noticeable increase in overall cyber claims. For example, APAC had 1.7 times higher than average malware encounter rates for ransomware attacks than the rest of the world.⁴ A recent analysis showed that 47% of all ransomware attacks got in through Remote Desktop Protocol (RDP).⁵ Shifts in global strategy regarding cyber coverage have also directly impacted the Asia cyber market.

From a global and regional perspective, we are clearly in a rapidly hardening cyber market. While that traditionally has a negative implication for brokers and insureds, there is reason to look at the cyber market through a different lens. That includes taking a broader, longer-term view of the possible benefits to insurers/reinsurers, brokers, and insureds.

Given the major cyber incidents of the last few years (e.g., WannaCry, Ryuk, REvil) there is little question about the criticality of cyber insurance for businesses of all sizes. This reality also reinforces the need for a correction in cyber pricing and terms and conditions — especially important to sustaining future growth. It is reasonable to believe that as the exposure of what insurance companies are ultimately covering increases, the risk selectivity and rating for risks also sharpens to adapt to the changes in circumstances.

Ultimately, changes driven by insurers will enable them to better recover from the relatively sudden increase in losses and help ensure a sustainable strategy for continuing to sell cyber insurance products. In addition, while insurers traditionally have to concede points to write business in a soft market, they now have an opportunity to sharpen their strategy and risk appetite and showcase their expertise and experience in the cyber space to differentiate themselves.

A shortage of capacity and tightening terms can present challenges to client relationships. The relative “youth” of cyber insurance comes with a lack of standardization across markets and insurers. Rapidly changing cyber exposures also make it a product line with a fast evolution of coverages and offerings. As a result, brokers have a major challenge to be fully aware of the differential in coverages and nuances among various cyber insurers (e.g., the type of incident response providers on an insured’s panel to ensure competent incident response).

Brokers can leverage this as an opportunity to showcase their important role, as insureds increasingly rely on them to help better understand changes in the market and their cyber policy that can directly impact their programs. Another positive: the days of having to pitch cyber insurance to insureds multiple times are gone, as media attention around cyber threats is at an all-time high. In fact, inquiries will only continue to increase, expanding opportunities for brokers. 

While the reality is that insureds will be impacted by premium increases and changes to terms, reduced capacity as well as more scrutiny from insurers, there are positives. Insureds will be required to assess their cyber security posture more realistically, as underwriters require greater transparency and detail in this environment of escalating loss and threat. This sets up a unique win-win opportunity: Insurers have a more receptive environment to consult with insureds, helping them identify protection gaps. Insureds can then improve their risk profile if those gaps are addressed.

Ultimately, everyone shares the same goal: mitigating a cyber attack through better cybersecurity governance and investment in controls. Without these corrective actions, insurers could be forced to exit the market entirely due to large losses, reducing options for insureds in the long-term, along with contributing to less available capacity. Insurance is inarguably a necessity as a method of risk transfer for cyber exposure. Thus, sustainable terms for insurers are critical for insureds to ensure companies can provide risk transfer options in the future.

As cyber claims escalate, the importance of cybersecurity service providers has also increased, with incident response providers being at the top of this list. Higher demand will trigger more competition, driving up the quality of services by requiring providers to enhance their expertise, technology and talents. In addition, the increased involvement of these vendors in the insurance world, encourages more knowledge exchange which allows everyone to share their lessons learned.

Cybersecurity risk assessment providers will also have a growing role and value. Traditional underwriting by application may not provide sufficient information in the cyberspace going forward. Cyber risk requires a breadth of knowledge and an “outside-in” review of cyber risk. That is, the scanning of external elements such as open ports, patch status on external IP addresses, deduction of known vulnerabilities, and more will become increasingly prevalent in the service offerings of cyber insurance. Larger companies, of course, will require proportionately broader and deeper analyses of their cybersecurity exposure, including the use of cybersecurity consulting firms or risk dialogue with their insurers. 

All stakeholders in the cyber insurance “ecosystem” are dependent on each other at the end of the day. Achieving a balance where all parties can benefit is imperative. Cybersecurity is and should be at the forefront of priorities for executives, irrespective of cyber insurance. The current hardening market then serves an important role to catalyse positive change in the ecosystem that will ultimately lead to more resiliency and sustainability for all.

Each party in the ecosystem must focus on those things they can internally control – whether it is improving one’s cyber risk management, or requiring improvements in terms and conditions of a cyber policy to renew. External factors in the cyber world, such as cybercriminal activity, are unpredictable and uncontrollable. Therefore, if all stakeholders leverage the beneficial opportunities of this hardening cyber market, we can collectively create a more resilient ecosystem that can withstand unexpected external developments. The combination of sustainable insurance terms and conditions from re/insurance with increased risk transparency and cyber maturity driven by cyber service providers, brokers, and the insureds will foster innovation, further driving solutions outside of the current borders of insurability.

Realistically, when it comes to cybersecurity, the target will be forever moving. Our collective, constant vigilance and adaption will be key to ensuring that one and all benefit from the highest caliber of cyber risk management. 

¹  https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
² https://purplesec.us/resources/cyber-security-statistics/ransomware/
³ https://www.ibm.com/security/data-breach.
⁴ https://www.munichre.com/topics-online/en/digitalisation/cyber/asia-pacific-cyber-incidents-in-    2020.html
⁵ 2020 Ransomware Attack Trends in Asia Pacific – Beyond the Ransom (kroll.com)
⁶ Cyber insurers hike rates, tweak coverage as loss ratio rises again in '20 | S&P Global Market Intelligence (spglobal.com)