What A.M. Best Says
A.M. Best Report Examines Cyber Insurance
Best’s Market Segment Report: Cyber Insurance Market Sees Steady Growth but Still Awaiting a Real Growth Spurt (Excerpt) (May 18, 2018)
- A.M. Best Company
- July 2018
Best's Market Segment Report: Cyber Insurance Market Sees Steady Growth but Still Awaiting a Real Growth Spurt (Excerpt) (May 18, 2018)
Cyber attacks were once again in the spotlight in 2017, with increasing frequency and severity. The WannaCry and NotPetya ransomware attacks and the
Equifax data breach received significant media attention and affected millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks. Also, in October 2017, Yahoo updated its 2013 data breach tally from 1 billion to all 3 billion of its accounts, potentially making this the largest, most extensive cyber breach ever recorded.
These events highlight the vital need for cyber insurance, but the market is bifurcated. On the one hand, national accounts and Fortune 500 companies seem to be embracing the need to partner with insurers and brokers as a way to counter cyberrisks. Financial institutions and health care companies are acutely aware of their cyber exposures and are increasing their coverage. Average policy limits are rising, with some of the largest companies’ coverage towers above the half-billion dollar mark. On the other hand, the take-up rate for small to medium-size enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth. In 2017, cyber-packaged policies in force increased 28%, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but this is still something of a fledgling business, and an increase of this magnitude, while material, does very little to close the protection gap. However, interest from SMEs does seem to be gaining traction, and capacity from insurers is ample.
In the short term, despite the inherent challenges in managing aggregations and pricing, we believe the cyber insurance market presents a positive opportunity for insurers. Demand is expected to grow due to the accelerating adoption of technology and the increasing awareness of cyber risks, especially among SMEs. Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the overall exposure of the P/C industry to cyberrisk to be lower than its exposure to more mature risks. However, this not does not preclude the possibility of individual insurers becoming outliers to systemic cyber events due to unexpected loss creep from silent cyber events if these insurers fail to manage cyberrisks prudently. Cyberrisk still has many unknowns and will continue to rapidly evolve.
As insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to ensure that these exposures remain aligned with the company’s risk tolerances and appetites. The extent to which an insurer grows its cyber business should also lend to a broader understanding of this relatively new risk and a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a key factor when insurers provide information to regulators, other stakeholders, and their A.M. Best analytical team.
Plenty of Room for Growth
Cybersecurity insurance experienced significant growth in 2017. Total cyber direct premiums written (DPW) grew almost 32%, and policies in force, 24% (Exhibit 1). Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks under two assumptions: that hackers target only bigger businesses such as Target or Home Depot or that they already have coverage under another policy when they might not. However, this sentiment and tepid interest in cyber insurance among SMEs may be changing, in light of the near daily reminders of cyber threats, attacks, and breaches feeding social media. Pricing is another factor, as more business owners see the cost benefits and also realize their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers. A data breach is only one factor in cyberrisk, however—many SMEs may be underestimating business interruption risks, and the impact on smaller enterprises of business interruption could be much greater, as they may not be as resilient or diverse as national account clients.
According to The Council of Insurance Agents & Brokers’ (CIAB) Fall 2017 Cyber Survey, the cyber insurance take-up rate was just 31%. However, cyber exposure is expected to grow significantly in the coming years, and so too will opportunities for insurers to provide solutions for these risks.
Stand-alone cyber insurance grew significantly in 2016, but in 2017 there was a large uptick in packaged policies (Exhibit 2). In 2016, A.M.
Best viewed the increase in stand-alone policies as positive, commenting not just on the expected cost and expense reductions in litigating disputed claims, but also on the more specific and defined policy language focused on the prevalent types of attacks. With the move back to packaged policies, we expect an uptick
in cost and expenses related to claims handling. In recent years, many companies have expanded their CPP and BOP offerings by adding cyber endorsements,
as standardized cyber forms have become more widely available. This has led to an increase in packaged cyber policies to 2.5 million in 2017, from 1.9 million in 2016, with a little over half of these policies featuring occurrence coverage triggers. Some of the growth can also be attributed to companies reclassifying policies for financial reporting purposes, as well as companies adding affirmative cyber coverage to policies, so the actual increase in policies may be overstated. In contrast, stand-alone policies declined 32%, with most of these policies likely being businesses migrating to less expensive packaged policies.
Access the complete report