AM Best: With Cyberattacks Becoming More Complex, US Cyber Market to Remain Hard
Rate increases are driving a large part of the premium growth and are expected to continue to rise through 2022.
- August 2022
OUT OF GAS: Fuel reserves in North Carolina were depleted after the Colonial Pipeline was shut down by a ransomware attack in 2021.
Editor's Note: The following is an excerpt from the Best's Market Segment Report: US Cyber: The Hardest of the Property/Casualty Markets. Visit www.ambest.com to access the full report.
Cybercrime, in the form of high-profile attacks on educational institutions, hospitals, and other establishments, garnered significant headlines throughout 2021. These attacks, most notably the Colonial Pipeline ransomware hack in May 2021, underscore the urgency of addressing cyberthreats, which require brokers, underwriters, managing general agents, and customers to work together, along with some legislative and regulatory involvement. Despite the ongoing growth in cyber claims in 2021, cyber insurers' underwriting performance still improved, due largely to strong rate increases, which exceeded 30% in the fourth quarter. The segment also benefited from an overall decrease in cost-containment expenses.
Cyber insurance originated as a liability cover; insureds were covered for third-party claims when hackers stole clients' or employees' personal data. In recent years, however, first-party claims or ransomware have become dominant. Should insurers pay ransomware? Does paying the ransom encourage bad actors? The majority of respondents to an audience poll conducted at AM Best's Review & Preview conference in March 2022 believe that, yes, ransomware should be covered because it is an important value for the clients. The rising frequency and severity of ransomware attacks suggest that insurers need to be more proactive with their clients' cyberrisk profiles to prevent these incidents.
Cyber exposure may exist through general liability policies or property policies as “silent cyber”—cyberrisk that was unintended or unpriced for. For example, Merck's claim in the 2017 NotPetya attack represents just that: a cyberattack leading to a claim on a property policy. This begs the question: Can silent cyber be eliminated? A slight majority of the respondents at the Review & Preview conference believe that “No, it can never be completely eliminated.” Even most of those who believe silent cyber could eventually be eliminated think there is still a long way to go. Insurers need to be aware of potential silent cyber exposures in any commercial policy, including general liability, property, and other casualty covers.
Severe Impact on Institutions
Institutions are particularly vulnerable to ransomware attacks. Lincoln College in Illinois has closed its doors permanently because of an attack on its systems. Hospitals and government institutions are also high on cyber criminals' lists of potential targets—and Russia's invasion of Ukraine has sparked further worries about potential attacks on government institutions. An attack on a single government institution could have a far-reaching impact, as the May 2022 attack in Costa Rica by the Conti ransomware group showed. The NotPetya attack demonstrated that what might be intended as a local attack can quickly spread and cause extensive collateral damage. Because of the lack of geographic or political boundaries for these attacks, insurers are focusing on what cyber protections their insureds have in place—as well as what services they can offer to strengthen those protections.
Cyber DPW Continues to Grow
Cyber direct premiums written have grown steadily since they were first reported in 2015, doubling in the five years from 2015 to 2020 and rising 75% in 2021. The growth was strongest among standalone cyber policies, which were up 95%. Standalone policies have always accounted for a majority of the cyber premium but rose from 60% to 65% of all premium in 2021. Rate increases drove a large part of the premium growth; we expect rates to continue to rise through 2022. The number of policies in force also grew, mainly standalone policies.
Cyber growth is far outpacing that of the overall property/casualty industry. Some of the growth is being driven by the overall hardening of commercial insurance prices owing to inflation fears, fallout from the pandemic, and general weakening of the investment market. However, the pandemic also brought to the fore the change in work environments and a greater need for cyber protection, in both company defenses and cyber insurance.
Claims Are Up
Through 2018, the majority of cyber-related claims were on packaged policies. However, that changed in 2020, and claims on standalone policies are now the majority—and growing. Standalone policies, with a much smaller share of the overall policy count, are more often subject to claims. These policies are usually purchased by more sophisticated clients with more data and more financial resources.
First-party ransomware claims are also growing, both by number of claims and as a share of total claims. Cyber insurance started mainly as third-party coverage to protect against cybercriminals stealing and selling client data. But criminal behavior has shifted in recent years, from stealing data to holding operations hostage. The growth in cryptocurrencies, which are difficult to trace, and the immediacy of payments make ransomware much more attractive for a criminal enterprise.
Additionally, the number of claims on standalone first-party policies has grown by an average of 38% over the past five years, compounded by worsening severity as well as the growing sophistication of ransomware criminals—owing to their awareness of victims' financial wherewithal to optimize their ransomware demands. However, claims frequency as measured by policy count seems to be dropping, although the exposure base for cyber policies is inconsistent.
Who's Insuring Cyber?
Chubb remains the largest writer of cyber insurance by premium, while Fairfax has become the second-leading insurer overall and the leading standalone writer, surpassing XL Reinsurance America. Berkshire Hathaway's acquisition of Alleghany will place the combined group among the top 10 cyber writers. Hartford writes the most cyber insurance policies, outpacing the next three largest writers (Berkshire Hathaway, Farmers Insurance Group, and The Cincinnati Insurance Companies) combined. Definitions of standalone and packaged policies appear to be open to interpretation, and there is ample room for clarity.
The chart below shows each group's underwriting expense ratio estimated by using the group's own underwriting expense ratio for Other Liability–Claims Made business as reported in the Insurance Expense Exhibit (IEE). Based on this estimate, the aggregate combined ratio of the top five insurers by premium exceeds 100. Even more concerning, actual underwriting expenses may be even higher than the overall line. Services provided during the underwriting process—evaluating cyber defenses in place, assisting in upgrading cyber defenses, and warning clients when threats are detected—all drive up underwriting expenses. In light of the high combined ratio, further rate increases in the segment are likely, though we expect the size of the rate increases to moderate.
US Cyber Insurance – Top 20 Insurers – 2022 Edition
Ranked by 2021 total standalone and packaged cybersecurity direct premiums written.
|% of Cyber DPW
||Chubb INA Grp.
||Fairfax Financial (USA) Grp.
||XL Reinsurance America Grp.
||Tokio Marine US PC Grp.
||American International Grp.
||Beazley USA Insurance Grp.
||CNA Insurance Cos.
||Arch Insurance Grp.
||AXIS US Operations
||Zurich Insurance US PC Grp.
||Liberty Mutual Insurance Co.
||Sompo Holdings US Grp.
||BCS Financial Grp.
||Hartford Insurance Grp.
||Munich-American Holding Corp Cos.
||Swiss Reinsurance Grp.
||Alleghany Corporation Grp.
||W. R. Berkley Insurance Grp.
||Berkshire Hathaway Insurance Grp.
||Total P/C Industry
Cyber Data on Captives Is Limited
With cyberattacks becoming more complex due to the seemingly never-ending pandemic, and the invasion of Ukraine (among other factors), we expect the cyber market to remain hard for some time. The hardening market and a lack of capacity has made captives an attractive risk management option for corporations. Given their flexibility, captive insurers can customize policies that can mitigate the growing threat of these attacks. As a result, parent organizations can more quickly assess the damage and devise a plan of action toward recovery.
Sufficient and reliable cyber data for captive insurers does not exist. With the exception of most risk retention groups, captive insurers do not generally file with the National Association of Insurance Commissioners; their filings are either audited GAAP/IFRS filings or via the shorter versions of statutory filings required by the governing jurisdiction, which do not require insurers to provide data as in the NAIC Cybersecurity and Identity Theft Insurance Coverage Supplement. However, many captive domiciles have shown interest in having captives provide this level of detail, which will improve future transparency.
Parent companies or individual members of group captives typically secure such coverage from the commercial market. Given the premium increases in recent years, captive insurers are conducting detailed feasibility analyses and due diligence that will allow them to include at least a manageable layer of cyber coverage for their parents. The parent companies spend millions of dollars on their IT security systems and infrastructure every year, training their staff and requiring strict adherence to cyber policies and procedures from their employees as well as third-party service providers. Given the proximity to their parents (physically, culturally and enterprise-wide), captives can be used as a strategic tool to provide cyber coverage.
RRGs and group captives aim to provide their members with a full menu of policy options that include cyber coverage—albeit manageable and limited. Both pure and group captives must understand and appreciate the great complexity that cyber poses and conduct detailed underwriting and risk management on the policies that they would offer. In other words, simply a hard commercial market should not be the main reason to transfer the cyber exposure to the captives.
In 2021, based on NAIC data, RRGs wrote approximately $19.0 million in cyber premiums with limited coverage ($50,000 to $250,000). However, some pure captives are writing multimillion-dollar limits and premiums. Captives are using third-party technology and forensic cyber consultants to help with underwriting, with regular monitoring of the parent's cybersecurity policies, procedures, and testing.
Growth of Cyber MGAs/MGUs
In recent years, many cyber managing general agents and managing general underwriters have created their own captive or specialty insurers. By doing so, these entities retain a share of each risk they underwrite, fueling additional growth while demonstrating their long-term commitment to underwriting a profitable and sustainable book on a global scale. MGAs and MGUs benefit from working closely with their policyholder and insurance brokers. As a result, they are able to recommend measures for policyholders to improve their cyber profiles and practices, while they work with brokers to create customized coverage. At-Bay, Coalition, Corvus, Cowbell, and Resilience are prominent entities in this area.
Comprehensive Risk Management Strategies Are Paramount
Given the growing complexity of cyberrisk, cyber insurance is becoming a critical element of businesses' risk management strategies. As an important part of the ecosystem, insurers will need to develop clear risk appetite guidelines for how much cyberrisk to assume and limits on the nature of the risks underwritten by industry, geography, size of the insured, etc. Underwriting practices need to be clear on a number of risk controls: using multifactor authentication, securing open ports, patching policies, accessing controls, training, etc. MFA has become a minimum necessity for obtaining cyber coverage.
Cyberrisk modeling is improving as more data becomes available, and threat vectors are being modeled with stochastic simulations of frequency and severity scenarios. However, these are not anywhere close in maturity to natural catastrophe models, such as those for hurricanes. In addition, there has not been a real-world test of these models, which makes validating them a challenge. Questions such as “What does a 1-in-100 cyber event look like?” are still hypotheticals. Nevertheless, there is value in modeling since the process of validating assumptions, parameterization, discussion of results, and comparison of events will give insureds—and underwriters—a better understanding of the risks. Insurers can use these models to measure their exposures against their appetites and to determine capital allocations and reinsurance strategies.
Regulators around the globe—not just the NAIC—should consider requiring that insurers break out cyber metrics in their financial statements, which will do much to improve accuracy and consistency of these metrics. It will also enable stakeholders to analyze trends and profitability and to develop best cyber practices for a healthier marketplace.