What A.M. Best Says
Special Report Focuses on Cyber Insurance
Best's Special Report (Excerpt): Cyber Insurance Market: Stress Testing the Future (August 20, 2018)
- A.M. Best Company
- October 2018
The accelerating speed of technological advances is foundationally changing business processes, supply chains and delivery mechanisms across a plethora of industries: health care, university systems, entertainment, transportation and financial services. Both the accumulation of data and the technology using the data have become significantly more sophisticated, but the controls for data infrastructure and security haven't caught up. There is no amount of money a company can spend to keep itself 100% secure, so insurance is a natural complement to loss mitigation efforts, to provide a financial backstop in the event of a loss. The insurance industry has traditionally been slow to respond to technological innovation, but finds itself in a unique position managing this emerging risk as it relates to its own business as well as those of its policyholder customers.
Cyberrisk differs from many other insurance risks owing to a lack of actuarial data, rapid evolution, broad operational scope involving people, process and technology, and the potential for an active adversary. The idiosyncratic nature of this risk is difficult to estimate and clearly expanding, with recent significant losses for a host of the largest companies in the world, including Target, Home Depot, J.P. Morgan Chase, Equifax, Anthem, Yahoo and Sony.
Idiosyncratic risk can be managed through diversification, risk limits and prudent underwriting, but cyberrisk presents a systemic aggregation challenge as well. Malware such as NotPetya or interruptions to key service providers such as the DDoS attack on Dyn DNS could affect multiple insureds, causing an aggregate loss to insurers. Insurers are conservative with regard to insuring cyberrisk, and their approach to cyber underwriting has therefore been a measured one: They have allocated a very small percentage of their overall insurance portfolio to cyber, with typical allocations of premiums of less than 1%. In addition, the limits offered on cyber insurance have been rather low compared to well-understood risks such as property catastrophe risk to prevent significant individual company losses. As the cyber insurance market grows, carriers will likely retain larger amounts of the risk through underwriting operations. Additionally, the implications of cyberrisk for insurers extend beyond the affirmative cyber insurance market. Cyber events can also cause silent cyber losses, where policies written to protect against other types of losses such as property, directors and officers, and errors and omissions find coverage from an event caused by a cyberperil. In addition to the exposure insurers face from their underwriting operations, insurers are also exposed to direct exposure from their business operations, which are heavily dependent on IT systems for high availability and high security transactions that are required for good customer service and building trust and reputation in a crowded market.
Given the incredible growth and dynamic state of the affirmative cyber market, A.M. Best, in conjunction with Guidewire's Cyence Risk Analytics team, conducted a stress test on the top 20 cyber insurance providers as of 2016 (Exhibit 1), to examine the potential implications of a cyber catastrophe incident. These insurers include some of the largest carriers globally and may have the largest cyber exposures, given their significant market share in the growing coverage area.
We chose to project the cyber insurance market to 2022, to allow for a steady state portfolio to emerge. Given that the cyber insurance market is in seemingly constant flux, a longer-term forecast would be subject to considerable uncertainty.
For this exercise, we averaged historical industry growth rates and forward projections by a number of industry sources and settled on an annual growth rate of 28%. This may be conservative, as cyberrisk costs the U.S. economy over 1% of gross domestic product, or nearly $800 billion annually, and the cybersecurity marketplace is well over $100 billion. Among the drivers that are specifically relevant to the continued growth of the cyber insurance market are the following four:
Small to medium-size businesses: Estimates of cyber insurance take-up rates for SMBs range from 5% to 25%. The NAIC's 2017 data identifies roughly 2 .5 million cyber policies in place in the U.S.—only around 8% of the 29.6 million businesses estimated, according to 2014 data from the U.S. Census Bureau. According to Advisen, between 2011 and 2015, the take-up rates for the SMB segment grew more rapidly than for any other revenue segment, and there is still significant room for growth. Several market leaders such as AIG, Liberty Mutual and Hartford have indicated their intention to focus on the SMB market.
Expanding industry segments: In an increasingly interconnected and digitally reliant world, cyberrisks are present in multiple forms for all industries. Today's cyber policy structures have responded to this need through versatile structures that are able to cover a range of exposures, including first-party data breach costs, liabilities, cyber extortion and business interruption. Additionally, brokers can often customize coverage to address gaps in traditional cyber policies and conventional lines like crime or property, which helps drive adoption in industries like manufacturing and utilities.
International: U.S.-domiciled organizations constitute an estimated 90% of all cyber insurance gross premiums written (GPW) today. This differs significantly from other P/C coverage lines, for which the U.S. accounts for only 40% of GPW. The U.S. cyber insurance market took off as data breach notice and other privacy laws were implemented which highlights the tangible costs associated with data breaches. Such regulations are now proliferating globally; they have either already been established or will be in the near term in Canada, the European Union, the U.K., and Australia, among many others.
Increasing limits, exposure, and pricing: According to Marsh, which has published limit trends for all of its customers from 2012 to 2015, the average growth in limits during this period was 15.8% annually. Extrapolating to Dec. 31, 2022, we expect a company's average limits purchase will double. The Marsh Global Market Insurance Index has tracked rate changes for cyber insurance policies since 2012 and shows an average annual rate change of 5.2%, which contrasts markedly with the U.S. casualty insurance's average renewal rate of -0.6% over the same period.