Manuel Adam, Frankfurt, manuel.adam@spglobal.com
Koshiro Emura, Tokyo, koshiro.emura@spglobal.com
Published Aug. 29, 2023
The global cyber insurance market has recently returned to profitability following two years of rate increases and tightening terms and conditions.
Annual premiums reached about $12 billion at year-end 2022, and are likely to increase by 25%-30% per year to reach about $23 billion by 2025.
S&P Global Ratings' survey of global multiline insurers and reinsurers suggests that growth in cyber insurance will depend heavily on reinsurance to provide capital and manage accumulation risk.
Positively, our analysis of cyber exposure data suggests that global multiline insurers and the largest reinsurers could withstand a direct cyberattack on their own operations with no material effect on their capital.
Cyber insurance is still the fastest-growing subsector of the global insurance market. Global cyber insurance premiums reached about $12 billion in 2022, and in S&P Global Ratings' view, are likely to increase by an average 25%-30% per year to about $23 billion by 2025. Cyber insurance relies to a great extent on reinsurance protection, and we believe reinsurers remain critical to the sustainable growth of the market.
The opportunities for reinsurers and insurers (re/insurers) are clear, but how much of an underwriting risk does cyber present? To find out, we surveyed global multiline insurers (GMIs), large primary insurers, and reinsurers underwriting cyber re/insurance to assess market growth, profitability, risk appetite, and the types of reinsurance offered.
Insurers and reinsurers are not immune to cyberattacks on their operations, and any service disruptions or data breaches will likely affect their bottom lines and potentially their capital positions. To better understand the impact, we analyzed cyber exposure data from cybersecurity specialist, Guidewire, using its Cyence cyber risk model. We found that, on average, GMIs and the global reinsurers we rate could withstand a direct cyberattack on their organizations, with a limited impact on capital. However, a direct cyberattack could hit the earnings of some insurers significantly.
Although we have taken only a modest number of cross-practice rating actions, and no rating actions on insurers, because of cyber risk to date, organizations' increasing dependence on technology and global interconnectedness mean the risk remains elevated. Our analysis of cyber incidents among insurers we rate illustrates the mounting likelihood of a more significant impact on these companies' business and financial profiles in the future.
Should a re/insurer aggressively expand in the cyber risk market without the requisite expertise, that could change our assessment of its risk exposure, especially if we believe the higher exposure could lead to volatile capital and earnings. That said, building a strong ecosystem of internal and external cyber-related expertise early on may lay the foundations for an improved competitive position and stronger profitability. Therefore, we closely monitor rated re/insurers' expansion in this area and how they deal with the challenges and potentially large losses associated with insuring and reinsuring cyber risk.
Cyber also presents an operational risk for re/insurers, given the huge amount of sensitive data they handle. We could change our assessment of a re/insurer's governance framework if we observe insufficient cyber risk management, including potential inability to identify and detect cyber risks, a lack of prevention measures, and an inadequate cyber-claim response strategy. We incorporate our view of a re/insurer's cybersecurity into our overall assessment of risk management, looking at how the entity prepares for, responds to, and recovers from cyberattacks.
The frequency and severity of cyber claims, especially those involving ransomware attacks, have undermined the market's profitability in recent years. In response, re/insurers have reduced their exposure, increased rates materially, and tightened policy wording. Consequently, much of the recent increase in premiums was due to substantial rate increases, rather than underlying growth in the size or volume of contracts.
However, we believe the industry will need to encourage more sustainable underlying growth that is not largely led by rate increases. This growth will depend heavily on market participants addressing systemic cyber risk, more insurers providing coverage with the support and expansion of the reinsurance, retrocession, and insurance-linked securities markets, as well as more small-to-midsize enterprises purchasing cyber insurance.
If the industry acts to encourage more sustainable underlying growth, we expect global cyber insurance premiums to increase by an average of 25%-30% per year to about $23 billion by 2025 from $12 billion in 2022 (see chart 1).
In the primary cyber insurance market, Latin America and Asia-Pacific have seen the highest premium growth rates in the past five years (see table 1). The cyber insurance markets are larger and more mature in North America and Western Europe, which explains the lower growth rates in these markets.
Table 1 | Historically high growth rates underscore the dynamic development of cyber (re)insurance premium
| Gross premium written growth (%) | CAGR 2018-2022 (%) primary insurance | CAGR 2018-2022 (%) reinsurance |
|---|---|---|
| North America | 35.2 | 55.7 |
| Europe, Middle East, and Africa | 35.4 | 63.2 |
| Asia-Pacific | 51.2 | 43.4 |
| Latin America | 56.8 | 57.4 |
| Total | 36.2 | 58.0 |
CAGR--Compound annual growth rate. Data is based on our cyber insurance survey for global multiline insurers and global reinsurance groups. Source: S&P Global Ratings.
About 56% of gross premiums written (GPW) on affirmative cyber insurance--which explicitly covers cyber risk--are generated in North America; about 37% in Europe, the Middle East, and Africa; 6% in Asia-Pacific, and 1% in Latin America (see chart 2).
In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market. Cyber insurers use a significant amount of reinsurance. Primary insurers ceded about 50%-65% of cyber insurance premiums to reinsurers in 2022, depending on the region (see chart 3). The reinsurance market and, eventually, the retrocession market will therefore be extremely important in providing capital and capacity to support further GPW growth.
Reinsurers' expertise in underwriting and modeling is also helping to develop the market. In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focuses on risk differentiation, strong underwriting, and the provision of assistance services along the lines of prevention measures, crisis management, and data recovery.
Changes in claims patterns, the rise of cyber threats, and huge accumulation risk all create opportunities to increase reinsurance capacity. The number of reinsurers offering cyber coverage is rising in response.
Many reinsurers are nearing the limits of the amount of cyber exposure they can and want to handle. However, we don't expect the market to soften as it has for primary cyber insurance. This is evident from the reinsurance segment's higher rate adjustments so far in 2023. Reinsurers also need to regain underwriting profitability in their cyber portfolios.
Reinsurers had a difficult 2022 due to low profitability and even underwriting losses in their cyber portfolios. Their gross and net combined (loss and expense) ratios underperformed the primary insurance segment on average. The gross combined ratio was 107% and the net combined ratio 101% in 2022 for global reinsurance groups for the cyber business they reinsured (see charts 4 and 5).
We therefore expect more rate increases for cyber reinsurance business this year, as we have seen in the cyber primary insurance segment over the past two years. However, we believe primary cyber insurance underwriters can absorb the increases without passing them on to policyholders. This may be vital in the development of a sustainable cyber insurance market.
Primary cyber insurance rate increases have decelerated recently. According to the Council of Insurance Agents and Brokers, in the first quarter of 2023, the average increase in cyber insurance premiums fell below 10.0% for the first time in ten quarters (see chart 6). The increase was 15.0% in the fourth quarter of 2022 and only 3.6% in the second quarter of 2023, down from a peak of 34.3% in the last quarter of 2021. Besides increased competition as more carriers offer cyber insurance, this indicates the measures insurers have taken to reduce their exposure and increase rates have also helped them establish a better risk-return profile.
The primary cyber insurance segment's rate increases and tightening of terms and conditions to offset pressure from high claims frequency have paid off. In 2022, the gross combined ratios of global insurers in the primary insurance segment improved to 64%-87%, depending on the region, indicating solid underlying technical profitability (see charts 7 and 8).
However, we believe profitability will remain volatile due to the dynamic nature of the threat landscape. Furthermore, many insurers are still building their exposure to cyber insurance, optimizing their reinsurance structures, and diversifying and scaling their portfolios by region and industry to improve their risk-return profiles.
Rate fluctuations will arise from the emergence of new risk-differentiation models and cyber security standards, alongside improvements in cyber security systems. These underwriting techniques have become a mainstay of insurers' efforts to create what they deem to be sustainable cyber insurance products. In some cases, they have also led to the cancellation of contracts where policyholders have failed to meet security standards and thus provide an acceptable risk-return profile for insurers.
Insurers have also adjusted contract terms and conditions; increased retention levels, meaning policyholders retain more risk; and reduced coverage for specific types of loss, especially in relation to ransomware and business interruption coverage. Those changes partly stem from the significant number of insurers whose loss ratios increased sharply, mainly due to larger and more frequent ransomware-related claims in 2020 and 2021.
An unfortunate side effect of the price increases and tightening of terms and conditions over the past two years is the perception of cyber insurance being unaffordable, especially for small-to-midsize enterprises. That, in turn, has led some companies and government entities to eschew cyber coverage altogether. This course of action offers upfront cost savings, but it could also make recovering from a cyberattack more difficult.
So far, retrocession capacity for cyber reinsurers has been limited; total retrocession utilization is only 11% according to our statistics. Only a few large reinsurers have allocated capacity to this submarket. We understand this is because they wish to avoid a potential increase in accumulation and concentration risks across their cyber portfolios. In addition, because most retrocession offerings come from potential competitors in the reinsurance market for this line of business, reinsurers have hesitated to share underwriting and claims data with retrocessionaires. This has hindered the industry's ability to establish a comprehensive retrocession market.
In our opinion, the cyber re/insurance market would benefit from the development of a more comprehensive retrocession and insurance-linked securities market, supported by government risk pools (see "Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain," published Aug. 24, 2022, on RatingsDirect).
Most affirmative cyber insurance is still ceded via stand-alone proportional cover, most of which comprises quota share (87% in 2022; see chart 9). Despite the relative dominance of proportional quota-share reinsurance, the nonproportional market is also expanding in absolute terms. We see rising demand for event-based structures like aggregate excess-of-loss, aggregate stop-loss, and tail-risk occurrence cyber reinsurance, especially from larger players.
Large carriers provide most of the capacity for cyber reinsurance. We expect this concentration to fall in the next few years as more reinsurers enter the market, and existing players cautiously increase their insurance limits or broaden their cyber product ranges. This should help strengthen diversification in both the treaty and facultative markets, and also support innovation in quantitative modeling, scenario analysis, and data quality.
Like other corporations, insurers and reinsurers are also exposed to operational cyber risks, such as interruptions of dependent services, shutdowns of IT systems, breaches of client data, and ransomware attacks and their side effects. In our view, the COVID-19 pandemic accelerated the digitalization of insurance businesses and increased insurers' vulnerability to cybersecurity breaches.
Nevertheless, we believe that, on average, GMIs and reinsurers can manage their direct cyber risk exposures, thanks to their sophisticated enterprise risk management, robust capitalization, and the insights they have gained through cyber insurance underwriting. In contrast, a direct cyberattack on re/insurers could hit some of them hard, eating up a significant amount of their annual average earnings.
Cyber incidents have so far had a minimal impact on our view of global re/insurers' financial strength. However, this situation could change quickly and dramatically. Cyber criminals are rapidly becoming more sophisticated, and insurers possess large amounts of personal information about their customers, which makes them an attractive target.
A cyberattack could lead to a severe financial loss for insurers due to a direct theft of funds or ransom demands for stolen data, but also due to business disruption and regulatory fines. Besides the direct financial consequences, cyber incidents can also result in severe and long-lasting operational issues. The reputational damage may also be substantial, or even irreversible. It could also lead to a decline in new business or stymie access to capital markets. Protecting internal sensitive data from cyber criminality is therefore paramount for insurers.
Insurers globally are migrating toward digital channels and focusing increasingly on technology-led customer value chains in an effort to improve customer relationships and offer innovative products. Insurers are also working on advanced models and advanced risk management tools to deal with the complexity of cyber insurance products. Streamlining technology by using online policy application tools, digital claims handling, and mobile-based applications is an important part of their strategy. Yet a digital environment also introduces new attack gateways for cyber hackers.
Analyzing the operational cyber risk (using Guidewire's Cyence model) of the GMIs and global reinsurers we rate revealed that potential cyber losses may have a small effect on their capital (see chart 10). The data indicates that, on average, these large re/insurers would be able to withstand a direct cyberattack, since they have well-diversified earnings streams and do not depend on a single line of business or region.
The average cyber loss in the tail (0.1% probability) for very large insurers with more than $50 billion of GPW is only about 7% of earnings, compared with about 12% for insurers with less than $30 billion of GPW (see chart 11).
However, cyber losses could be material for some rated insurers. For one insurer in our sample, we estimate a significant cyber tail loss of about 90% of average annual earnings over a five-year period (see chart 12). This estimate demonstrates that, for several insurers, potential cyber losses may be well above the average for the sample, due to lower profitability or structural shortcomings in cyber risk management and, consequently, lower protection against cyberattacks. This could strain insurers' earnings and, in the long term, curb the buildup of capital buffers, leading to a potential weakening of creditworthiness.
As the cyber insurance market develops, the cyber reinsurance market will mature as well. Despite larger reinsurers signaling that they are close to capacity, we see other reinsurers exploring opportunities to increase their exposure to cyber risk. This would help the market expand responsibly, with a diverse range of reinsurers.
Another mechanism to foster such growth is collaboration among participants in the cyber insurance market. Insurers, reinsurers, brokers, and managing general agents have developed innovative data-rich analytics to enhance their underwriting and aggregation-risk management. We expect to see increasing numbers of partnerships among these players in the future.
However, the cyber insurance market remains especially difficult for those in the cyber re/insurance value chain, given the enormous potential for economic losses. We therefore believe re/insurers need to diversify their sources of back-up protection when expanding in the cyber space. With risk-adequate pricing, we see an opportunity for re/insurers to partner with the capital markets and increase their capacity. In our view, despite the many challenges, third-party capital could become a vital component in the development of a mature cyber insurance market.
This report does not constitute a rating action.