The booming cyber insurance market is driven by price increases rather than volume growth. To ensure sustainable growth, cyber risk insurers must look to clear policies, precise exclusions, and improved accumulation-risk modelling.
July 26, 2022
This report does not constitute a rating action
Manuel Adam, Frankfurt, manuel.adam@spglobal.com
Awareness of the risks posed by cyber attacks has never been greater. A survey of senior executives, conducted by Munich Re in 2022, found that 38% of so-called C-level managers are "extremely concerned" by cyber threats, up from 30% in the previous survey. Add in senior executives who identify as "concerned" and the percentage rises to 70%.
That is no surprise. Cyber risk awareness has grown in waves, increasing suddenly as incidents get media attention. But there has also been a general rising tide of awareness, driven by organizations' increasing reliance on data and IT systems, which accelerated with the COVID-19 pandemic.
Those growing concerns have come with a parallel increase in mitigation efforts, and thus increased investment in cyber risk management, including in cyber insurance. Such insurance policies have become a central component of companies' cyber risk management, offering a route to recovery from a cyber attack or data breach via financial compensation for costs associated with IT services, digital forensic analysis, business interruption, equipment damage, legal costs, and fines.
Cyber insurance premiums topped $9 billion in 2021, according to Munich Re. That figure is likely to increase at an average 25% per year to about $22.5 billion by 2025, according to S&P Global Ratings.
That growth might seem to be a sign of a burgeoning cyber insurance market, but rising rates account for much of the increase in total premiums (see chart 1) over the past two years, rather than an increase in the number or size of insurance contracts. Improvements in risk modeling will be necessary if further growth is to reflect increased market capacity, driven by (re)insurers' greater risk appetite, rather than still higher rates underpinned by a supply-demand mismatch due to a reluctance to take on new risk.
The significant increase in premiums over the past two years (see chart 2) stems partly from an increasingly cautious approach to underwriting cyber risks by insurers eager to protect margins and remain within their risk limits. It has also led to complaints that cyber insurance has become unaffordable, especially for small and midsize enterprises. That, in turn, has led some companies and government entities to eschew, or drop, cyber coverage--a course of action that offers upfront cost savings, but which we believe could also make recovery from a cyber attack more difficult, and thus potentially have implications for issuer credit profiles.
Price fluctuations are likely to be an ongoing characteristic of the cyber insurance market. These will arise from the emergence of new risk differentiation models and variable pricing that incorporates emerging cyber security standards and improvements in cyber security systems. This variability has become a key pillar of (re)insurers' efforts to create sustainable cyber insurance products. It has also, in some instances, led to the cancellation of contracts where policyholders have failed to meet security standards and thus an acceptable risk-return profile for (re)insurers.
Insurers have also realigned contract terms and conditions, increased retention levels (meaning more risk remains with policyholders), and reduced coverage for specific types of loss by imposing sublimits, especially in relation to ransomware and business interruption coverage. Those changes partly derive from the significant number of insurers whose loss ratios have sharply increased, mainly due to larger and more frequent ransomware-related claims.
The wariness is also justified by the systemic risk that comes from interconnected digital services and infrastructure. That exposes (re)insurers to risk accumulation--not least because a single cyber event, such as the compromise of a widely used software product or the outage of a shared service provider, could simultaneously affect a considerable number of policyholders. Significant improvements in scenario modeling have highlighted this danger and the need for improved portfolio management, and have shown how a major cyber event could result in damages worth multiples of the estimated size of the entire cyber insurance market.
We are monitoring the development of accumulation risk management at our rated insurers. Specifically, we would consider that an overly aggressive expansion into the cyber insurance market, without effective risk controls, could be detrimental to insurance companies' risk exposure and their capital and earnings positions.
Ransomware attacks were the major drivers of higher loss ratios, and consequently cyber insurance price increases over 2020 and 2021. The number of ransomware attacks increased 232% from 2019 to 2021 (see chart 3), bolstered by new trends including: subscription-based access to ransomware software (known as ransomware as a service, or RaaS); an uptick in supply chain and critical infrastructure attacks; double extortion attacks (where hackers steal and encrypt data); and increased targeting of unpatched systems.
In its simplest form, a ransomware attack usually involves hackers demanding money in exchange for decrypting or returning a company’s data. Yet ransomware can trigger a host of other losses covered by cyber insurance policies including payments linked to business interruption, data recovery, IT forensic costs, regulatory investigations, and fines. Those secondary effects have prompted insurers to analyze ransomware claims to better understand vulnerability patterns in successful attacks. That has given rise to more comprehensive questioning of policyholders, innovation in risk assessments during underwriting, and raised the threshold for accepting new risks.
The insurance industry is also reacting to this complexity by building a broader cyber risk ecosystem that includes consulting services to help clients deal with ransom demands, legal advice, forensic IT services, advice on back-up solutions and resilience consulting, and 24/7 incident reporting services (76% of ransomware attacks occur outside office hours, according to cyber security vendor FireEye).
The creation of this ecosystem should ultimately shift insurers’ role from that of simple insurance provider to cyber solutions provider (see "Cyber Risk in A New Era: Insurers Can Be Part Of The Solution," published on Sept. 2, 2020). That initiative may already be reaping rewards. The average payment following a successful ransomware attack declined to about $211,000, in the first quarter of 2022, down 34% from a peak in the fourth quarter of 2021, according to ransomware research group Coveware.
Some of that decline in average ransom payments (see chart 4) appears to stem from companies refusing to pay their attackers, though increased targeting of smaller companies is also likely to have contributed. Nonpayment of ransom demands was 54% in the first quarter of 2022, up from 15% two years earlier, according to Coveware (see chart 5). We believe that both the increase in nonpayment and the decline in the average ransom payment underscore a diminishing sense of powerlessness among victims, following investment in employee awareness, technological defenses, and operational resilience. We also note that legislators in some countries have begun debating whether ransomware payments should be banned outright.
A combination of policyholder education, the provision of services to reduce claim values, and policy rate adjustments means ransomware shouldn't be an existential threat to the cyber insurance sector. Yet making a steady profit from cyber will remain challenging for insurers. That was underscored by the worse-than-expected results from insurers' cyber operations in 2021, which led to increased hesitancy to underwrite larger risks and to some insurers reducing their risk appetite. That caution, and the resultant shift in underwriting strategies, has been exacerbated by the Russia-Ukraine conflict, and concerns that it could lead to an uptick in cyber attacks, even if that has not materialized yet.
Amid this elevated level of vigilance, it has become common practice for insurers to decline requests for cyber cover if a potential policyholder lacks comprehensive IT system back-ups, endpoint detection technology, a protocol that ensures ongoing patching of IT systems, defined cyber attack response measures, or multifactor authentication.
Insurers have also expanded their own operations to include real-time monitoring of new threat actors and new and emerging attack tactics. This monitoring now regularly feeds into the standardized information and system security questions that are used by insurers to assess risk. We regard this favorably and believe it should enable better assessment of the underlying risk dynamics of policyholders and potential clients.
We also believe that insurers that understand their clients’ business models, and marry that with an ability to analyze evolving threats, will be better able to help policyholders develop protective measures and resilience. That is likely to prove a competitive advantage in attracting new business, and in avoiding so-called "silent cyber" risk (see "Cyber Risk In A New Era: Let’s Not Be Quiet About Insurers’ Exposure to Silent Cyber," published March 2, 2021), and thus ultimately improve underwriting profitability.
We expect that the road to improved underwriting of cyber insurance will be signposted by clear and precise policy wording that mitigates evolving risks. The big challenge for (re)insurers in developing this wording lies in the need for continual reassessment of shifting risk exposures, which necessitates dynamic contract conditions and coverage concepts--both of which are likely to be enduring characteristics of the cyber insurance industry.
The need for clearer terms in contracts has been highlighted in recent months by the threat of spillover (deliberate or accidental) from cyber attacks linked to the Russia-Ukraine conflict. At the heart of the issue are so-called war exclusions, which were designed to exclude claims arising from physical or kinetic war, but which have proven ill-suited to the context of cyber warfare. Notably, a traditional definition of war implies conflict between two nation states, while cyber attacks are often conducted by non-state actors, or in such a way that proving a state's role can be difficult. That opens the door to policyholders claiming for damages that are part of a conflict, or to insurers seeking to apply war exclusions to cyber claims simply because there is a major conflict underway.
The lack of clarity surrounding war exclusions (and the risks of silent cyber) was at the heart of the dispute between ACE American Insurance and Merck, which arose after the latter claimed for losses due to the June 2017 NotPetya attack. Merck claimed against an all-risk property insurance policy that covered physical loss or damage to electronic data and software, but was denied by ACE, which asserted that NotPetya was part of a "hostile or warlike action" and thus excluded. The resulting legal battle concluded in January 2022, when the Superior Court of New Jersey ruled that Merck was right to anticipate that the exclusion applied only to traditional forms of warfare and not to cyber attacks.
We believe that insurers should focus on quality, in the context of cyber insurance wording, rather than quantity. A proliferation of imprecise cyber war exclusions could hurt the development of a sustainable cyber insurance market, which is in no one's interest.
Thankfully, the industry has begun to respond to that need for precision. In December 2021, Lloyd's of London announced the introduction of a new framework for cyber war exclusions, which applies different levels of exclusion in an effort to avoid ambiguity, while also maintaining some flexibility. Under the framework, all insurance policies written at Lloyd's must exclude losses due to war, in line with its existing requirement, but clauses can differ in the degree to which they exclude losses due to state-backed cyber operations (see the Lloyd's of London exclusion clauses listed below).
Lloyd's of London exclusion clauses
Exclusion No. 1: Excludes losses from war and all cyber operations* attributed to a nation state§.
Exclusion No. 2: Covers losses that are NOT due to cyber operations that either (1) are retaliatory between specified states† or (2) have a major detrimental impact on the functioning of the state. Cover is limited to specified amounts, per event or in aggregate per year; unless an amount is specified, there is no coverage for any cyber operation(s).
Exclusion No. 3: Covers the same losses as Exclusion No. 2, but without the coverage limits.
Exclusion No. 4: Covers effects on bystanding cyber assets‡ in addition to the coverage provided by Exclusion No. 3.
*Cyber operation--The use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate, or destroy information in a computer system of, or in, another state. §State--Sovereign state. †Specified states--China, France, Germany, Japan, Russia, U.K., or U.S. ‡Bystanding cyber asset--A computer system used by the insured or its third-party service providers that is not physically located in an impacted state but is affected by a cyber operation. Source: Lloyd's Market Association, S&P Global Ratings.
The Lloyd's framework is a step in the right direction but is likely to require further refining. Key terms, such as "retaliatory" and "major detrimental impact," are not defined in the exclusion clauses, and are thus open to interpretation. We also worry that too many choices could lead to unnecessary heterogeneity, contributing to a lack of consensus over the treatment of cyber war exclusions. And questions remain about how the new clauses will interact with existing exclusions, which supports the case for standalone cyber insurance policies that provide clarity of coverage.
Yet by offering a range of standard exclusions, the framework could improve policy transparency while helping insurers to adapt exposure to their risk appetite, all of which we consider to be positive for the cyber insurance market.
There are other vexing issues that the market still needs to confront in relation to cyber war exclusions, including who bears the burden of proof in establishing the origins of a cyber incident, the extent of state involvement, and the relevance of an attack to a conflict's aims. Such questions must be answered, not least because demand for cyber insurance will continue to increase.
A stable market is in the interest of policyholders, who will benefit from greater certainty of coverage and lower costs, and insurers, who will be better able to match products to their risk appetites while also reducing the volatility of returns.
We believe clearer policies will be at the forefront of those efforts, but that it will also necessitate a deeper understanding of how ransomware drives losses, improvements in scenario modeling, better management of risk accumulation, and disciplined underwriting. Insurers that aggressively expand in the cyber market without that expertise will expose themselves to increased capital and earnings volatility that could lead us to change our assessment of their operations.