Despite recent signs of recovery from shock losses, insurers do not expect the amount they are willing to cover through cyber policies to grow dramatically in the near future.
According to Jeremy Gittler, practice leader and head of cyber for the Americas at AXA SA’s XL reinsurance unit, which issues insurance for insurers, most major cyber insurers are willing to write insurance for their largest customers up to around $15 million. However, few are likely to begin issuing policies for $20 million or $50 million, which large companies frequently require to cobble together full coverage from multiple carriers.
“I don’t know that there’s that much of a comfort level, aside from a couple carriers,” to offer single policies in that range, Mr. Gittler said at a Professional Liability Underwriting Society conference in New York on Tuesday.
According to regulator data, a rapid increase in ransomware claims beginning in 2019 rocked cybersecurity insurance providers, with direct loss ratios, or the cost of claims to carriers, reaching an average of 72% in 2020 from 47% in 2019.
Insurers responded broadly by raising premiums and instituting stricter underwriting standards that more closely examined applicants’ cybersecurity defenses. They also established strict limits on the amounts they were willing to cover, as well as exclusions for potentially catastrophic attacks.
Despite the fact that these changes reduced loss ratios to 65% by 2021, insurance executives say the industry is still wary of providing significant coverage to any single policyholder. Some insurers believe that strict underwriting, rather than making policies more widely available, is critical to the health of the cyber insurance industry.
“Our job is to make a profit, not to make as much money as possible,” Mr. Gittler explained.
Insurers are also concerned about how long-term risks will play out, which contributes to the decision not to increase coverage limits. While ransomware attacks and claims can be costly, they are relatively short-term expenses, according to Jason Glasgow, cyber lead at Allied World Assurance Company Holdings Ltd.’s insurance business.
Insurers have yet to collect sufficient data on the extent to which longer-term events, such as class-action data-breach lawsuits arising from cyberattacks, can affect claims, he said.
Many claims last year reflected corporate efforts to recover costs associated with privacy liability. “Determining how carriers will pay out will take longer,” Mr. Glasgow stated at the same event. “Are we now confident in our pricing based on this longer-tail exposure? “I’m not certain.”