Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms.
The increase is primarily due to higher rates, rather than insurers significantly increasing the amount of money they are willing to cover.
"The amount of rate that is generated in this market is quite astonishing, just in terms of the percentages that are out there," Tim Zawacki, principal research analyst at S&P Global Inc.'s Market Intelligence business, said.
The price increases aided the US cyber insurance industry in lowering its direct loss ratio, or the percentage of income paid out to claimants, from 72.5 percent in 2020 to 65.4 percent in 2021. However, that figure is still significantly higher than the direct loss ratio of 47.1 percent in 2019.
According to executives, the sometimes drastic rate increases reflect a realignment of a relatively new market that is maturing quickly, indicating that the insurance industry is grappling with pricing cyber risk.
"Despite an evolution in cyber underwriting, cyber risk insurance premiums are being right-sized after many years of softer market conditions," said Jack Kudale, CEO of Pleasanton, Calif.-based insurer Cowbell Cyber Inc.
The reset includes stricter criteria for those seeking coverage, which the White House has praised as part of a broader push to tighten private-sector security. Many carriers are now requiring potential clients to demonstrate at least basic cyber hygiene practices, such as multifactor authentication.
"Now, if you can't demonstrate certain baseline controls, the vast majority of the marketplace is going to say no," said Adam Lantrip, senior vice president and leader of CAC Specialty's professional and cyber solutions practice.
According to insurance experts, market turbulence accelerated following the May 2021 hack of Colonial Pipeline Co. The incident highlighted a surge of costly ransomware attacks that disrupted businesses and prompted Washington to enact a slew of new cyber regulations.
Mr. Lantrip claims that, in addition to raising prices last year, many carriers reduced the scope of their policies. This meant that businesses needed more policies—and more paperwork—to maintain the same dollar amount of coverage.
Mr. Lantrip's firm now budgets four to six months for its clients to overcome all of the obstacles required to renew their plans.
"It's almost to the point where the deals never get done," Mr. Lantrip said.
In recent months, as the insurance industry has adjusted to the risk of criminal hacking groups, some carriers have moved to clarify act-of-war exclusions for conflicts such as Russia's invasion of Ukraine. The Lloyd's Market Association, a trade group, proposed new language in November to exclude cyber threats from property and casualty policies.
As more armed conflicts spill over into the digital realm, the precise language of such exclusions—and how they are interpreted in court—may prove costly for insurers or businesses.
While the Ukraine conflict has seen a slew of mostly low-impact cyberattacks by Kremlin-linked hackers, security experts warn that operations by nonstate actors on both sides of the conflict could widen the legal gray area surrounding what is and isn't covered by insurance.
"It's not always clear what a war is nowadays," said Jon Bateman, senior fellow in the Carnegie Endowment for International Peace's Technology and International Affairs Program. "The insurance community has varying appetites for how much exposure to state-sponsored cyber risk they are willing to take on."