More Clients Are Buying Cyber Insurance

Despite the challenges in the cyber insurance market over the past two years, the percentage of clients buying coverage continued to climb in 2022.

Source: Marsh | Published on May 15, 2023

Howden launches Cyberwrite

Despite the challenges in the cyber insurance market over the past two years — which included steep pricing increases, tighter terms and conditions, and intensified scrutiny from underwriters — the percentage of clients buying coverage continued to climb in 2022. Looking back on 2022 and ahead into 2023, we see a number of trends, including:

  • Cyber insurance pricing increases moderated for the fifth consecutive quarter, rising 11% on average in the US in the first quarter of 2023, compared to 28% in the prior quarter.
  • The largest companies, those with greater than $1 billion in annual revenues, continue to be far more likely to purchase cyber insurance.
  • Innovative, data-backed analysis allows clients to better understand and prioritize the impact of cyber risk controls.
  • Over the past two years, many cyber insurers have focused on potentially catastrophic cyber risk, including fallout from geopolitical conflicts and corresponding nation state activity, changing policy exclusions, and the possible impact from single points of failure.

Effective March 31, 2023, Lloyd’s of London mandated new war exclusion wording inclusive of language to manage systemic loss. Marsh continues to question insurers on clients’ behalf regarding the approach to war and cyber catastrophic risk.

Concurrently, cyber risk management is being driven by advances in predictive aggregation models, improved cyber hygiene, ways to prioritize investments, greater information sharing between private and public entities, and increased government actions in support of a cyber resilient society.

As these forces shape the future state of cyber resilience, it’s important to understand the role of cyber insurance, including purchasing trends.

A shift in cyber insurance retentions and limits purchasing

The increase in the number of organizations purchasing coverage is a positive trend, reinforcing the view that insurance is an important part of any cyber risk management strategy.

  • 63% majority of executives surveyed see insurance as a key piece of cyber risk management strategy. (Source: The State of Cyber Resilience)

Another significant shift in purchasing in 2022 was in how clients made coverage decisions and managed their cyber insurance programs.

Early in the year, clients generally continued to increase their self-insured retentions (SIRs), bringing more financial risk in house as they had been doing for several quarters due to prevailing market conditions. However, as the market improved and pricing stabilized throughout 2022, many clients began to decrease their SIRs as coverage became more available and affordable, a trend that has continued into 2023.

And as SIRs declined, the percentage of clients purchasing higher limits increased, from 10% in the second quarter of 2022 to 16% in the fourth quarter (see Figure 2). Rising competition among cyber insurers — driven in part by improvements in potential clients’ cyber controls — positively affected pricing for clients seeking to increase limits.

Many clients sought to regain a sense of control of their cyber programs as 2022 progressed. In the last two years, for example, we saw a 75% increase in the number of Marsh-managed captive insurers writing cyber coverage.

Another way to view pricing conditions for cyber coverage, or any other insurance product, is through rate on line (ROL) data (see Figure 3). ROL is a measure of what reinsurers charge insurers for coverage, and is calculated by dividing the total premium into the total limits purchased.

This provides a more consistent measure of pricing compared to data that is based on monthly percentage changes in overall premium. This is largely because the starting point for the latter varies, while the starting point for ROL is concrete — it’s the limits purchased.

ROL provides a more consistent measure compared to data that is based on point-in-time percentage changes in overall pricing. This is largely because the starting point for the percentage-based rate changes varies; premium is a variable and some organizations may have a higher or lower base to start from. ROL is a more accurate measure of the cost of risk transfer as it is based on how much organizations pay as a percentage of limits purchased.

Who is buying cyber coverage?

Large companies continue to be more likely than smaller ones to purchase cyber insurance. Larger organizations typically have more robust cyber risk management infrastructure, and many view cyber insurance as part of their overall cyber resilience strategy. Further, there’s a perception that larger companies are potentially more lucrative targets for bad actors and thus, face a higher level of threat from factors such as employee and supplier errors.

However, it’s important to understand that organizations of all sizes are targets. Those with weaker cybersecurity controls present a lower barrier to entry for cyber criminals.

  • 47% of clients with annual revenues greater than $1 billion purchase cyber insurance vs.
  • 34% of clients with annual revenues below $1 billion.

By industry, education clients continued to have the highest take-up rate in 2022, followed closely by healthcare (see Figure 4). Most industries experienced slight upticks in take-up rates in 2022. Over three years (2020 to 2022), financial institutions and life sciences clients saw the largest change in take-up rates, both increasing by 20%.

After slowing in 2022 compared to 2021, ransomware claims increased in the first quarter of 2023 to a level not seen in more than a year.

A variety of external factors had contributed to a decrease in last year’s attack frequency, including international sanctions in response to Russia’s invasion of Ukraine, which hindered ransom money movement. In February and March of this year, however, new ransomware groups emerged at the same time that established threat actors executed mass ransomware attacks. Ransomware-as-a-service has also become more prolific, making it easier for bad actors to execute an attack.

At the same time, privacy claims nearly doubled in the first quarter compared to the prior quarter.