S&P notes in a new report, Cyber Risk in a New Era: The Rocky Road to a Mature Cyber-Insurance Market, that much of the growth in the cyber-insurance market is being driven by a significant increase in cyber-insurance premiums rather than the size or volume of cyber-insurance contracts.
According to S&P, some insurers and reinsurers have chosen to reduce their cyber-risk appetite in response to increased frequency and severity of cyber attacks, as well as increased systemic vulnerabilities.
According to Munich Re, insurers and reinsurers wrote more than $9 billion in cyber-insurance premiums in 2021. According to S&P, that premium figure will rise by 25% per year to around $22.5 billion by 2025.
However, because that growth is being driven primarily by premium increases rather than the size or volume of cyber-insurance contracts, S&P believes that changes are required if future growth in the cyber-insurance market is to reflect more than just price increases.
"Improvements in risk modeling will be required if further growth is to reflect increased market capacity, driven by (re)insurers' increased risk appetite, rather than still higher rates underpinned by a supply-demand mismatch due to a reluctance to take on new risk," according to the report.
According to the report, there is a growing awareness of cyber risks, citing a Munich Re survey that found that 38% of C-level managers are extremely concerned about cyber risks, up from 30% in a previous survey. When top executives who are "concerned" about cyber threats are included, the total in the recent Munich Re survey reached 70%, according to S&P.
"Those growing concerns have coincided with increased mitigation efforts, and thus increased investment in cyber-risk management, including cyber insurance," according to the S&P report. "Such insurance policies have become a critical component of companies' cyber-risk management, providing a path to recovery from a cyber attack or data breach through financial compensation for IT services, digital forensic analysis, business interruption, equipment damage, legal costs, and fines."
However, significant price increases in cyber insurance in recent years have led some buyers to view the coverage as unaffordable, according to S&P, particularly among small and midsize businesses. As a result, some businesses and government entities have dropped cyber coverage, which may make future cyber attacks more difficult to recover from.
According to the S&P report, price fluctuations are likely to be an ongoing feature of the cyber-insurance market. According to the report, "these will result from the emergence of new risk differentiation models and variable pricing that incorporate emerging cyber-security standards and improvements in cyber-security systems."
According to S&P, risk differentiation has become an essential component of insurers' and reinsurers' efforts to create sustainable cyber-insurance products. It has also resulted in some contract cancellations when policyholders failed to meet insurers' and reinsurers' cyber-security standards.
According to the report, cyber insurers have also revised contract terms and conditions, increased required policyholder retentions, and imposed sublimits for certain types of loss, particularly ransomware or business interruption.
"Those changes are due in part to the significant number of insurers whose loss ratios have sharply increased, primarily as a result of larger and more frequent ransomware-related claims," S&P says.
Cyber insurers will continue to face challenges in generating consistent profits. It mentions their worse-than-expected 2021 results, which led to increased reluctance to underwrite larger risks and decreased risk appetites among some cyber insurers. "That apprehension, and the resulting shift in underwriting strategies," S&P says, "has been exacerbated by the Russia-Ukraine conflict, and concerns that it could lead to an increase in cyber attacks, even if this has not yet materialized."
Insurers are increasingly turning down requests for cyber coverage from prospective buyers who lack comprehensive information technology (IT) system backups, endpoint detection technology, IT system patching protocols, defined cyber-attack response plans, or multifactor authentication.
Meanwhile, cyber insurers have begun monitoring new threat actors and emerging cyber-attack tactics in real time. According to S&P, "this monitoring now regularly feeds into the standardized information and system security questions that insurers use to assess risk." "We welcome this and believe it will allow for a better assessment of the underlying risk dynamics of policyholders and potential clients."
According to S&P, dynamic contract conditions are likely to remain a feature of the cyber-insurance market. Meanwhile, clear and precise policy language is critical to the market's long-term development.
"The threat of spillover (deliberate or accidental) from cyber attacks linked to the Russia-Ukraine conflict has highlighted the need for clearer terms in contracts in recent months," the report says. "At the heart of the problem are so-called war exclusions, which were intended to bar claims arising from physical or kinetic war but have proven unsuitable in the context of cyber warfare."
According to the S&P report dated July 26, 2022, a stable cyber-insurance market is beneficial to both policyholders, who would benefit from greater coverage certainty and lower costs, and insurers, who would be better able to match cyber-insurance products to their risk appetites while reducing return volatility.
"We believe that clearer policies will be at the forefront of those efforts," the S&P report says, "but that it will also necessitate a deeper understanding of how ransomware drives losses, improvements in scenario modeling, better risk accumulation management, and disciplined underwriting." "Insurers that aggressively expand in the cyber market without that expertise risk increased capital and earnings volatility, which could cause us to change our assessment of their operations."