The recent ransomware attacks in more than 150 countries are likely to increase demand for related insurance protection as they reveal the widening scope of corporations’ cyber risk exposures.
But Fitch Ratings says insurers should take a cautious approach to adding cyber exposures as there is considerable uncertainty in pricing and underwriting this risk. Aggressive expansion by individual underwriters into the segment could be credit negative, Fitch warned.
Tallying the costs from recent attacks will take time. However, Fitch analysts believe growth in corporate anxiety from cyber-related threats amid regular reports of data breaches and other information system intrusions will spur demand for cyber protection and insurance protection.
Compliance with developing cybersecurity regulations will likely further increase the demand for coverage.
U.S. insurers wrote approximately $1.3 billion in cyber coverage in 2016, and this market could grow more than tenfold to $14 billion by 2022, according to Fitch.
Fitch says insurers are playing an expanded role in countering the cyber threat, utilizing traditional expertise in risk management and claims services while also gaining more technical expertise through acquisitions or alliances with cyber security vendors. Cyber protection coverage, increasingly includes a service and advisory component, as well as insured loss limits.
Cyber extortion and ransomware attacks are not the only events likely to increase interest in insurance. Systems hacking, data theft and denial of service attacks may cause economic loss from damage to systems and property, remediation costs, lost revenue due to business interruption and reputation damages. Hacking events can also generate third-party liability exposures triggered by errors and omissions or failure to protect data. Professional liability exposures, including potential claims against directors and officers for failing to manage risks and prevent cyber incidents, are also possible.
Leading writers of cyber risk include American International Group, XL Group and Chubb. Many insurers have taken a cautious approach to introducing cyber coverage, particularly with regard to liability coverage. Underwriting experience relating to cyber coverage, as reported by insurers, has appeared relatively favorable for insurers in the past two years, but the market remains untested, according to Fitch.
About 120 U.S. insurance groups wrote an estimated $1 billion in cyber insurance direct written premiums in 2015, according to Fitch. The P/C industry’s direct loss ratio for cyber standalone business, which accounts for almost half of all the business, in 2015 was 65.2.
Insurers’ reluctance to write more cyber coverage is due to the challenges in establishing actuarially robust pricing and coverage terms for cyber-related risks given still-limited data from historical claims losses. The evolving nature of events and uncertainty regarding the source and range of potential losses add further challenges, the analysts note.
Premium growth in cyber products may also be dampened somewhat by contrasts between the coverage insurers are currently willing to offer and the policyholders’ perspective of the nature of their cyber risk and protection needs. Over time, these differences will likely converge as the market matures, Fitch says.
Given the scope of these challenges, Fitch is warning that aggressive growth in standalone cyber coverage, or movement to high portfolio concentration in cyber, would be negative for an insurer’s credit profile. Underwriting, pricing and reserving uncertainties would outweigh the potential earnings growth benefits. Fitch recommends controlled growth as part of a diversified portfolio, coupled with continually enhanced underwriting standards, which would generally be neutral for the credit profile.