Cyber insurers have been enjoying a profitable run for several years but are now facing a changed risk landscape with data breaches, ransomware attacks, insurance claims and overall threat awareness increasing.
In a report, “Cyber Insurance: Profitability Less Certain as New Risks Emerge,” rating agency AM Best notes that growth has slowed significantly from 2016-2017 when direct premiums written grew by more than 30% annually and claims have doubled to 18,000 in 2019, up from 9,000 in 2017.
“The profitability of the cyber line has been strong, but concerns are emerging,” the AM Best analysts write.
“Claims are growing exponentially, which will be an issue if prices cannot keep up with rising frequency,” the report says.
Accordingly, AM Best analysts are advising carriers that they should focus on “greater clarity in their insurance contracts to set transparent expectations for themselves and their clients.”
Noting that insurers are still battling with the claims resulting from NotPetya from 2016, the report points out that protracted litigation can have a longer tail than expected, underscoring the importance of managing so-called silent cyber.
Additionally, the frequency and severity of ransomware attacks have escalated, as have data breaches and kidnaps in the health care industry in particular. According to CoveWare, the average ransom payment increased to $84,116 in the fourth quarter of 2019, up 104%, from $41,198 in the third quarter.
Based on data collected by the National Association of Insurance Commissioners (NAIC), AM Best reports that direct premiums written in the admitted U.S. cyber insurance market grew by 11% year over year in 2019 to $2.25 billion; however, the rate of growth slowed from the previous year, marking the fourth-straight year of this slowing trend.
Standalone coverage is outpacing packaged cyber. Standalone policy premiums were up 14% in 2019, to $1.26 billion in premiums, while packaged cyber policies grew 7%, to $988 million.
“The higher rate of growth for standalone policies indicates organizations’ escalating concerns about cyber risk and their strategic choice to purchase policies solely for cyber risk protection,” AM Best says.
Buyers are “becoming more sophisticated” and are seeking separate cover for cyber, as they do not want other risks to erode their coverage.
Also, insurers may be pulling back on packaged policies options. The report concludes that insurers are heeding the warnings and “making greater efforts to provide clarity and explicitly exclude cyber coverage in non-cyber policies, to diminish or eliminate silent cyber exposures.”
AM Best said it expects standalone policies to continue to grow, with insurers including Lloyd’s and AIG pushing affirmative cyber.
Chubb, with $356.9 million in cyber direct premiums written, remained the top cyber insurer in 2019, ahead of XL Reinsurance America Group (AXA XL) and American International Group.
The top three cyber writers—Chubb, AXA XL, and AIG—specialize in either standalone or packaged policies, but half the top 20 writers sell substantial amounts of both.
The numbers suggest that newer writers are flexing their cyber muscles, as the top 10 of the top 20 writers all lost market share, while the bottom 10 expanded theirs.
The top 20 write $1.9 billion or about 84% of the total $2.2 billion cyber insurance market. The top five write about 50%.
Hartford Insurance Group retained its position as the insurer with the most cyber policies in force at year-end, with 543,000. Cincinnati Insurance Companies (227,000), Liberty Mutual (218,000), Berkshire Hathaway (183,000) and Farmers Insurance (178,000) are the other leaders in number of cyber policies in force.
The report notes that AM Best’s market figures likely are understated given lack of standardization in cyber policies and reporting, as well as a considerable usage of captive and surplus lines insurers to write cyber coverage.
Before the pandemic, cyber insurance rates were increasing by 4% to 5%. With COVID-19, AM Best said it expects momentum for rate increases to continue.
The report also warns that pandemic may be compounding cyber risk and that insurers should reconsider their stress testing to acknowledge the similarities between a pandemic and a cyber attack.
The analysts point out that there are no geographical boundaries to either a pandemic or a cyber attack and both can result min big losses for business interruption, contingent business interruption, trade credit and professional liability.
Was this article valuable?
Here are more articles you may enjoy.