Cyber insurance is harder for companies to find than it was a year ago — and it’s likely going to get harder. While cyber insurance is becoming more of a must-have for businesses, the explosion of ransomware and cyberattacks mean it’s also becoming a less enticing business for insurers. The average ransom payment shot up 82 percent from 2020 to 2021. By the middle of last year, the number of ransomware attacks was up more than 150 percent over the entirety of 2020. And this has had direct implications for the insurance industry: The uptick in attacks — and payouts — has meant steeper losses for insurers and dulled their appetites for this emerging and often volatile class of business.
For cyber insurance to remain a viable business, insurers and their customers need a new pool of capital to help address the risk of large, generally unlikely (but possible) cyber catastrophes — events that hit multiple companies and cost insurers hundreds of millions of dollars. That new pool of capital could help insurers manage their risk better, and give them more breathing room to write more cyber insurance. Insurance linked securities (ILS) could help give the industry what it needs to grow.
Less Protection for More Money
While it’s tough to gauge the worldwide sum of premiums that insurers collect for cyber insurance, the PCS team, which I lead at data/analytics firm Verisk, puts the total at around $5.5 billion, up from roughly $5 billion a year ago. It’s cocktail napkin math, but pretty good cocktail napkin math.
Don’t be fooled by the appearance of growth, even if that growth is up 10 percent year over year. Many companies have had to spend more to buy insurance that covers the same or less than it did last year, with premium increases of 25-75 percent — depending on the type of company buying insurance, how much protection they want, and other factors. While that may look like growth for insurers, that premium may also be coming on more imminent risk. And despite appearances, some insurers have either reduced how much cyber they’ll write or have even pulled out of the market entirely.
As you’d expect from the increase in ransomware activity (and other types of attacks), the global insurance industry’s loss environment has become more challenging. Data reviewed by PCS from the January 1, 2022, reinsurance renewal cycle shows a significant increase in cyber insurance loss ratios (insured losses divided by premium). After hovering around 60 percent in the past, according to our market sources, it looks like 2021 could go as high as 80 percent, when the dust settles, which can take a while. We’re still seeing further loss activity from 2020 get reported, and even some from 2019. With time, we could see past profitability impaired further, along with a delayed signal on today’s cyber insurance loss trends.
For many in the cyber insurance sector, reinsurance has been a bit of a crutch. (Reinsurance is basically the insurance that insurance companies buy.) Insurers have become increasingly dependent upon reinsurance as a way to manage their own risk and capital, and it’s safe to say that the growth in cyber insurance experienced (particularly through 2018) was fueled largely by reinsurance. Simply put, reinsurance has helped make it easier for many insurers to write cyber business, because they have a partner in place ready to share the risk with them. It’s a lot easier to say “yes” when someone else is sharing the burden.
The share carried by reinsurers is growing quickly. A few years ago, insurers ceded around 45 percent of the business they wrote to reinsurers. Today, that’s around 55 percent. This means that insurers aren’t increasing their commitments to the cyber sector. They’ll write more as long as someone else (the reinsurer) takes more and more of the burden. But with losses becoming more frequent and more expensive, many reinsurers are becoming more cautious, too.
While cyber reinsurance growth has allowed insurers to tread water, that’s not enough in the long run. Part of what’s missing, however, is a growth in protection. Premiums may be on the rise, but companies may have less protection than they did in the past, possibly leaving them more exposed. Industry growth doesn’t necessarily mean a business environment that’s safer from cyber. We need to see premium grow from market expansion, not higher prices on a shrinking capital base. Right now, reinsurers are providing enough support to insurers to keep the cyber insurance market in place, but not enough to help it grow.
This stabilization is still important, as a more pervasive and aggressive cyber threat environment could cause many to reconsider whether they want to be in cyber insurance at all. The question now, bluntly, is simple: Has the threat become untenable?
How Securities Could Help
It’s clear that something needs to be done about the cadence and impact of cyberattacks. Alleviating the threat would have the most profound impact on insurers’ ability to write more cyber. Fortunately, there have been some promising developments, like the successful diplomatic efforts to have decryption keys provided without ransom payment following the Kaseya attack last summer. Diplomacy requires a long runway, though, and the industry needs to buy time while that process progresses. For now, more capital could make a difference — if it’s deployed to the right gaps in the market.
A small corner of the reinsurance industry is uniquely poised to help the cyber insurance sector navigate the current threat environment: insurance linked securities, or ILS.
The ILS sector consists of fund managers that provide reinsurance through financial instruments designed to bring capital markets and the insurance industry together. At approximately $106.6 billion, according to Artemis.bm, the leading ILS sector trade publication, the sector is still small, but it could have a disproportionate impact on the cyber insurance and reinsurance market by writing what’s called retrocession, or reinsurance for reinsurers. Several decades ago, ILS funds provided retrocession to the property-catastrophe reinsurance market (think hurricanes and earthquakes) when capital was in short supply, ultimately leading to the growth of both catastrophe reinsurance and ILS. Since they were providing protection for massive events that are quite rare, they were able to generate sufficient returns for their investors while helping insurers and reinsurers manage their overall risk more effectively. Cyber insurers and reinsurers today need that same sort of help.
There’s a similar opportunity today with cyber — but insurers need to make the case, and help these funds understand the market.
PCS recently spoke with 24 ILS funds, representing nearly 80 percent of the industry as measured by assets under management (AuM). Only two have mandates completely excluding the cyber risk. Roughly 20 percent of them have engaged in at least one cyber ILS trade, although they have tended to be smaller, bespoke transactions intended to mirror traditional reinsurance. What’s more important, though, is the appetite for growth: Thirteen ILS funds, representing nearly $60 billion in AuM, reported they are interested in providing cyber reinsurance protection. Most of them have never done so before. Eight of those funds — $41 billion in AuM — would like to provide cyber reinsurance this year.
The first step in getting the ILS market into cyber will be retrocession — again, reinsurance for reinsurers. Then, that’ll leave reinsurers with more capital to help out insurers. Here’s how that can get started:
1) To engage this capital more effectively — and help it achieve the greatest impact — ILS funds need to see cyber ILS transactions that are easy to understand (and explain to their end investors).
2) Commoditizing those easy-to-understand deals will be crucial, particularly when it comes to the importance of minimizing frictional costs.
3) Deals that are easy to analyze and use a common language are most likely to cause the first large wave of cyber ILS activity and create a foundation for the development of an ongoing, reliable, and robust cyber retrocession market.
4) With reinsurers able to secure retrocession, they should be able to deploy more capital to the insurers they support, which in turn will enable a return to cyber insurance market growth.
The industry is making progress. ILS funds have shown a salient increase in appetite for cyber risk, particularly now that protection buyer expectations on pricing have moved upward. Insurers and reinsurers have seen quoted pricing from ILS funds approach a more realistic level as well, which is the behavior necessary for the market to reach a clearing price. Once the first commoditizable transaction is completed, most of my clients agree, many more will follow.
Cyber ILS alone won’t save the cyber insurance market. Ransomware has become a profound problem, and it will require more than just insurance to solve it. That said, cyber ILS can help insurers, insureds, governments, and other stakeholders get the breathing room they need to manage the threat environment and make the cyber world a safer place.