Premiums in the US cyber insurance market dipped slightly in 2023 after several years of rapid growth, against a backdrop of falling prices and new threats.
Direct written premiums for stand-alone and package cyber business combined fell 0.7% to $7.18 billion in 2023 from $7.24 billion in 2022, according to S&P Global Market Intelligence data. Although a small drop, it ends a prolonged period of rapid growth in cyber premium volume.
The fall was driven by stand-alone business, where direct written premiums fell 3.2% to $4.93 billion. This was partly offset by a 5.1% growth in package business. By contrast, direct premiums for stand-alone business grew by 62% year on year in 2022 and 91% in 2021.
Falling prices, growing risk
The prices cyber insurers charge for cover started to fall in 2023 after rising sharply between 2020 and 2022 to counteract a jump in ransomware claims. After rising 11% in the first quarter and 1% in the second, global cyber prices fell by 2% and 3% in the third and fourth quarters, respectively, according to insurance broker Marsh LLC's Global Insurance Market Index. This trend has accelerated in 2024. Global cyber insurance prices fell 6% in the first quarter, Marsh's index shows.
Some underwriters are concerned the price cuts are premature because they are being made without evidence of a sustained reduction in claims, although they say pricing remains adequate for the risks being taken on.
The picture at the individual company level is mixed, with some showing big swings in direct written premiums. Of the stand-alone underwriters, AmTrust Financial Services Inc. showed the biggest increase, at 30.1%. At the other end of the spectrum, Arch Capital Group Ltd. reported the biggest decrease, with a drop in direct premiums written of 22.6%. For package underwriters, Berkshire Hathaway Inc. reported the biggest increase, with 133%, while the biggest faller was Zurich Insurance Group AG with a drop of 14%.
At the same time, cyberthreats continue to evolve. The February ransomware attack that shut down UnitedHealth Group Inc.'s Change Healthcare Inc. subsidiary has highlighted insurers' and reinsurers' potential exposure to the US healthcare industry more broadly.
Insurers are unlikely to be on the hook for UnitedHealth's costs from the attack, which the company said were $872 million in the first quarter of 2024 and could rise to between $1.35 billion and $1.60 billion for the full year. The company is self-insured, UnitedHealth's CEO Andrew Witty said during a May 1 congressional hearing about the attack.
But the hack showed the potential for cyberattacks on US healthcare technology infrastructure to affect a large number of companies at the same time, which insurers refer to as risk aggregation. Change Healthcare handles a range of functions in the healthcare industry, including claims and billing. CyberCube, a cyberrisk analytics company, estimates that up to 189,000 entities were exposed to the Change Healthcare attack.
For insurers and reinsurers with exposure to healthcare, "this is an industry that requires greater due diligence and care at the underwriting level, but also at the risk aggregation management level," William Altman, cyber threat intelligence principal at CyberCube, said on the company's global threat briefing webinar April 24.
3rd-party risk
The Change Healthcare attack was an example of third-party ransomware exposure, where an insured company is affected by an attack on one of its service providers. This third-party exposure "is a real risk" to the insurance market, Philippa Berry, cyber product leader at specialist underwriting agency CFC Underwriting Ltd., said at a cyber insurance conference in April. The attack on Change Healthcare affected "thousands of small healthcare entities," and so "the aggregation risk on it is really high," Berry said. She added: "The challenge for us as a market ... is how can we underwrite to that."
Sensitive data was also stolen in the Change Healthcare attack. "Where I see more catastrophic potential here is in the data breach component rather than the outage," Altman said. He described the breach as "very significant," involving the data of large numbers of healthcare providers and patients. "That's going to result in a long tail of fraud and abuse against those providers and patients," Altman said, adding that the impact on the insurance industry is difficult to quantify.
Altman said the US healthcare industry is prone to cyberattacks for several reasons: it holds sensitive data, can ill afford downtime, and has a small number of single points of failure in its technology infrastructure. "There's a number of different large entities in the healthcare system in the US that are responsible for an outsized share of the industry's operations, data, functionality, et cetera," Altman said.
Elections, tensions
The US healthcare system's susceptibility to cyberattacks is far from the only worry for cyber underwriters. CyberCube's global threat outlook also flagged the potential for more attacks on the US public sector in an election year, and rising state-sponsored attacks amid the Russia-Ukraine and Israel-Hamas wars and growing tensions between China and the US, among other things.
So far, lower prices and evolving risks are not greatly affecting US cyber insurers' loss ratios. The direct loss ratio for stand-alone cyber business increased by just 0.5 percentage point in 2023 to 43.6% and remains well below 2020 and 2021 levels.