Digitalization, interconnectivity, and innovation are already reshaping our lives, and there is much more to come with the internet of things, Industry 4.0, artificial intelligence, and simply the increase in access to the web globally. Yet with these developments comes risk. People and businesses are increasingly prone to cyberrisks, as demonstrated by the ransomware attacks WannaCry and NotPetya in 2017, whose economic losses ranged from $4 billion to $10 billion each. The Center for Strategic and International Studies says cybercrime resulted in global economic losses of about $600 billion in 2017, up from about $100 billion in 2014. This rapidly emerging risk has led to a fast-growing cyberinsurance market. Nevertheless, at this point the insured losses from these events are minuscule compared with the economic losses, and we expect this gap to narrow slightly but not change fundamentally.
Although some (re)insurers started underwriting cyberrisks more than 20 years ago, at least in the U.S., S&P Global Ratings believes the global market is still in an early stage. For reinsurers, cyber is an opportunity for growth--with the potential for building long-term relationships with customers. And it's also a threat, with a number of challenges, limitations, and the possibility of large accumulation risk--and, if not handled properly, the potential for large claims that could cause earnings or capital volatility for (re)insurers (see table 1).
Table 1
Cyberrisks: The Main Challenges And Opportunities For Reinsurers
Main challenges | Main opportunities |
---|---|
Large accumulation risk | Strong growth potential |
Nonaffirmative "silent cyber" exposure | Long-term partnerships with clients |
Potentially lower relevance of historical data because of the constantly evolving nature of the risks | Potential collaboration with governments and insurance linked securities markets |
Limited diversification benefits by regions, customers | Strong operating margins backed by uncertainty premiums |
Still basic model capabilities with limited track record | Adding value and relevance for clients |
Affirmative: A Rapidly Growing Dedicated Cyberinsurance Market
Unsurprisingly, demand for cyberinsurance continues to expand after strong growth in recent years because of the spike in frequency and severity of economic cyber losses. According to "The Global Risks Report 2019" by the World Economic Forum, although the top three risks by likelihood of occurrence remain environmental factors such as climate change and natural catastrophe, cyberrisks and data theft have moved up to Nos. four and five. Moreover, prominent cyber incidents have increased awareness among individuals and businesses, such as the ransomware attacks WannaCry and NotPetya in 2017, and the targeted theft of personal data of about 500 million guests from international hotel group Marriott in 2018. At the same time, global policymakers have introduced several regulatory requirements for data protection and are creating new standards. In particular, the U.S. has several data protection acts that have increased the costs of data breaches. According to "The Hiscox Cyber Readiness Report 2019," the mean loss from global cyber incidents for companies increased 61% to $369,000, while the frequency (of recorded company attacks) also rose 61%, up from 45% the year before.
Cyberinsurance is offered either as a separate product or as an additional peril for existing insurance policies for first-party cyber liabilities (for example, malware or ransomware attacks, business interruption, online fraud, or identity theft) and third-party cyber liability (for example, data breach and potential legal fines). Targeted customer segments range from multinationals to microbusinesses and private households. Demand for cyberinsurance not only stems from the need to cover financial losses from cyberattacks, but also comes from ancillary services offered with cyber policies, such as immediate IT support, data recovery, and forensic services as well as reputation and loss prevention management. Therefore, the cyberinsurance market extensively uses third-party services from cybersecurity companies that most insurers cannot offer in-house. Some larger insurance companies have started to build up in-house expertise and have hired IT professionals such as cybercrime experts.
Insured cyber losses remain a fraction of total economic cyberlosses caused by cybercrime, with about $6 billion of insured losses in total (affirmative and nonaffirmative cyber losses), versus $600 billion of economic losses in 2018. At the same time, global affirmative cyber premiums remain low at about $5 billion in 2018, which indicates a large protection gap. In comparison, global economic losses from natural catastrophes in 2018 were about $155 billion and insured losses were about $76 billion, according to Swiss Re.
We believe the lack of global standards, including a homogenous definition of cyber events, liberal exclusions, and relatively low sums at risk offered by (re)insurers for now are keeping the market in its infancy. However, we estimate that the market has been very profitable, illustrating the lack of large insured cyber losses. According to Aon, the combined ratio for U.S. cyberinsurance averaged about 70% in 2015-2017. We expect returns will start to diminish as insurance providers currently benefit from an uncertainty premium.
The global cyberinsurance market today is dominated by the U.S., which represented about 70% of 2018 global premiums. Demand is mostly coming from various data protection regulations in several states where nonadherence to data security could lead to significant fines. In July 2019, Equifax settled with the U.S. Federal Trade Commission over its 2017 data breach, which affected 147 million Americans. The settlement of up to $700 million includes as much as $425 million for individual compensation. Another example is Facebook's record-breaking $5 billion settlement with the commission announced in July 2019 for violating consumers' privacy rights. However, we believe that cyberinsurance outside of the U.S. will grow at a faster pace and could take about a 40% share of the global market in 2021. Europe will take the lead following implementation of the General Data Protection Regulation in the EU last year. The regulation has a provision to levy fines of up to €20 million or 4% of global revenues. British Airways' owner International Airlines Group, for example, is facing a fine of $230 million from customer data theft from its website, and Google is looking at a $50 million fine from France. Asian markets recently entered the cyberinsurance market, and we believe this region will witness growth as well, as awareness about cyberrisk is rising. Recently, the Singaporean government announced plans to introduce a commercial cyberinsurance pool. As a result of rising cyber losses, increasing awareness, and growing demand for cyber products, outside of the U.S., we believe the global market will grow to $8 billion in gross written premiums by 2022 (see chart 1).
Chart 1
Underwriting Cyberrisks Means Looking At The Whole Iceberg
Before discussing the underwriting features of affirmative cyber policies, it is important to review the cyber exposure that already exists in traditional products. Most of the risks are an iceberg threat, lurking below the surface for both non-life and life insurers. This nonaffirmative or silent cyber exposure can be plentiful.
Any policy that has no explicit exclusion for cyber incidents could be exposed, including products like business interruption, marine, aviation, or transport. According to the U.S.-based Property Claim Services, the insured global cyber loss of the NotPetya attack was over $3 billion, with 90% covered in traditional policies such as business interruption. As a result, insurers have started to address these "silent" exposures through explicit exclusions or by offering insureds affirmative cover. For example, Allianz recently announced a group and worldwide cyber underwriting strategy to update and clarify all non-life policies for cyberrisks.
Regulators too have become more vocal about silent cyberrisk. In January 2019, the U.K.'s Prudential Regulation Authority called on U.K. insurers to actively manage nonaffirmative cyberrisk and clearly define cyber strategies and risk appetites. In July 2019, Lloyd's of London announced that its underwriters will have to clarify whether standard policies include or exclude cyberrisks starting next year. S&P Global Ratings believes that a proactive strategy to address nonaffirmative cyber exposure can help to further develop the cyberinsurance market by clarifying coverage for insureds, insurers, and brokers. We closely monitor (re)insurance initiatives for addressing silent cyber exposures since we believe those companies that do not act to generate dedicated insurance premiums for the risk may experience earnings and capital volatility from cyber exposure.
For those wishing to underwrite for affirmative cyberrisk, the path is not straightforward. Compared with insuring natural catastrophes, the most obvious difference with cyberrisk is the human origin of the peril and in particular the criminal element. According to NetDiligence, 92% of insured data breach losses had a criminal origin in 2017 (see chart 2). Cybercriminals are becoming more professional, aiming to develop more complex ransomware quicker than protection technologies are created to block them. This makes it much more difficult to model losses based on historic experience because it may not be a relevant indicator of the future.
Chart 2
While diversification by geography, business line, or customer base lessens natural catastrophe risk, the same cannot be said for cyber, where we believe diversification benefits are more limited. The cyberattacks WannaCry and NotPetya were global incidents encompassing many industries and geographies, demonstrating the enormous potential accumulation risk of cyber events. The sector is also still in its infancy and has limited data on losses. Modeling capabilities are improving but are still more basic than for more traditional risks. What's more, underwriting still relies highly on qualitative judgment and scenario testing.
Reinsurers Are Well Placed To Help To Develop The Cyber Market
In our view, reinsurers have been cautious about writing cyberreinsurance. Business appears to be still written mainly on a quota share basis, although we observe some increase in excess of loss and aggregate stop loss covers. We believe that the number of reinsurers and insurers that are offering cyber cover is rising. In our view, even the market leaders are only cautiously increasing their exposures compared to other lines of business, showing that affirmative cyber remains a niche specialty. One of the largest global reinsurers, Munich Re, reported affirmative global cyber (re)insurance premiums of $473 million in 2018, which is less than 1% of the group's total gross written premiums of $49.1 billion in 2018. Given the uncertainties about cyberrisks, we believe this cautious approach is appropriate and a reflection of sophisticated risk management in the global reinsurance sector.
In general, we believe reinsurers are well placed to enable further development of the cyberinsurance market. In particular, outside of global multiline insurers, which usually have in-house expertise, some midsize and more regionally focused insurers do not have the resources to significantly increase their cyber expertise and are therefore more reliant on external know-how and reinsurance. In this regard, reinsurers can help to develop products and share underwriting know-how, including modeling experience, in exchange for a fee or classic reinsurance protection. We also expect reinsurers will be able to help customers understand their nonaffirmative cyber exposure and offer solutions to help transfer that into affirmative cover. Reinsurers can also play a role in establishing cyber ecosystems by offering holistic cyber solutions through services and relationships with cybersecurity companies, specialized managing general agents, or insurtech companies. This in our view will create attractive long-term partnerships, unlike the more commoditized capacity in the pure natural catastrophe business. The reinsurance sector, in cooperation with insurers, regulators, and governments, can also continue to play a vital role in helping to define affirmative cyber products and global standards such as event definitions or more standardized terms and conditions.
Due to the enormous potential size of economic cyber losses, combined with the limitations on traditional (re)insurance capacity, we believe (re)insurers will partner with governments and the capital markets to increase capacity in the global market. We observed such behaviors in the catastrophe risk market following Hurricane Andrew in 1992, when state funds for catastrophe risks and catastrophe bonds for capital market investors brought more capacity to the sector. The Singaporean government's plans to introduce a commercial cyber pool with (re)insurers and insurance linked security (ILS) backing capacity is a recent example. However, before ILS investors will accept cyberrisk as a potential investment opportunity, the market will need to enhance its ability to model this risk as well as have a longer track record. The noncorrelation benefit that ILS catastrophe investors enjoy when investing in natural catastrophe ILS is also less clear for cyberrisks. Lastly, the losses from cyber incidents can be physical, similar to losses from fires, which shows another correlation of cyberrisk to catastrophes of human origin. While technically a government backstop program like TRIA (Terrorism Risk Insurance Act in the U.S.) can cover cyberrisk, a key concern is that attribution will be difficult to determine.
The cyber (re)insurance market is largely fluid as demand is increasing, newer entrants are scratching the surface, and the risk itself is evolving. Although the market is immature at the moment, there is still value to be found if (re)insurers properly underwrite risk. If reinsurers are able to improve quantitative modeling and data quality, this may allow for more capacity in the fast-growing business of cyberrisk.
This report does not constitute a rating action.
Primary Credit Analyst: | Johannes Bender, Frankfurt (49) 69-33-999-196; johannes.bender@spglobal.com |
Secondary Contacts: | Manuel Adam, Frankfurt (49) 69-33-999-199; manuel.adam@spglobal.com |
 | Robert J Greensted, London + 44 20 7176 7095; robert.greensted@spglobal.com |
 | Jean Paul Huby Klein, Frankfurt (49) 69-33-999-198; jeanpaul.hubyklein@spglobal.com |
 | Milan Kakkad, Mumbai + (022)33428336; milan.kakkad@spglobal.com |
 | Tracy Dolin, New York (1) 212-438-1325; tracy.dolin@spglobal.com |
Additional Contact: | Insurance Ratings Europe; insurance_interactive_europe@spglobal.com |