Key Takeaways
- The COVID-19 pandemic is forcing almost all organizations to speed up their digital transformation priorities.
- This rapid transformation will inevitably increase systemic vulnerabilities to cyber attacks, leading us to expect the next decade to be the most important period of growth for the cyber insurance market.
- Currently, commercial and private cyber insurance premiums total about $5 billion, and we expect this to increase 20%-30% per year on average in the near future.
- As the market gains critical mass, providers should continue to build out their platforms and product offerings and focus on robust underwriting skills.
- Insurers will have to offer more relevant products for the market to succeed, and carefully evaluate and monitor exposures, in particular related to potential accumulation risks, to maintain credit strength if they accept cyber insurance risks on a larger scale.
The COVID-19 pandemic has changed the ways we shop, learn, and work with important implications for cyber risk. E-commerce is booming, brick-and-mortar retailers are shifting to digital platforms, and schools and offices have adopted online classes and home working. For organizations this has meant re-thinking digitalization strategies and doubling-down on information technology (IT) spending, cloud capacity, and infrastructure to boost bandwidth, ensure business continuity, and retain customers.
We believe these digitalization trends are here to stay and will inevitably lead to a higher likelihood of cyber incidents, as companies increase their digital footprint or enter the space for the first time.
Even prior to the COVID-19 pandemic, cyber risk was the top peril for organizations globally, according to the Allianz Risk Barometer Survey in January 2020. The same survey ranked it 15th back in 2013.
High-profile incidents such as the WannaCry ransomware outbreak in May 2017 and NotPetya in June 2017 have materially increased awareness of cyber threats, with estimated global damage of up to $4 billion and $10 billion, respectively. Both spread automatically between unpatched Windows hosts over the SMB protocol, and NotPetya was initially seeded through a compromised update of widely used accounting software, which is why a single incident reached companies in dozens of countries within hours. These incidents demonstrated the huge accumulation risk and the potential for large interrelated losses from a single piece of self-propagating malware. Ransomware attacks, in which malware encrypts files or whole systems across a corporate network and the attackers demand payment to restore access, increasingly also threatening to publish stolen data if the ransom is not paid, are increasing in frequency and severity.
The increasing sophistication of cyber attacks is also undeniable. For example, advanced persistent threats (APTs), targeted intrusions in which an attacker gains access to a system with the goal of stealing data or disrupting a network and remains undetected for an extended period, are on the rise. These attacks are usually intended to steal intellectual property and sensitive data for political or economic gain.
Another increasingly popular avenue of attack is social engineering, where attackers manipulate individuals into divulging sensitive information or performing actions on the attacker's behalf. In July 2020, Twitter became the victim of a coordinated social engineering attack (phone-based spear phishing, according to Twitter) that targeted employees with access to sensitive internal administrative tools. The accounts of famous faces including former U.S. President Barack Obama, Amazon founder Jeff Bezos, Tesla CEO Elon Musk, and rapper Kanye West were compromised and pushed out tweets asking millions of followers to send money to a Bitcoin address as a community donation. Many followers were deceived and sent Bitcoin payments expecting a double return that never arrived. The incident illustrates that the weakest point is often not a software flaw but the people and internal tools with privileged access to a system.
On top of costs related to a cyber attack itself, companies face a potential fine if they are found not to have fully complied with regulation, for example by not promoting a culture of data protection or not reporting data breaches promptly. The implementation of the General Data Protection Regulation (GDPR) means organizations are facing higher penalties for data breaches, with EU regulators able to levy fines of up to 4% of an organization's annual worldwide turnover or €20 million, whichever is higher, for infringements of users' privacy.
The pace of digitalization and data interconnectivity will only increase, driven by trends such as the Internet of Things, social media, fifth generation mobile networks, and Industry 4.0. This means cyber security, cloud, and data protection must be organizations' highest priorities to cope with sophisticated new cyber threats. In this context, we think increasingly more companies will consider cyber insurance to complement wider cyber risk-management strategies.
Cyber Is A Blessing And A Curse For Insurers
In most developed global markets, cyber insurance will become one of the key growth areas for insurers in the next decade, partly because many larger lines of business, such as motor and property, are highly saturated. However, market penetration has remained relatively low, despite the area being among the largest risks for organizations globally. The estimated yearly economic costs of cyber crime already exceed $700 billion, but insured cyber losses are still very small at below $5 billion.
In comparison, total economic losses from natural and man-made disasters in 2019 totaled about $140 billion, with $56 billion insured, according to Swiss Re. This indicates the untapped potential of the cyber insurance market.
Currently, commercial and private cyber insurance premiums total about $5 billion, and we expect this to increase 20%-30% per year on average in the near future. A key avenue for growth will be small and midsize enterprises (SMEs), which have a considerable untapped demand for cyber insurance. In the U.S., cyber insurance growth rates for SMEs were more than double those for other industry segments in 2018 and 2019. In our view, this is an important development that will gradually improve the risk diversification of insurers' exposure.
Chart 1
More broadly, cyber insurance market growth will depend on how insurers tackle associated challenges.
We believe there are a number of reasons why there is such a huge gap between economic losses associated with cyber attacks and the size of the cyber insurance market (see chart 2).
Chart 2
A key challenge for insurers is accumulation risk. The accumulation of claims within a cyber insurance portfolio can expose an insurer to high financial losses. A severe natural catastrophe can also affect several countries, but it is limited to a certain region. Cyber risks are not limited by geography: self-propagating malware can spread across the globe within hours, as WannaCry did. As proven by attacks like NotPetya and WannaCry, there is significant accumulation potential due to increasing digital interconnectivity and the shared software, service providers, and interfaces along multiple supply chains, where one compromised component can affect many otherwise unrelated policyholders at once.
Uncertainties regarding cyber insurance coverage can arise from nonaffirmative, or silent, cyber risks, which are neither explicitly included nor excluded within insurance policies. As a result, legal disputes can arise over whether a cyber-related loss is covered, and unexpected cyber claims can follow that are not priced into the insurance premium. We have seen insurers improve their handling of this area in 2019 and 2020 following regulatory requests to screen their portfolios for silent cyber risks. Insurers have also developed more robust analytical tools and are gradually transforming silent cyber into affirmative cyber risks using clear and transparent inclusions or exclusions, which we regard as a positive sign. Still, we see a broad disparity between insurance companies that take silent cyber risks very seriously in their underwriting strategies and those with less ambitious silent cyber strategies. Going forward, insurers will need to focus on identifying, quantifying, and modeling silent cyber risks across their portfolios and in their new business to control and minimize the overall accumulation risk and expand sustainably and profitably.
Furthermore, calculating an appropriate price for cyber insurance is more difficult than for other lines of business, given the very dynamic nature of cyber risks and the increasing sophistication of cyber crime. In the U.S., so far the largest and most advanced cyber insurance market with about a 70% share of the global market, profitability is still high, with a combined ratio (loss and expense) of 67% on average over 2017-2019, according to Aon. These market-leading profit levels are backed by an uncertainty premium, but we expect margins to narrow over time. In less developed cyber insurance markets, like Europe and Asia, it is still too early to comment on profitability, but we observe insurers also applying high uncertainty premiums when entering the market while they build more robust data on potential cyber losses. However, historical data can't reliably predict future cyber risk development, because the threat landscape, the attackers' tooling, and the insured companies' own technology all change far faster than the loss history accumulates. This makes underwriting cyber insurance more sophisticated than conventional insurance cover, with the insurer relying heavily on modeling and scenario calculations, as well as qualitative judgement. Given these challenges, cyber insurers have cautiously expanded their coverage, but the approach will need to evolve to support demand growth at a reasonable economic cost.
We also see a lack of transparency and a rigidity in the insurance market that do not fully accommodate customer demands. One issue is uncertainty around coverage elements, given non-uniform definitions of cyber risks and inconsistent terms and conditions, since cyber is often bundled into liability or property lines of business. In some instances, we also see exclusions for certain industries, such as critical infrastructure or financial services companies, and for certain claims, including fake president fraud (where criminals impersonate a company leader and order an emergency bank transfer) or cyber extortion payments. In addition, some insurers cap the maximum payout at a level that is viewed as inadequate protection in the event of a cyber incident. This could lead customers to question the benefits of a cyber policy. The lack of cyber risk awareness, and the difficulty of justifying spending when the company hasn't been attacked, especially among SMEs, are other growth constraints.
In our view, cyber risk awareness has increased rapidly, spurred by organizations' reliance on data and IT systems and further accelerated by the COVID-19 pandemic. Demand rises when cyber incidents get media attention and an increasing number of organizations are starting to see cyber as a severe risk. As a result, investment in cyber risk management, including cyber insurance coverage, is rising.
For insurers, this demand means huge opportunities but also large risks. In particular, they need to understand the complexity and dynamics of cyber insurance to successfully and efficiently provide coverage.
The Future Of Cyber Insurance Is More Than Just A Payout
Cyber incidents and data breaches have become a part of daily life. The threat is evolving dynamically, creating a constant race between attackers finding and exploiting system flaws and defenders patching them. However, whether, or to what extent, an attack becomes a cyber insurance claim depends on the policyholder's cyber risk-management framework. Many claims arise because a cyber security strategy was absent or not sufficient to withstand an attack.
For companies, a cyber incident can lead to, among other outcomes, business interruption, ransom payments, a drop in reputation, and a potential fine from the regulator. This can mean several adverse consequences as companies rebuild databases and take care of reputational and operational damage.
In our view, cyber insurance needs to offer more than just pure compensation for a potentially significant financial loss. Insurers can provide additional value by providing assistance services and helping policyholders better handle cyber risks. This would provide a key benefit to the policyholder, enable insurers to differentiate themselves from competitors, and help reduce the frequency and severity of cyber claims. More efficient cyber prevention and sophisticated management in a claims scenario heavily correlate with a lower claim cost and are therefore also a key advantage for an insurer.
We believe cyber insurers can also act as an orchestrator by building an ecosystem of internal and external expertise to prevent cyber claims, or investigate any attacks for a policyholder quickly.
Chart 3
This includes comprehensive IT expertise and services associated with prevention measures, crisis management, and data recovery. Transparent and proper legal and crisis communication is also key to avoid or minimize regulatory fines, third-party legal claims, and reputational damage.
The cyber insurance market is to a large extent still dependent on third-party cybersecurity companies and law firms to provide these services, but larger insurers have already started to build up expertise and have hired IT experts from renowned cybersecurity firms.
By building this ecosystem, cyber insurance providers can bring significant added value to the insured party and play an important role in improving cyber resilience. We believe the digitalization boost linked to the COVID-19 pandemic will allow insurers to develop comprehensive cyber risk-management strategies together with policyholders. Insurers should also take up the role of educating policyholders about cyber risks to further enhance awareness.
However, if insurers only focus on compensation for claims, we see less potential to develop a sustainable and profitable cyber insurance market in the mid-to-long term.
The Implications For Our Ratings
On the one hand, cyber risk can be an operational risk for insurers, given the huge amount of sensitive data they handle. We could change our assessment of an insurer's governance framework if we observe insufficient cyber risk management, including a potential inability to identify and detect cyber risks, a lack of prevention measures, and an inadequate cyber claim response strategy.
On the other hand, cyber insurance providers are exposed to cyber risks through the policies they write: standalone first- and third-party cyber coverage and cyber coverage packaged into another policy (affirmative cyber risks), as well as implicit silent cyber coverage (nonaffirmative cyber risks).
We believe that the coming decade will be a game changer for the cyber insurance industry if insurers can tackle the associated challenges. In particular, the accumulation risk we consider in our risk exposure assessment could increase significantly due to the complex and dynamic risks providers are exposed to. To successfully write cyber insurance on a larger scale and generate profitable long-term growth, insurers need to create an ecosystem combining internal and external expertise and providing the best benefits to policyholders.
Chart 4
Should an insurer aggressively expand in the cyber market without proper expertise it could change our risk exposure assessment, especially if we believe this higher cyber exposure could lead to capital and earnings volatility. That said, building a strong ecosystem early on may lay the foundation for an improved competitive position and higher profitability. Therefore, we will closely monitor rated insurers' expansion in this area and how they deal with the challenges and potential large interrelated losses associated with cyber insurance.
Related Research
- Cyber Risk Management For U.S. Municipal Utilities Should Be Routine And Requires Vigilance And Flexibility, Feb. 3, 2020
This report does not constitute a rating action.
Primary Credit Analyst: Manuel Adam, Frankfurt (49) 69-33-999-199; manuel.adam@spglobal.com
Secondary Contact: Simon Ashworth, London (44) 20-7176-7243; simon.ashworth@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.