articles Ratings /ratings/en/research/articles/220726-cyber-risk-in-a-new-era-the-rocky-road-to-a-mature-cyber-insurance-market-12437830 content esgSubNav
In This List
COMMENTS

Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market

COMMENTS

Insurance Industry And Country Risk Assessment: Global Property/Casualty Reinsurance

COMMENTS

Insurance Brief: Flash Floods In Spain Have Limited Effect On Insurance Ratings

COMMENTS

Evolving Risks In North American Corporate Ratings: Artificial Intelligence, Cyberattacks, And Blockchain

COMMENTS

Cyber Risk Insight: Poor Cyber Vulnerability Management Can Be A Governance Issue


Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market

Table 1

image

Table 2

image

Awareness of the risks posed by cyber attacks has never been greater. A survey of senior executives, conducted by Munich Re in 2022, found that 38% of so-called C-level managers are "extremely concerned" by cyber threats, up from 30% in last survey. Add in senior executives who identify as "concerned" and the percentage rises to 70%.

That is no surprise. Cyber risk awareness has grown in waves, increasing suddenly as incidents get media attention. But there has also been a general rising tide of awareness, driven by organizations' increasing reliance on data and IT systems, which accelerated with the COVID-19 pandemic.

Those growing concerns have come with a parallel increase in mitigation efforts, and thus increased investment in cyber risk management, including in cyber insurance. Such insurance policies have become a central component of companies' cyber risk management, offering a route to recovery from a cyber attack or data breach via financial compensation for costs associated with IT services, digital forensic analysis, business interruption, equipment damage, legal costs, and fines.

Cyber insurance premiums topped $9 billion in 2021, according to Munich Re. That figure is likely to increase at an average 25% per year to about $22.5 billion by 2025, according to S&P Global Ratings.

That growth might seem to be a sign of a burgeoning cyber insurance market, but rising rates accounts for much of the increase in total premiums (see chart 1) over the past two years, rather than an increase in the number or size of insurance contracts. Improvements in risk modeling will be necessary if further growth is to reflect increased market capacity, driven by (re)insurer's greater risk appetite, rather than still higher rates underpinned by a supply-demand mismatch due a reluctance to take on new risk.

Chart 1

image

The significant increase in premiums over the past two years (see chart 2) stems partly from an increasingly cautious approach to underwriting cyber risks by insurers eager to protect margins and remain within their risk limits. It has also led to complaints that cyber insurance has become unaffordable, especially for small and midsize enterprises. That, in turn, has led some companies and government entities to eschew, or drop, cyber coverage--a course of action that offers upfront cost savings, but which we believe could also make recovery from a cyber attack more difficult, and thus potentially have implications on issuer credit profiles.

Chart 2

image

Price fluctuations are likely to be an ongoing characteristic of the cyber insurance market. These will arise from the emergence of new risk differentiation models and variable pricing that incorporates emerging cyber security standards and improvements in cyber security systems. This variability has become a key pillar of (re)insurers' efforts to create sustainable cyber insurance products. It has also, in some instances, led to the cancellation of contracts where policyholders have failed to meet security standards and thus an acceptable risk-return profile for (re)insurers.

Insurers have also realigned contract terms and conditions, increased retention levels (meaning more risk remains with policyholders), and reduced coverage for specific types of loss (known as sublimits), especially in relation to ransomware and business interruption coverage. Those changes partly derive from the significant number of insurers whose loss ratios have sharply increased, mainly due to larger and more frequent ransomware-related claims.

The wariness is also justified by the systemic risk that comes from interconnected digital services and infrastructure. That exposes (re)insurers to risk accumulation--not least because a single cyber event could simultaneously affect a considerable number of policyholders. Significant improvements in scenario modeling have highlighted this danger, the need for improved portfolio management, and shown how a major cyber event could result in damages worth multiples of the estimated size of the entire cyber insurance market.

We are monitoring the development of accumulation risk management at our rated insurers. Specifically, we would consider that an overly aggressive expansion into the cyber insurance market, without effective risk controls, could be detrimental to insurance companies' risk exposure and their capital and earnings positions.

The Multifaceted Response To Ransomware's Threat

Ransomware attacks were the major drivers of higher loss ratios, and consequently cyber insurance price increases over 2020 and 2021. The number of ransomware attacks increased 232% from 2019 to 2021 (see chart 3), bolstered by new trends including: subscription-based access to ransomware software (known as ransomware as a service, or RaaS); an uptick in supply chain and critical infrastructure attacks; double extortion attacks (where hackers steal and encrypt data); and increased targeting of unpatched systems.

Chart 3

image

In its simplest form, a ransomware attack usually involves hackers demanding money in exchange for decrypting or returning a company's data. Yet ransomware can trigger a host of other losses covered by cyber insurance policies including payments linked to business interruption, data recovery, IT forensic costs, regulatory investigations, and fines. Those secondary effects have prompted insurers to analyze ransomware claims to better understand vulnerability patterns in successful attacks. That has given rise to more comprehensive questioning of policyholders, innovation in risk assessments during underwriting, and raised the threshold for accepting new risks.

The insurance industry is also reacting to this complexity by building a broader cyber risk ecosystem that includes consulting services to help clients deal with ransom demands, legal advice, forensic IT services, advice on back-up solutions and resilience consulting, and 24/7 incident reporting services (76% of ransomware attacks occur outside office hours, according to cyber security vendor FireEye).

The creation of this ecosystem should ultimately shift insurers' role from that of simple insurance provider to cyber solutions provider (see "Cyber Risk in A New Era: Insurers Can Be Part Of The Solution," published on Sept. 2, 2020). That initiative may already be reaping rewards. The average payment following a successful ransomware attack declined to about $211,000, in the first quarter of 2022, down 34% from a peak in the fourth quarter of 2021, according to ransomware research group Coveware.

Chart 4

image

Some of that decline in average ransom payments (see chart 4) appears to stem from companies refusing to pay their attackers, though increased targeting of smaller companies is also likely to have contributed. Nonpayment of ransom demands was 54% in the first quarter of 2022, up from 15% two years earlier, according to Coveware (see chart 5). We believe that both the increase in nonpayment and the decline in the average ransom payment underscore a diminishing sense of powerlessness among victims, following investment in employee awareness, technological defenses, and operational resilience. We also note that legislators in some countries' have begun debating whether ransomware payments should be banned outright.

Chart 5

image

Strict Underwriting Will Dominate The Market

A combination of policyholder education, the provision of services to reduce claim values, and policy rate adjustments means ransomware shouldn't be an existential threat to the cyber insurance sector. Yet making a steady profit from cyber will remain challenging for insurers. That was underscored by the worse-than-expected results from insurers' cyber operations in 2021, which led to increased hesitancy to underwrite larger risks and to some insurers reducing their risk appetite. That caution, and the resultant shift in underwriting strategies, has been exacerbated by the Russia-Ukraine conflict, and concerns that it could lead to an uptick in cyber attacks, even if that has not materialized yet.

Amid this elevated level of vigilance, it has become common practice for insurers to decline requests for cyber cover if a potential policyholder lacks comprehensive IT system back-ups, endpoint detection technology, a protocol that ensures ongoing patching of IT systems, defined cyber attack response measures, or multifactor authentication.

Insurers have also expanded their own operations to include real-time monitoring of new threat actors and new and emerging attack tactics. This monitoring now regularly feeds into the standardized information and system security questions that are used by insurers to assess risk. We regard this favorably and believe it should enable better assessment of the underlying risk dynamics of policyholders and potential clients.

We also believe that insurers that understand their clients' business models, and marry that with an ability to analyze evolving threats, will be better able to help policyholders develop protective measures and resilience. That is likely to prove a competitive advantage in attracting new business, and in avoiding so-called "silent cyber" risk (see "Cyber Risk In A New Era: Let’s Not Be Quiet About Insurers’ Exposure to Silent Cyber," published March 2, 2021), and thus ultimately improve underwriting profitability.

Clear Terms and Dynamic Contracts

We expect that the road to improved underwriting of cyber insurance will be signposted by clear and precise policy wording that mitigates evolving risks. The big challenge for (re)insurers in developing this wording lies in the need for continual reassessment of shifting risk exposures, which necessitates dynamic contract conditions and coverage concepts--both of which are likely to be enduring characteristics of the cyber insurance industry.

The need for clearer terms in contracts has been highlighted in recent months by the threat of spillover (deliberate or accidental) from cyber attacks linked to the Russia-Ukraine conflict. At the heart of the issue are so-called war exclusions, which were designed to exclude claims arising from physical or kinetic war, but which have proven ill-suited to the context of cyber warfare. Notably, a traditional definition of war implies conflict between two nation states, while cyber attacks are often conducted by non-state actors, or in such a way that proving a state's role can be difficult. That opens the door to policyholders claiming for damages that are part of a conflict, or to insurers seeking to apply war exclusions to cyber claims simply because there is a major conflict underway.

The lack of clarity surrounding war exclusions (and the risks of silent cyber) were at the heart of the dispute, between ACE America Insurance and Merck, which arose after the latter claimed for losses due to the June 2017 NotPetya ransomware attack. Merk claimed against an all-risk property insurance policy that covered physical loss or damage to electronic data and software, but was denied by ACE, which asserted that NotPetya was part of a "hostile or warlike action" and thus excluded. The resulting legal battle concluded in January 2022, when the Superior Court of New Jersey ruled Merck was right to anticipate that the exclusion applied only to traditional forms of warfare and not cyber attacks.

Quality Not Quantity

We believe that insurers should focus on quality, in the context of cyber insurance wording, rather than quantity. A proliferation of imprecise cyber war exclusions could hurt the development of a sustainable cyber insurance market, which is in no one's interest.

Thankfully, the industry has begun to respond to that need for precision. In December 2021, Lloyd's of London announced the introduction of a new framework for cyber war exclusions, which applies different levels of exclusions in an effort to avoid ambiguity, while also maintaining some flexibility. Under the framework, all insurance policies written at Lloyd's must exclude losses due to war, in line with its requirement, but clauses can differ in the degree to which they exclude losses due to state-backed cyber operations (see table 3).

Table 3

Lloyd's Of London Exclusion Clauses
War, Cyber War, and Cyber Operation Exclusion No. 1 (LMA5564):
Excludes losses from war and all cyber operations* attributed to a nation state§.
War, Cyber War and Cyber Operation Exclusion No. 2 (LMA5565):
Coverage for losses that are NOT due to cyber operations that either: (1) are retaliatory between specific states† or (2) have a major detrimental impact to the functioning of the state. Insurance cover up to specific limits, per event or in aggregate per year. Unless an amount is specified, there shall be no coverage for any cyber operation(s).
War, Cyber War and Cyber Operation Exclusion No. 3 (LMA5566):
Coverage for the same losses as defined in Exclusion No. 2, but without the coverage limits.
War, Cyber War and Cyber Operation Exclusion No. 4 (LMA5567):
Covers effects on "bystanding cyber assets‡" in addtion to the coverage provide by clause No. 3.
*Cyber operation--The use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of, or in, another state. §State--Sovereign state. †Specified states--China, France, Germany, Japan, Russia, U.K. or U.S. ‡Bystanding cyber asset--A computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation. Source: Lloyd’s Market Association, S&P Global Ratings.

The Lloyd's framework is a step in the right direction but is likely to require further refining. Key terms, such as "retaliatory" and "major detrimental impact," are not defined in the exclusion policies, and thus open to interpretation. We also worry that too many choices could lead to unnecessary heterogeneity, contributing to a lack of consensus over the treatment of cyber war exclusions. And questions remain about how the new clauses will interact with existing exclusions, which supports the case for standalone cyber insurance policies that provide clarity of coverage.

Yet by offering a range of standard exclusions, the framework could improve policy transparency while helping insurers to adapt exposure to their risk appetite, all of which we consider to be positive for the cyber insurance market.

There are other vexing issues that the market still needs to confront with relation to cyber war exclusions, including who bears the burden of proof in establishing the origins of a cyber incident, the extent of state involvement, and the relevance of an attack to a conflict's aims. Such questions must be answered, and not least because demand for cyber insurance will continue to increase.

A stable market is in the interest of policyholders, who will benefit from greater certainty of coverage and lower costs, and insurers, who will be better able to match products to their risk appetites while also reducing the volatility of returns.

We believe clearer policies will be at the forefront of those efforts, but that it will also necessitate a deeper understanding of how ransomware drives losses, improvements in scenario modeling, better management of risk accumulation, and disciplined underwriting. Insurers that aggressively expand in the cyber market without that expertise will expose themselves to increased capital and earnings volatility that could lead us to change our assessment of their operations.

Related Research

This report does not constitute a rating action.

Primary Credit Analyst:Manuel Adam, Frankfurt + 49 693 399 9199;
manuel.adam@spglobal.com
Secondary Contacts:Tiffany Tribbitt, New York + 1 (212) 438 8218;
Tiffany.Tribbitt@spglobal.com
Simon Ashworth, London + 44 20 7176 7243;
simon.ashworth@spglobal.com
Koshiro Emura, Tokyo (81) 3-4550-8307;
koshiro.emura@spglobal.com
David S Veno, Princeton + 1 (212) 438 2108;
david.veno@spglobal.com
Jesse Capaul, Centennial 303-721-4588;
jesse.capaul@spglobal.com
Alexandra Filatova, Dubai + 7 49 5783 4061;
alexandra.filatova@spglobal.com
Olivier J Karusisi, Paris + 44 20 7176 7248;
olivier.karusisi@spglobal.com
Celio P Neto, Sao Paulo +55 11 3039 4827;
Celio.Neto@spglobal.com
Mariana Bisteni, Mexico City +52 5550814443;
mariana.bisteni@spglobal.com
Mauricio Ponce, Mexico City + 52 55 5081 2875;
mauricio.ponce@spglobal.com
Research Contributor:Ruchika Agrawal, CRISIL Global Analytical Center, an S&P Global Ratings affiliate, Mumbai

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in