Key Takeaways
- Insurance is an important part of an organization's cyber risk management, and USPF issuers need to adapt to changing requirements and costs, or they may be unable to acquire insurance
- Premiums are rising rapidly while inflation is pressuring budgets
- Increasingly more USPF entities will consider cyber insurance to complement wider cyber risk management strategies
- However, insurance is only one element of cyber risk management: issuers will never be able to remove cyber risk entirely, and insurance will not replace good security practices
- We view cyber insurance or similar dedicated resources to mitigate financial losses from a cyber attack as a demonstration of cyber preparedness
When analyzing an issuer, S&P Global Ratings views insurance as just one component of risk management. Insurance is one of the most dynamic areas of risk management and is changing rapidly, testing issuers from both an IT infrastructure and a cost perspective. Across the insurance industry, we've seen gradual shifts in cyber coverage premiums and other eligibility requirements, and we believe U.S. public finance (USPF) issuers should consider all of these elements when building their cyber security programs. We've heard from issuers we rate that costs are increasing, in some cases to a level where certain entities, usually smaller ones, have decided to forgo insurance altogether or to explore other means of coverage. Cyber security is an ever-evolving credit risk, and we'll continue to monitor this complex insurance component of it.
Insurance Demand
Insurance providers can play an important role in improving the network resilience of policyholders by providing an ecosystem (see chart 1) of cyber services, such as IT expertise, crisis management, and data recovery, to prevent claims or to investigate an attack on a policyholder quickly. Still, many insurers restrict coverage for systemic risks, such as those relating to compromised software infrastructure or cyber attacks deemed acts of war, and impose higher retention levels on public entities or coinsurance requirements for ransom payments, which could make it more difficult for public entities to be fully compensated in such a scenario.
Chart 1
Demand for cyber insurance has been increasing but limited capacity on the supply side has led to rapidly rising premiums, as well as adjustments in coverage, terms, and conditions. Globally, cyber insurance premiums reached almost $12 billion in 2022, according to Munich Re. In our view, that figure is likely to increase at an average of 25% per year to about $23 billion by 2025 (see chart 2). The growth of the past two years might seem to be a sign of a burgeoning cyber insurance market, but rising rates accounted for much of the increase in total premiums, rather than an increase in the number or size of insurance contracts.
Chart 2
Cyber insurance rate increases have decelerated recently (see chart 3). According to the Council of Insurance Agents and Brokers, the average premium increase fell below 20% for the first time in six quarters, to 15% in fourth-quarter 2022 and 8.4% in first-quarter 2023. This is down from a peak of 34.3% in the last quarter of 2021, indicating improved profitability for insurance companies underwriting cyber insurance.
Chart 3
The market remains tough but the cyber insurance industry has improved slightly due to:
- Enhanced risk management capabilities;
- New capacity as insurers and innovative managing general agents continue to enter the market;
- Policyholders improving their network hygiene to prevent data breaches (through protection of sensitive data, backups, encryption, patch management, multifactor authentication, and so forth); and
- Better understanding of ransomware, following investment in employee awareness, technological defenses, and operational resilience, taking pressure off the claim dynamic.
The insurance industry has improved cyber risk management and gone through a period of portfolio optimization. This puts it in a more sustainable position to underwrite a higher number of risks, which could lead to a material increase in the number of contracts. For more information, see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022, on RatingsDirect.
Insurance Is A Key Part Of An Issuer's Risk Management Strategy
We incorporate our view of an issuer's cyber security preparedness into our overall assessment of risk management, looking at how an issuer prepares for, responds to, and recovers from cyber attacks (for more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021). Cyber insurance can be a critical part of an issuer's response plans and its ability to recover from an attack. Given the change in the insurance market, it may seem that USPF issuers face elevated risks; however, insurance is just one element of an organization's holistic cyber risk management strategy. A lack of insurance can be partially mitigated by strong practices in other areas, such as rapid detection, which can disrupt the cyber attack lifecycle; comprehensive training; strong IT asset management; and robust continuity of operations planning, with adequate backups and other measures to ensure a rapid recovery in the event of an attack. Furthermore, some issuers are relying on self-insurance or other dedicated financial resources to assist with response and recovery after an attack.
The Credit Implications Of Insurance
We consider cyber insurance under various management principles in our USPF criteria. In our view, insurance is just one component of an entity's risk management stance. However, a lack of insurance, self-insurance, or other dedicated resources to mitigate the financial effects of a cyber attack could negatively affect our view of an entity's management profile, particularly if it reduces the issuer's ability to adequately respond to and recover from an attack. Mitigating factors could offset this view, including robust preparation practices such as active IT asset management, an engaged management team with leadership that quickly adapts to a changing threat landscape, or significant liquidity. For more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance."
For USPF Issuers, Getting Cyber Insurance Is Difficult But Not Impossible
Because costs and system requirements are rising, issuers are taking other routes for insurance protection, such as joining a municipal pool, like the Texas Municipal League, or even using self-insurance for cyber security.
For cyber insurers, losses have increased significantly in the public sector. Cyber incidents and data breaches have become a part of daily life. Threats are evolving as attackers relentlessly exploit system flaws and defenders patch them.
Governments and public agencies make an attractive target for cyber criminals. For example, a city or town delivers essential services and might store and use confidential and sensitive data. As a result, USPF entities often fit attackers' target criteria. At the same time, issuers might have fewer cyber security staff and limited budgets dedicated to cyber security, along with aging networks. Public entities can't afford for their systems to be offline. That's why attackers often use ransomware: they believe many public organizations will pay a ransom. The Sophos State of Ransomware 2023 report indicates that in 2023 a higher proportion of U.S. local governments paid ransoms above $1 million than in 2022, and that 34% of organizations reported paying ransoms to recover data.
The Cyber Insurance Ecosystem
For any organization, a cyber incident can lead to service interruption, ransom payments, a drop in reputation, and potential fines from regulators or state governments. This can mean several adverse consequences as organizations rebuild databases and manage reputational and operational damage. Especially for public entities with limited cyber security staff, we believe cyber insurers can act as an orchestrator by building an ecosystem of internal and external expertise to prevent cyber claims and investigate attacks quickly.
Public entities will continue to face hurdles in obtaining cyber insurance in the form of increased coverage requirements and higher costs. Insurers that still offer coverage are making it harder to obtain: high premiums, very detailed questionnaires, and comprehensive web screenings of an applicant's internet-facing systems make applying for a policy complex. However, the upside is that by meeting an insurer's requirements, an organization's network becomes more secure.
We expect insurers will continue focusing on risk differentiation by incorporating security standards in the underwriting process and linking improvements in organizations' information security to pricing consideration for cyber insurance contracts, especially in the public sector. That means organizations with a more resilient cyber security strategy will receive better insurance rates, which could motivate them (as policyholders) to fortify their cyber hygiene.
Third-Party Vendors Aren't A Quick Fix Or Substitute For Good Practices
Third-party vendors, including IT suppliers, are convenient for issuers, especially those with limited cyber security resources or limited insurance options. However, when these vendors are used, management teams should review their cyber security insurance policies and verify whether any coverage extends to the vendor, as part of their assessment of outsourcing risks and the development of risk management plans. Management teams need to understand three things: how a cyber threat or breach at the third-party vendor would affect the issuer; whether the vendor's insurance policy protects the outsourcing entity; and whether the entity's own insurance policy covers the damages it might face as a result of the third party's breach. Although third-party vendors are convenient, they aren't a substitute for healthy cyber hygiene practices, because they present additional risks. For more information, see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?" published Oct. 25, 2021.
Federal Help Could Be On The Way
In the U.S., recent federal strategies, including the National Cybersecurity Strategy and the companion National Cyber Workforce and Education Strategy, support proactive cyber security practices. In addition to cyber education, skill building, and workforce development, a notable element is the proposal to explore a federal cyber insurance backstop that would respond to a catastrophic cyber event. With such a backstop in place, some of the risk of coverage could be transferred to the U.S. government, potentially increasing private insurers' willingness to insure additional entities. This could provide some relief to USPF issuers that have faced difficulty obtaining cyber security insurance; however, with higher demand for insurance, insurers are likely to raise minimum cyber hygiene standards for policyholders, thereby raising cyber-related costs for issuers. For more information, see "Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost," published Aug. 3, 2023.
In some sectors, such as public power, more established regulations exist. Of note, public power utilities must comply with the Critical Infrastructure Protection (CIP) reliability standards developed by the North American Electric Reliability Corp., which focus on the bulk electric system. For more information, see "Cyber Risk Insights: Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark," published May 11, 2023.
Insurance is progressing beyond financial compensation for damages to also provide recovery services and assistance in handling an attack. As threats evolve, issuers need to enhance their protection with insurers, all while fitting these expenditures within a limited budget. S&P Global Ratings will continue to monitor changes in the cyber insurance market and how they could affect USPF issuers' credit quality.
Related Research
- Global Cyber Insurance: Reinsurance Remains Key To Growth, Aug. 29, 2023
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
- Cyber Risk Insights: Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark, May 11, 2023
- Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
- Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain, Aug. 24, 2022
- Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market, July 26, 2022
- Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market, Sept. 29, 2021
This report does not constitute a rating action.
Primary Credit Analysts:
- Alex Louie, Englewood, +1 (303) 721 4559; alex.louie@spglobal.com
- Manuel Adam, Frankfurt, +49 693 399 9199; manuel.adam@spglobal.com
- Mallie Lange, Austin, +1 (214) 765 5861; Mallie.Lange@spglobal.com
Secondary Contacts:
- Geoffrey E Buswick, Boston, +1 (617) 530 8311; geoffrey.buswick@spglobal.com
- Tiffany Tribbitt, New York, +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.