Key Takeaways
- Annual cyber insurance premiums are likely to increase by 15% to 20% per year to a total of about $23 billion by the end of 2026, up from about $14 billion at the end of 2023.
- Both the cyber primary insurance and reinsurance markets currently have solid margins, supporting S&P Global Ratings' view that the global cyber insurance industry is stable, despite growing competition and the increasing sophistication, severity, and frequency of cyber incidents.
- Cyber insurers will help guide policyholder refinements to their cyber security frameworks over the next two years, while ensuring concise policy wording and pursuing selective rate adjustments to preserve adequate margins.
S&P Global Ratings' stable view of the global cyber insurance and reinsurance industry is supported by its solid underwriting profitability in 2023 and 2024, and our expectation that this will continue over 2025. The industry is still benefiting from substantial increases in rates on cyber insurance and a tightening of the terms and conditions on cyber policies, which was mainly implemented in 2021 and 2022.
Why it matters: Given the dynamic threat landscape, a combination of stagnant or even declining cyber rates and a sharp increase in underlying cyber claims could quickly result in a material decline in profitability.
Over 2025-2026, it is thus crucial that the cyber re/insurance industry pursues efforts to encourage policyholders to strengthen their cyber security posture; focuses on clear policy wording; selectively adjusts rates; and cautiously manages retentions and insurance limits. The combination of those actions should help safeguard sustainable profitability for the global cyber insurance market and serve to build up capital in line with exposure growth.
Annual cyber insurance premiums are expected to reach about $23 billion in 2026, up from about $14 billion at year-end 2023, with a projected growth of 15-20% annually (see chart 1). The fastest growth rates are anticipated in the Asia-Pacific and Latin America regions, where cyber insurance markets are smaller and less mature than in the United States and Europe. Overall, cyber insurance remains one of the fastest-growing subsectors of the global insurance market, meaning that a key priority will be the development of a sustainable model for insuring cyber risks that both meets rising demand and effectively responds to the rapidly evolving risk landscape.
Chart 1
Over the last two years, re/insurers and managing general agents (MGAs) have entered the cyber insurance market, leading to an increase in capacity and competition, especially in the U.S. Furthermore, following several years of increasing premiums and capacity constraints, the past two years of cyber insurance renewals reflected softening conditions that have led to a lowering of expected growth rates.
Stronger competition has also resulted in lower retention rates and premiums and an easing of required sub-limits for policyholders. We will closely monitor any resulting reduction in margins for a potential negative impact on capital, earnings, and our risk exposure assessment of the insurers and reinsurers we rate that offer cyber re/insurance.
The Scope Of Our Research
While opportunities in the cyber insurance market for reinsurers and insurers (re/insurers) are evidently significant, the extent of the associated underwriting risk is somewhat opaque. To gather insight into that risk, we surveyed global multiline insurers (GMIs), large primary insurers, and reinsurers underwriting cyber re/insurance to assess market growth, profitability, risk appetite, and the types of reinsurance offered.
Insurers and reinsurers are themselves not immune to cyber attacks. Disruption to their operations or data breaches could affect their earnings lines and potentially their capital positions. To better understand that potential impact, we also analyzed re/insurers' cyber exposure using data from Cyence, a cyber risk model provided by security specialist Guidewire.
Widespread AI Adoption Will Increase The Frequency Of Cyber Attacks
AI is accelerating the automation of hacking. That is particularly the case with regard to personalized and tailored phishing and email extortion, which can be efficiently and convincingly translated into multiple languages, enabling scaling across numerous regions. Ransomware-as-a-Service (RaaS), whereby criminals deploy predeveloped ransomware tools, is also expected to increase with the support of AI. The result is likely to be an expansion of cyber criminality as new markets become increasingly accessible and economically attractive.
We expect that understanding the implications of AI for cyber insurance will be a key focus for the industry over the next two years and that the threat landscape will continue to evolve dynamically, shaped by the battle between attackers seeking to exploit vulnerabilities and defenders seeking to close them. That interaction will influence claims development and, consequently, the loss ratios within the cyber insurance industry in the years ahead, as will the industry's own approach to adopting AI tools, notably to effectively evaluate and price emerging risks.
Systemic Risk Remains A Major Challenge
The insurance industry's understanding and pricing of everyday attritional cyber losses encountered by businesses has improved, even as the frequency of claims continues to increase. That said, the modelling of systemic risk and the potential for catastrophic cyber events remains a major challenge. Large-scale cyber incidents, such as coordinated ransomware attacks or widespread malware, could impact multiple businesses simultaneously.
In 2024, evolving privacy regulations contributed to legal uncertainty that created the conditions for a rise in cyber claims. According to Allianz's commercial claims analysis, in the first six months of 2024, the frequency of large cyber claims rose by 14%, while the size of those claims increased by 17%. In addition, ransomware attacks increased in sophistication, and resulting business interruption and extortion proved more frequent, according to Allianz's data. The CrowdStrike outage, caused by a faulty update to cyber security software, affected millions of systems across multiple industries and highlighted software supply chain risks (see box: The CrowdStrike Outage: A Manageable Shock For Insurers).
We are monitoring the development of accumulation risk management among our rated insurers. In particular, we would consider an overly aggressive expansion into the cyber insurance market, without robust risk controls, to be potentially detrimental to an insurer's risk exposure, capital strength, and earnings stability.
The CrowdStrike Outage: A Manageable Shock For Insurers
The CrowdStrike outage's direct financial impact has proven manageable for the insurance industry, with losses primarily stemming from (contingent) business interruption claims and network restoration. Considered in isolation, the outage is thus unlikely to have a material impact on current pricing in the cyber insurance market. But the situation could have been far worse if the incident had been malicious.
Over the longer-term, an increased perception of risk could lead to higher demand for cyber insurance, as companies look to protect themselves against potential losses from similar incidents. We expect the outage will also encourage businesses to diversify their cyber security strategies by relying on multiple providers instead of just one. Such diversification could affect how insurers evaluate risk and design their policies. Additionally, insurers could develop new products specifically designed to cover risks associated with third-party service outages.
Insurers are likely to increasingly re-evaluate the risks for companies that rely heavily on third-party cybersecurity providers like CrowdStrike. Where the potential for an outage is perceived as a vulnerability, that could lead to adjustments in premiums or policy terms. The resilience and contingency plans of providers may also be scrutinized more thoroughly, which could lead to stricter policy requirements.
At the same time, many insurers were directly affected by the CrowdStrike outage. The overall average impact on insurers' operations was manageable. However, the event reinforced the need to continuously protect confidential and sensitive data and business operations.
Non-US Markets Are Fueling Cyber Insurance Expansion
Insurance limits vary, and underwriting requirements are adapting to evolving threat landscapes in the various global regions. Non-US markets are currently playing a significant role in driving growth, amid heightened awareness and regulatory demands for cyber hygiene. The cyber cover penetration gap will drive demand for protection due to elevated cyber awareness (across small and midsize enterprises (SMEs), larger organizations, and critical infrastructure) and evolving regulation, in particular with regard to data privacy.
In the primary cyber insurance market, Latin America and Asia-Pacific have witnessed the highest growth rates in premiums over the past five years (see table 1). Cyber insurance markets are larger and more mature in North America and Western Europe, which explains the lower growth rates in these markets.
Table 1

Regional growth in cyber re/insurance markets has driven premium increases

Gross premium written growth (%)

| Region | CAGR 2019-2023 (%) primary insurance | CAGR 2019-2023 (%) reinsurance |
|---|---|---|
| North America | 35% | 57% |
| Europe, Middle East, and Africa | 35% | 53% |
| Asia-Pacific | 68% | 69% |
| Latin America | 88% | 53% |
| Total | 38% | 56% |

Data is based on our cyber insurance survey of global multiline insurers and large reinsurance groups. CAGR--Compound annual growth rate. Source: S&P Global Ratings.
Rates in the U.S. were almost stable over 2024, with rate adjustments of 0.2% to 1.6% over the period from Q3 2023 to Q2 2024. That results from ample market capacity and a competitive environment that created a more buyer-friendly cyber insurance market characterized by decelerating primary cyber insurance rate increases. The average increase in cyber insurance premiums fell below 1% over Q1 2024, down from an average increase of above 20% in 2022 and a peak of 34.3% in the last quarter of 2021, according to the Council of Insurance Agents and Brokers (see chart 2).
Chart 2
Based on our cyber insurance survey, North America accounts for about 51% of gross premiums written (GPW) on affirmative cyber insurance--which explicitly covers cyber risk; Europe, the Middle East, and Africa (EMEA) about 38%; Asia-Pacific (APAC) 9%; and Latin America (LATAM) 3% (see chart 3). We expect the relative share of the U.S. to gradually fall and, especially, APAC and LATAM to increase over 2025-2026.
Chart 3
Cycle Management Will Be Key For Cyber Insurers Over 2025-2026
The primary cyber insurance segment's rate increases and tightening of terms and conditions in 2021 and 2022 have paid off. In 2023, the net combined ratios of global insurers in the primary insurance segment remained relatively stable at 75%-88%, depending on the region, indicating strong underlying technical profitability (see chart 4).
Chart 4
The cyber insurance industry is currently navigating a soft rate environment. This line of business is still young compared to other lines of business. As a result, price fluctuations are likely to be an ongoing characteristic, not least due to the emergence of new risk-differentiation models and cyber security standards, alongside improvements in cyber security risk management frameworks.
On the one hand, underwriting requirements are dynamically changing. There is a clear trend towards using more sophisticated models and tools that enable data-driven scenario analysis. For example, quantitative underwriting involves gathering signals and data, including internal and external security data, enterprise statistics, and supply chain data, including loss and exposure information. This enables more individualized risk underwriting and decision making at a portfolio level, including forward-looking scenario analysis. It also facilitates quantitative comparisons of quality within portfolios and facilitates better capture of changes in cyber risk dynamics that, ultimately, improves confidence in the market.
The increased focus on advanced risk-selection technologies and claims management (including incident response and even specialized ransomware response teams) is helping to make the cyber insurance industry more sustainable and propelling its development. We consider the current margins to be sustainable and expect this will contribute to market development and the ongoing accrual of reserves for long-tail events.
On the other hand, the industry is facing large increases in the frequency and severity of claims and increasing competition. The resultant potential for stagnating rates, or rate reductions, could quickly lead to insufficient margins. We will be closely monitoring progress in modelling and the cycle management of cyber insurers over 2025-2026, including pricing levels, the competitive landscape, underwriting discipline, and policy wording.
Cyber Insurance's Growth Will Continue To Rely On Reinsurance's Ability To Provide Capital
In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market (see "Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market," Sept. 29, 2021). Cyber insurers use a significant amount of reinsurance, with primary insurers, on average, ceding around 56% of cyber insurance premiums to reinsurers in 2023, according to our survey (see chart 5). The reinsurance market will remain extremely important in providing capital and capacity to support further revenue growth.
Chart 5
Cyber reinsurers' average net combined ratio underperformed the primary insurance segment over the last three years. However, in 2023, strict underwriting and higher rate adjustments, compared to primary cyber insurers, helped reinsurers to achieve underwriting profitability in their cyber portfolios, with a net combined ratio of 89% for 2023, compared to 99% in 2022, and 104% in 2021 (see chart 6). We expect this trend continued in 2024, leading to currently sustainable margins for cyber reinsurers.
Chart 6
Most affirmative cyber insurance is still ceded (sold on to reinsurers) on a stand-alone, proportional basis, where reinsurers pay a share of the losses as a quota share. That quota share was about 76% in 2023 (see chart 7). A combination of improved profitability and cyber underwriters that are better equipped to manage and absorb attritional losses has seen reinsurers move toward excess-of-loss treaties (which pay compensation for losses that exceed a specified limit) that focus on high-severity events. This could be an early sign of a maturing cyber reinsurance market. Overall, we forecast rising demand for event-based structures, like event excess-of-loss reinsurance, and aggregate stop-loss agreements, especially from larger insurance groups.
Chart 7
Currently, most of the capacity for cyber reinsurance comes from large and specialty carriers. However, in the coming years, we anticipate this concentration will decrease as more reinsurers enter the market and as existing players gradually raise their insurance limits to expand their cyber product offerings. This shift should enhance diversification in both treaty and facultative markets, while also fostering advancements in quantitative modeling, scenario analysis, and data quality.
Re/Insurers' Operations Are Also Exposed To Cyber Threats
Like other industries, insurers and reinsurers are exposed to operational cyber risks, including interruption of IT systems, outages of dependent third-party IT services, data breaches, defense costs, liability for security events, and ransomware attacks. We consider that the vulnerability of insurers to cyber attacks is increasing, driven by the sector's digitalization and the greater adoption and concentration of shared network infrastructure and service providers. The CrowdStrike outage impacted insurers and reinsurers, with some (re)insurers forced to suspend web-based services as a result. However, on average, the outage did not have a significantly negative direct impact on the industry.
We continue to believe that, on average, global multiline insurers and reinsurers can manage their direct cyber risk exposure, thanks to their sophisticated enterprise risk management, robust capital, the regulatory oversight they are subject to, and the insights they gain through underwriting cyber insurance. However, we remain wary of the possibility that a direct cyber attack could affect re/insurers, and that a significant event could cost them a significant portion of their average annual earnings.
Large-Scale Data Breaches Are A Concern For Re/Insurers
So far, cyber incidents have had minimal impact on the creditworthiness of global re/insurers. However, that could change rapidly and dramatically. Cyber criminals are rapidly becoming more sophisticated, and insurance companies are attractive targets for attacks due to the large amounts of valuable customer personal information they hold.
Events have highlighted the risks posed to insurance groups:
- In February 2024, U.S.-based Change Healthcare, part of UnitedHealth Group, suffered a ransomware attack by a threat actor known as ALPHV/Blackcat. Change Healthcare's system was disconnected from its parent group to contain the cyber attack, resulting in disruptions to insurance claim processes that affected patients and healthcare professionals across the U.S. (see "Bulletin: Cyber Attack At Change Healthcare Poses Reputational Risks For UnitedHealth Group Inc.; Uncertainties Remain," March 11, 2024). The financial cost of the attack is expected to be about $2.2 billion this year (based on Q3 2024 guidance), which we consider manageable for UnitedHealth. While most processes and products have been fully restored, we consider that the event exposes the company to increased reputational risk. The outages at Change Healthcare also highlighted the interconnected nature of the healthcare system and how an attack can cripple the industry at large.
- In March 2021, U.S.-based CNA Financial Corp. discovered a cyber security breach, prompting it to launch swift remediation efforts focused on identifying, containing, and mitigating the impact of the attack. The group's operating subsidiaries were largely unaffected by the incident. The company's rapid response--including communication with employees, customers, brokers/agents, and regulators--mitigated our concerns about effects on its brand reputation and competitive position (see "Bulletin: CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position," March 26, 2021). The company also said it was able to absorb the potential financial consequences of the breach due to its cyber insurance coverage.
Most Large Re/Insurers Appear Able To Resist The Financial Impacts Of Direct Cyber Attacks
Global multi-line insurers and reinsurers appear likely to be able to manage the capital impact of a potential cyber attack on their own companies, according to our analysis, which was conducted using Guidewire's Cyence model (see chart 8). The data suggests that large re/insurers have, on average, sufficient revenue and financial buffers to withstand operational cyber risks, due to well-diversified revenue streams that aren't dependent on a single business area or region, and strong capital adequacy that is a result of strong and prudential regulation.
Chart 8
Our analysis also suggests that damage from a cyber incident could vary significantly on a case-by-case basis. For one insurer in our sample, we estimate the tail loss of a cyber incident at about 75% of the average annual income over five years (see chart 9). That highlights the fact that, for some insurers, the potential for damage from a cyber attack could be significantly higher than the average due to lower profitability and structural deficiencies in risk management that reduce their cyber resilience. We believe such weaknesses could weigh on insurers' earnings and reduce the accumulation of capital buffers in the long run (especially when combined with other tail risks such as natural disasters and sluggish investment environments), which could lead to deteriorating creditworthiness.
Chart 9
Looking at the estimated losses (based on Guidewire's Cyence model) resulting from different types of cyber attacks, we see that direct and indirect business disruptions tend to result in the greatest loss, followed by liability-related and data breach losses (see chart 10).
We note that the survey suggests that damage from cyber ransoms appears to be relatively small, but we counsel against underestimating the potential impact of ransomware attacks (see survey results illustrated in chart 10). That is because the survey's outcome for cyber ransoms includes only loss estimates and forensic costs caused directly by ransom payments, while other (and often related) losses are attributed to the other types of cyber damage.
In fact, targeted ransomware attacks are the biggest contributor to damages from cyber incidents for re/insurers in our analysis. That is supported by the survey's results, which show that the vast majority, about 75%, of cyber incidents are targeted events, including ransomware attacks and data breaches. The remaining 25% are large-accumulation incidents such as cloud service provider outages and mass malware events.
In addition to direct financial impacts, cyber incidents (including ransomware attacks) can also cause serious and long-term business problems. That notably includes reputational damage, which can lead to declining new business and disrupt access to capital markets. We believe the risk of this secondary damage needs to be recognized and factored in to the potential harm that can be caused by a cyber incident.
Chart 10
Editor: Paul Whitfield
Related Research
- Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sept. 24, 2024
- Cyber Risk Insights: Navigating Digital Disruption Booklet Published, Jul 09, 2024
- Quarterly Cyber Focus: A More Balanced Insurance Market And Cyber Risk Pools, May 09, 2024
- Bulletin: Cyber Attack At Change Healthcare Poses Reputational Risks For UnitedHealth Group Inc.; Uncertainties Remain, March 11, 2024
- Cyber Risk Insights: C-Suite Must Walk The Cyber Talk, Oct 17, 2023
- U.S. Public Finance Issuers Face Challenges In An Evolving Cyber Insurance Market, Oct 03, 2023
- Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market, Sept. 29, 2021
- Bulletin: CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position, March 26, 2021
This report does not constitute a rating action.
Primary Credit Analysts:
- Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com
- Koshiro Emura, Tokyo (81) 3-4550-8307; koshiro.emura@spglobal.com

Secondary Contacts:
- Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com
- Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com

Research Contributor:
- Satish Kolli, Research Contributor, Hyderabad; Satish.Kolli@spglobal.com