US cyber premiums double in four years but growth ‘slowing’: AM Best
US cyber insurers have seen written premiums more than double in four years from $996 million in 2015 to $2 billion in 2018, a report from ratings agency AM Best has shown.
But growth slowed to around 10 percent from 2017 to 2018 from a much faster rate of increase of almost 25 percent from 2015 to 2016.
The report, ‘Cyber insurers are profitable today, but wary of tomorrow's risks’, showed premiums rising from $996 million, in 2015, to 1.3 billion in 2016, up to 1.8 billion in 2017, reaching $2 billion in 2018.
Growth is not entirely surprising as large attacks, such as the Facebook hack in December 2018 that affected 30 million people, and the ongoing court case involving insurance firm Zurich and US company Mondelez International over a claim following the 2017 NotPetya attack, regularly hit the headlines. Smaller firms are a big issue as they commonly have lower levels of protection and are easier targets but their cyber breaches rarely make the news.
Increases in written premiums have also been driven by insurers removing cyber cover from traditional insurance and tighter regulations in US states that can require companies to declare data breaches and other cyber attacks.
However, while growth has slowed, the report said market figures are “likely to be understated” as a number of organisations use captive insurers to write cyber cover.
“Captives have fewer filing requirements and do not file the Cyber Supplement. Without this supplement data, obtaining an accurate measure of the growth of this line isn’t possible,” it read.
Analysts found that small and medium-sized enterprises (SMEs) were more likely to buy packaged policies, while larger companies buy standalone cyber policies with much higher limits.
“With awareness and demand for cyber coverage growing, many insurers have expanded their product offerings by adding cyber endorsements to their commercial packaged policies and business owner’s policies and packaging cyber coverage with technology E&O policies, which is pressuring other insurers to follow suit, to stay competitive and to meet the demands of policyholders.”
As cyber policy forms have become more standardised, smaller insurers have been able to offer cyber coverage “with many of these carriers ceding 100 percent of the risk to reinsurers”.
But the typical sublimit for cyber coverages on packaged policies offered is low and the majority of packaged cyber policies are occurrence-based. In contrast, standalone policies are generally written on a claims-made basis.
“However, since the inception of the Cyber Supplement, the percentage of total cyber policies with claims-made triggers has increased.” This is a positive trend, the ratings agency said, as ‘claims-made triggers’ reduce risk and allow insurers to react more quickly to pricing trends, especially for higher limit policies. Companies are also incorporating statutes of limitations in policies to minimise their exposure to first-party claims.
The number of cyber claims are growing, with first-party claims the making up the bulk of this increase. In 2018, packaged first-party claims reached 5.1 million, while standalone first party claims reached 3.5 million, the report showed. Third party claims also grew in 2018 with standalone claims reaching 1.9 million and packaged claims at 1.8 million.
But despite the rise in claims and slower growth, the line remains profitable, the report said.
“The line’s underwriting performance remains strong,” the report said pointing to 2018 direct paid loss and defence and cost containment ratios below 25 for both standalone and packaged cyber policies. Ratios had risen but remained below 25, prompting AM Best to add “cyber loss ratios are low because when these policies are priced, carriers apply higher loads owing to uncertainty, compared to other lines”.
It said that writers of cyber insurance are still refining their pricing and underwriting. As this line of business stabilises, more data is gathered, and legal environments become more defined. The ratings agency said it expected that the current profitability of cyber insurance will attract more competition, which will “ultimately pressure profitability”.
