Cyber insurance: sizing up the global market

The US and global markets for cyber insurance are continuing to grow strongly – and this is likely to continue, albeit not at the same pace, seems to be the conclusion of various reports seeking clarity on this subject.

The US market for cyber insurance continued to grow in 2018, according to data from the NAIC’s Cybersecurity and Identity Theft Insurance Coverage Supplement published in August 2018.

Direct premiums written (DPW) grew 12.6 percent for standalone and packaged policies, while cyber premium volume surpassed $2 billion for the first time—more than double the amount in 2015. However, growth slowed from the two prior years, when industry DPW grew more than 30 percent.

A report from rating agency AM Best, published in June 2019, says that at year-end 2018, nearly three million cyber insurance policies were in force, up from 2.6 million the previous year (Table 1).

The report, Cyber Insurers Are Profitable Today, but Wary of Tomorrow’s Risks, also states that in 2018, 528 US insurers reported writing cyber insurance, up from 471 in 2017, 400 in 2016, and 309 in 2015.

According to Aon, an estimated $800 million in cyber reinsurance was placed in 2018.
“Globally, the cyber market continued to grow,” says Jonathan Laux, head of cyber analytics, Aon Reinsurance Solutions, “but in the US, that growth was just 10 percent, down from 37 percent in 2017. That could be a response to the market coverage broadening, but equally, the market is soft: we saw 14 new entrants in the US in 2018.”

Growth ahead
Studies taking a longer view on this issue suggests more strong growth ahead. A report by Adroit Market Research published in April 2019, Global Cyber Security Insurance Market 2025, suggests that the global cybersecurity insurance market size was $3.89 billion in 2017 but is expected to grow to $23.07 billion in 2025 owing to growing intensity of cyber attacks across the world.

It also notes that the emergence of government regulations such as the EU Global Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act and others have had a significant impact on the rise of cyber insurance market.

Furthermore, growing vulnerability of cyber exploitation due to the rise in connected devices across the world and emergence of the internet of things (IoT) have driven the growth of the cyber insurance market. High-profile events of data breaches such as the ‘WannaCry’ ransomware in 2017 spread across systems around the world have made the organisations more aware about cyber attacks.

One reason for this increase is the fact that the world is increasingly electronically interconnected, as a report from Marsh & McLennan Insights points out.

The MMC report, Advancing Cyber Risk Management: From Security to Resilience, points out that between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially.

The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cybersecurity defences much more challenging since every employee or web-connected device now represents a potential vulnerability.

Driving growth
The growth seems to be global and many of the biggest carriers are at the forefront of writing this business. Allianz says it experienced substantial growth in its European segments.

“In our core European markets, we were able to underwrite a large number of new cyber policies in 2018, particularly in core markets such as Germany,” says Emy Donavan, global head of cyber and tech PI, Allianz Global Corporate & Specialty (AGCS).

“Globally, AGCS will generate cyber insurance premiums in the higher double-digit million range in 2018.”

The cyber market continues to attract attention, with several driving forces responsible.

“While the cyber insurance market in the US is more mature, Europe and Asia are still in their infancy but are steadily developing,” Donavan explains.

“Key drivers for that are growing risk awareness of companies and tighter privacy regulation such as the EU GDPR that came into force in May 2018.”

The AM Best report also found that regulation was a key factor, while explaining that growth is being driven by organisations wanting to minimise cyber and reputational risk and protect their balance sheets and bottom lines.

First-party claims
The AM Best report found that first-party claims remain the primary driver of cyber claims, topping 12 million reported claims in 2018.

The report states: “Packaged first-party claims breached five million for the first time, while total claims exceeded 10 million—a first for the line. First-party coverage includes costs associated with data breach notifications, credit monitoring services for customers, and business interruption resulting from a cyber incident.”

AM Best suggests that small and medium-sized enterprises are more likely to buy packaged policies, while larger companies tend to purchase standalone cyber policies with much higher limits.

“The smaller insurers that are growing the most are the ones that already have strong distribution channels in place across other lines,” says Laux.

“In the small commercial space, we need to focus on education and distribution. Smaller businesses don’t think they’ll be the victim of a cyber attack, but what they don’t realise is that many attacks are opportunistic.

“Also, reaching small business customers requires a significant distribution network, with agents in many different locations who need education about a product that is rapidly evolving with the risk landscape.”

A huge challenge for cyber insurers has become managing new risks arising from emerging technologies.

“The effects of attacks related to emerging technologies include loss of operations, loss of sensitive data, and harm to the quality of an organisation’s products. With advances in the internet of things and big data, there are more cyber access points susceptible to breaches providing access to ever-increasing volumes of private company data,” according to PwC’s Global Cyber Insurance Survey.