Cyber insurance by 2030: expect ‘remarkable’ growth, not rocket ride
Cyber insurance market will change “remarkably” by 2030. But don’t expect a rocket ride — cyber attacks may temper the pace and the extent of growth might not meet industry predictions. Overcoming such obstacles to growth will require improvements in data quality, tackling cyber threats more effectively, further understanding of loss aggregation, and an increase in capital from both the reinsurance market and third-party investors.
This was the view of a panel of senior industry executives speaking at the Intelligent Insurer’s Re/insurance Outlook Europe 2023, in Zurich this week (June 19 and 20).
Delegates in a thought-provoking session, titled ‘Cyber Insurance in 2030: how to overcome current challenges to unlock its full potential’, deliberated on the potential market size, the taxonomy of cyber attacks, and the appetite for growth. Amid escalating premiums, rising ransomware threats and withdrawal of some reinsurers from this challenging space, they debated the question: is cyber on the brink of becoming uninsurable?
Panel speakers included Catherine Rudow, global head of cyber reinsurance at Everest Re, René Buff, head of cyber committee, group underwriting at Helvetia, and Michael Stahel, partner, LGT ILS Partners. The session was moderated by Gabor Jaimes of Swiss Insurance Association.
Buff stated that the cyber market will witness a “remarkable” transformation in the next few years, albeit not necessarily reaching the lofty predictions being drawn in comparison to property premiums. He foresees a surge in demand, with the functions of distribution and insurers also undergoing a significant evolution and becoming more customer-driven.
“I believe that the market behaviour for primary insurance, considering we are also challenged by plenty of insurtechs and small providers coming into this niche market, the market will look different in 2030 from what it does now,” he said.
“The distribution will be different and also the role of the insurers - as a pure loss provider, pure safety net for covering losses - will be different to what it is in the current market. In the future, our role will move even more towards that of service providers. We have to follow the needs of our customers. We will have to be there for them in the pre-incident as well as an after-incident phase of cyber attacks,” he added.
Rudow echoed his sentiment and emphasised that growth in the cyber insurance market will necessitate support from the reinsurance market and third-party capital.
She said: “Growth doesn’t happen without the support of the reinsurance market and or some type of third party capital. So how would we get there? There are still some things that are waiting to happen before this market grows.”
From a reinsurance perspective, she added that “a further understanding of aggregation is needed to get there. Another thing that will help is an improvement in the data that can be used. Maybe a better understanding of what losses or aggregated losses could look like.
“The models are already starting to refine, they will be a little different than some of those initial models that we used to see. At the end of the day, if you want to open up the capital of the reinsurance market in order to support all this growth, then you’re probably going to need that quality of data, the modelling data to unleash some of that third party capital.”
Meanwhile, Stahel, who “represents that third party capital”, anticipates that cyber risk will soon become an area where traditional insurers reach their capacity limits. He believes that insurance-linked securities (ILS) will step in to play a role, particularly in extreme cyber event scenarios. However, this would only occur when the capacity provided by the reinsurance community is insufficient to meet demand.
“There is no fundamental need for this capital,” he argued. “But there are certain risks where it will be that insurance companies are at the limit in terms of capacity. They don’t want to take that risk anymore or they can’t take anymore, for either regulatory or rating reasons.”
“I fundamentally believe cyber will develop very soon into one of those events where individual companies will have their capacity and it’s either because they ultimately decide this is how much money we can put aside for a single event or maybe because the regulators step in. The rating agencies will finally pick up on this and put it into their character models,” he added.
Stahel, however, “acknowledged” that a massive cyber attack could potentially lead to significant property damage, which will “be very uncomfortable” in the current scenario.
“We are very conscious of that,” he said. “It is definitely worth it to try to figure out: do we have a cyber issue? Do we have cyber exposure? If so, can we manage it? Do we know how much it is? And if so, are we getting paid for it or can we exclude it?
“If there is a massive cat cyber event, I think this will be a catalyst for the market in a positive way. But that will help us, and certainly the cat capital market investors, to acknowledge the element of risk.
“It's a big exposure for the industry and maybe we should support the industry. If you look at how many markets have developed in the past, a big event has always been a bit of a catalyst in order to get the market rolling,” he noted.
Rudow, on the other hand, highlighted the irony in managing risks – only after it has occurred and caused the damage. “It’s funny how you need an event to get comfortable with the risk. It’s a little bit backwards,” she said. “Petya is a perfect example of how impactful a loss could be.”
Buff added that although the industry has made substantial strides in introducing clear clauses and provisions for cyber risks, “we are not completely there yet. There is still a lot of effort that is needed to get more certainty and clarity in our earnings and our current definitions.”
One of the major challenges, he pointed out, is the standardisation in cyber risk insurance compared to property exposure. Unlike clear-cut cases of fire or earthquake insurance, he said, the industry lacks a common understanding of what exactly constitutes cyber coverage. He suggested that more efforts are required to reach a clearer, more universally accepted definition of cyber risk and its associated coverage.
Rudow agreed and stressed that looking at the current trend of losses and the increasing aggression of threat actors, it is evident that the industry still has considerable ground to cover.
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.
