The cyber insurance market has faced challenges in recent years. Increased ransomware attacks have driven higher loss ratios. Russia’s attack on Ukraine has raised concerns about catastrophic global cyber events. With news that the U.S. government might create a government-backed national cyber insurance program, some people wonder whether private cyber insurance will become obsolete. The IT and cyber security community has questions about the future viability of the cyber insurance market.
We want to understand the potential threats to the cyber insurance market. We see three main risks from these threats:
- Insurance companies retreating from the market because they are worried about large potential losses.
- The government creating a national cyber insurance program that will crowd out the private market.
- Prices for cyber insurance becoming so expensive that the coverage becomes unappealing to most.
Although each of these threats could plausibly disrupt the future of cyber insurance, we ultimately find them unlikely. Let’s take each in turn.
The fear that insurance companies will simply retreat from the market due to the threat of large potential losses may be the most pressing concern. We can assess this threat better with some perspective on the history of the overall cyber insurance market and its position in the global insurance market.
Although 2021 was a bad year for cyber losses, the overall performance of the cyber insurance market in its 20-year history gives us confidence. Cyber insurance continues to be among the most profitable lines of business for global property and casualty (P&C) insurance. For more than 10 years, the cyber insurance market has grown steadily and is likely to continue growing.
Cyber risk continues to be among the top three risks cited by global risk managers, affecting every aspect of business and society. From cars to manufacturing and building systems to the very nature of workers’ everyday lives, technology affects every area of business and thus the insurance covering the risks it brings with it. Therefore, insurance companies struggle to ignore the attractiveness of the growing and profitable cyber insurance market, particularly in a world with few other options.
Rather than avoid the market, insurers are trying to improve their overall performance in cyber insurance. They are increasing prices and tightening underwriting standards with more requirements for cyber security. How these changes impact loss trends has yet to be fully visible, but overall prices and requirements have moved at a greater pace in 2022 than in the previous two years.
Perhaps the greatest risk for massive losses is the risk of a nation-state-related catastrophic event. We see the insurance industry addressing this concern now.
Since the early days of insurance, insurance companies have recognized that war can create enough damage to bankrupt the entire industry. Every insurance policy, including cyber, excludes war-related losses. However, determining when a nation-state-related cyber attack constitutes a “war-like” action is a legal gray area.
Therefore, some insurance companies have started explicitly redefining “war” to include these nation-state-related attacks. For example, as of July 2022, Lloyd’s requires that cyber policies exclude coverage for nation-state-related attacks. Although this change might bring painful losses for individual companies in the short term, it allows the cyber insurance market to thrive in the long term. By excluding these exorbitantly expensive and difficult-to-model losses as “war-related actions,” this change essentially aligns cyber insurance with more traditional insurance.
Recognizing nation-state-related cyber attacks as war-related actions leads to the second main risk: the U.S. government might create a national cyber insurance program to protect companies from these attacks, and companies might then decide that private cyber insurance is no longer necessary.
Rather than replace a functional private market, we find that the U.S. government typically intervenes only where the private market struggles to provide coverage. For example, after the 9/11 terrorist attacks, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide government-backed funding for insured losses from large-scale acts of terrorism. This successful program is a potential model for a cyber insurance fund for nation-state-related attacks, which can then be included in private cyber insurance policies.
Finally, the third threat—that prices will become so high as to make coverage unappealing to most companies—is also possible but unlikely. Cyber insurance is relatively inexpensive, often less than 10% of a company’s total cyber security expenses. We do expect the application and underwriting process to get longer and more involved, as underwriters bring more requirements and scrutiny to these risks. However, we also see insurance companies and technology firms working together to reduce the frequency and severity of cyber attacks. Efforts to reduce catastrophic events help make long-term price increases more manageable.
We expect cyber insurance to continue to be a vibrant and growing market, with the entrance of more companies offering more and better protection. Even as we see some volatility and change in the near term, as underwriters refine their process further and governments find their role, we expect cyber insurance to be essential for many companies for a very long time.