Cyber market’s dimensions remain poorly defined
As leaders in the cyber insurance industry prepare to gather for the PLUS cyber symposium in Chicago, consensus around the development of the global cyber market remains a hot button issue.
In February, Lloyd's CEO Inga Beale bemoaned the market as "frustratingly immature" and called for further research and development in the market.
CFC chief innovation officer Graeme Newman fired back that the cyber insurance market had developed “relatively quickly” in recent years.
The US currently leads the world in premium volume to cover the risk that began to emerge in the late 1990s as the internet came into its own.
The US standalone cyber market could reach $5.6bn in annual gross written premium by 2020, according to a 2017 Aon report.
Commercial cyber liability premium alone could hit $6.2bn in the US by 2020, up from $2.5bn in 2016, according to a report by data analytics firm Verisk.
However, demand for standalone policies has been increasing in Europe and may accelerate as implications of the general data protection regulation (GDPR) become clearer. The new rules take effect near the end of May.
“You can get in hot water with regulators even if you don’t have a data breach,” cybersecurity analyst Judy Selby said about the new rules. “It’s become more about what you’re doing with your data.”
In response to growing demand, AIG said in October that it would add cyber coverage to its commercial casualty insurance in 2018, a step that clarifies how the risk would be handled under those policies. AIG is also the leader by market share for standalone cyber insurance premiums.
Whether certain types of policies cover cyber issues has been a source of confusion in the market, leading some to add language to various policies that specifically states when cyber losses are covered.
Highly public and large-scale cyber attacks underscore growth in the market, leaving the industry grappling with how to prepare for claims that may result.
For example, the the NotPetya malware attack hit US pharmaceutical giant Merck mid-2017, and went straight through the top of its cyber cover. The firm is also understood to be preparing a claim on its property policy that the market initially feared could result in losses of between $1bn and $1.5bn.
Merck reported later that month that the event had cost it $135mn in lost sales.
A dip in rates
At the same time, new entrants in the US and UK markets offering standalone policies are pushing down rates, according to insurers.
Sources recently told this publication that larger US accounts are experiencing rate decreases of around 5 percent to 10 percent, as London competes with the large US domestic players to write the business.
For international accounts the market is softer, with rate decreases of roughly 10 percent to 15 percent.
“In the small and middle market companies there’s a lot of competition, and the result of the competition is lower rates,” said Chris Keegan, senior managing director at broker Beecher Carlson.
The fall in rates also may be considered a rate rationalisation after large losses a few years ago caused rates to spike higher, according to Bob Parisi, managing director and cyber product leader at Marsh.
“We’ve now seen rates come down in the non-traditional and non-historic buyers of cyber,” Parisi said, partly because of rising demand as new buyers enter the market.
He also notes that broadening terms in conditions on policies of cyber policies – particularly around business interruption and “system outage” wordings – have also led to increased competition in the marketplace.
Notionally, there’s about $2bn for capacity in the marketplace, which is more than enough to meet demand, according to Parisi.
A 2017 Marsh survey on cyber capacity says it stands at around at $1bn, though Keegan puts the figure at between $700mn and $900mn.
Fortune 1000 companies and their underwriters have been looking for higher and higher loss limits, with more $500mn or even $600mn reinsurance coverage towers appearing in the market, Kara Owens, then-head of global cyber risk at Trans Re, said at an AIR Worldwide seminar on cyber risk in March.
Insurers are also increasingly using reinsurance to manage their cyber exposures, according to a recent study from PricewaterhouseCoopers.
Keegan sees insurers broadening the terms and conditions of cyber policies to allow first-party coverages to better protect tangential risks such as privacy exposures as a result of a cyber-attack.
However, while some insurers are building out their policies, some reinsurers are openly wary of underwriters’ ability to write cyber risk.
At the 2017 Monte Carlo Rendez-Vous, Swiss Re CEO Christian Mumenthaler expressed extreme scepticism that cyber risk can be properly written.
“The more you talk to specialists, the more you come to the conclusion that it's more likely that's probably not insurable,” Mumenthaler said.
Other sources have told The Insurance Insider they are sceptical that insurers have the technical capacity to underwrite cyber risk effectively, aligning with Beale’s claim that more development is needed in the industry.
It remains a concern among insurers that a single cyber event could lead to claims across various stand-alone cyber policies, due in part to the interconnectedness of cyber risks, as well as the ensuing business interruptions that often result.
Close to 75 percent of the markets that provide cyber and liability policies are adding on business interruption coverage, according to Keegan.
A catastrophic cyber event has the potential to cause a $3bn to $4bn loss, essentially wiping out a carrier, according to Keegan.
“All of the markets in the marketplace could be used to pay for a single incident,” he said.
In that scenario, the event could wipe out several players, Keegan notes, but would also likely drive up demand and rates.
That kind of event will likely separate carriers that have sufficient capital in place to underwrite risk from ones that do not, according to PwC.
On the other hand, that kind of event may not happen at all, according to Parisi, who said the term “massive cyber attack” may be “a bit of a misnomer”.
“It’s unlikely to have that perfect storm – truly knock out companies in one fell swoop,” Parisi said. He notes that while companies often buy the same technology from the same suppliers, they often use it in vastly differently ways.
“The market continues to grow and be aggressive, but only time will tell,” he said.