Cyber insurance is experiencing a capacity crunch right now, and although that is expected to continue through at least the end of the year, it’s not all bad news, according to Brittany Baker, senior director of technical sales at CyberCube, in Carrier Management’s latest Strategy Sessions webinar.

She said this is pushing policyholders to ramp up their cybersecurity efforts to secure the coverage they need.

“Companies are understanding more so than ever before that this is an insurance policy that they need to have,” she said.

As growing frequency and severity of ransomware events has pushed many capacity providers to exercise increased scrutiny, it’s requiring policyholders to have a better understanding of their cyber risk exposures, she said.

“You need to be able to demonstrate to capacity providers that you know these exposures and are measuring them in a way that makes sense for cyber risk,” she said. “It’s no longer good enough to…just provide conservative limits and only provide aggregate exposure views to your capacity providers. They are wanting more detailed data on those underlying risks and they really want you to be demonstrating that you know and understand these exposures.”

The tight capacity environment is also leading more alternative capital to enter the space, Baker said, as the cyber insurance industry explores different transaction types than it has in the past.

Insurance Journal reported just a couple of years ago in 2020 that insurance broker Aon plc launched a new product with Hudson Structured Capital Management Ltd.—an asset manager undertaking its re/insurance business as HSCM Bermuda—to protect insurers and reinsurers against systemic and catastrophic cyber events. The cover allows for limits of up to $70 million and will protect against increasing cyber loss aggregations on re/insurers’ balance sheets.

Edouard von Herberstein, partner and chief underwriting officer at HSCM Bermuda, said in the report that this is an example of the insurance and insurance-linked securities markets offering risk transfer solutions for intangible assets, an area of the market where he expects to see “a growing number of opportunities in the years to come.”

Baker echoed these thoughts in the webinar, adding that investment funds are starting to create dedicated teams or allocate resources to cyber, and she expects that momentum to continue.

“We’ve been having conversations with groups in the alternative capital space for a while now, but there really does seem to be a momentum shift. Real traction feels like it’s coming up right now,” she said. “The casual, educational, coffee conversations that we had been having are much more focused and specific now.”

While she said she thinks the development of a cyber insurance-linked securities market could develop to help with the financial impact of cyber-related events is a much greater possibility than in the past, there’s still a long way to go.

“The more traditional financial markets players still require a good bit of education on how we can model cyber risk, the differing perils that sit under this umbrella, before they’re comfortable entering the space in a real way,” she said. “And we’ve heard from various groups with quite different expectations as far as how to structure these transactions, so there’s still quite a gap that needs to be bridged to bring both sides together.”

However, she sees this as a potential benefit in the future if it does develop.

“If reinsurers are feeling that they’re getting more capacity and able to transfer some to the financial markets, they’ll be able to take on more capacity and provide that downstream as well,” she said.

Baker added that she believes bringing more players into the insurance space from throughout the financial services sector will also add more expertise across the value chain, which could lead to a healthier cyber insurance market overall.

“There will be better, higher-level conversations and knowledge around these exposures that will just get all sorts of different groups more comfortable playing in this area,” she said.

As an ever-evolving segment of insurance, there are plenty of opportunities in cyber, but this doesn’t come without challenges. On the carrier side, one big challenge Baker sees is around data.

“If you think about malware or ransomware, it gets a bit murkier. It’s less black and white. How do you truly measure the impact and the spread and the depth of an attack like that, even as it’s systemic and getting a lot of attention?” she said. “Cyber is a line of business where carriers are holding all of that data really close to the vest still, and so you don’t have the type of reporting that you might see in the nat-cat space or just other P/C areas.”

However, even after data is collected and analyzed, there are hurdles, she added.

“Cyber risk just moves so much more quickly, so even if we did have 20 or 30 years of data, a lot of that will become insignificant,” she said. “You won’t want to put weight on that anyway because of the changing and evolving landscape, so I think it’s less so getting more data and more so understanding how to separate out the noise from the real signal here. What are the cybersecurity signals that are really linked to losses and experience? And being able to just put more weight on that and use that more specifically, as opposed to kind of looking at 50, 60, 70 different data points and trying to tie that all together.”

For policyholders, capacity challenges have created difficulty securing the right limits in some cases, Baker said, but she believes that over the long term, this will continue to motivate policyholders to boost their cybersecurity posture and secure the limits they’re looking for.

“I think you’ll continue to see capacity providers demanding true knowledge and demonstration of the exposures underlying the policies that they’re being asked to cover,” she said. “And I think we’ll certainly see policyholders having to prove themselves out that they are a good risk, that they do understand their own exposure. So, I think that trend will just continue.”

To learn what else Baker had to say, register to watch the full webinar here.