With the cyber risk hazard environment—ransomware, business interruption and aggregation—worsening significantly, “prospects for the U.S. cyber insurance market are grim,” according to a report from AM Best.
According to the global rating agency’s analysts, insurers “urgently need to reassess all aspects of their cyber risk, including their appetite, risk controls, modeling, stress testing and pricing, to remain a viable long-term partner dealing with cyber risk.”
The reassessment is needed because cyber insurance, which began as a diversifying, secondary line and another endorsement on policies, is now a “primary component of a corporation’s risk management and insurance purchasing decisions,” notes Best’s in its report, “Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk.”
The loss ratio for cyber insurance rose dramatically in 2020, to 67.8 percent from 44.8 percent in 2019. However, the increase was not limited to just a few insurers—the loss ratio rose for 15 of the 20 largest cyber insurers, AM Best reports.
“The rate increases for cyber insurance outpaced that of the broader property/casualty industry, but the increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow,” said Sridhar Manyem, director, industry research and analytics.
Of special note, defense and cost containment (DCC) expenses are rising and “could become a significant issue because of potentially significant costs to defend claims as a result of either ambiguous coverage language or regulatory investigations that may involve defense costs,” the report adds.
According to the report, the challenges the cyber insurance market are facing include:
- Rapid growth in exposure without adequate underwriting controls;
- The growing sophistication of cyber criminals that have exploited malware and cyber vulnerabilities faster than companies that may have been late in protecting themselves; and
- The far-reaching implications of the cascading effects of cyber risks and the lack of geographic or commercial boundaries.
Direct written premiums for cyber insurance grew 22 percent in 2020, to $2.7 billion, which AM Best attributes to increases in both rates and demand for cyber insurance in the wake of well-known firms such as SolarWinds, Facebook and Capital One becoming victims. The average annual growth rate in premium has been 20 percent the past four years , while the average growth in claims has been 39.2 percent.
“Rapid growth is viewed with a healthy skepticism, as it comes with underwriting and reserving risks,” the authors comment.
Standalone cyber insurance policies, up 28 percent in 2020, have seen a higher rate of growth compared with packaged policies, which the report indicates signal organizations’ escalating concerns about cyber risk. Frequency on standalone policies also has increased faster than for packaged policies the last three years.
Hackers are becoming more sophisticated in their attacks and moving toward larger targets. The report also notes that hackers’ motives also appear to be changing as well, from stealing identities (third-party claims) to shutting down systems for ransom (first-party claims).
Total claims rose 18 percent in 2020 owing strictly to first-party ransomware claims, which were up 35 percent in 2020 and now account for 75 percent of cyber claims.
“The recent Colonial Pipeline hack—for a multi-million dollar ransom—is an example of first-party claims that have become so prevalent,” said Christopher Graham, senior industry analyst, AM Best.
Although AM Best said it views the industry as being well-capitalized, it also warns that individual insurers that venture into cyber risk without a thorough understanding of the market can find themselves in a vulnerable situation.
Noting that the industry has not yet faced a systemic event that challenges traditional underwriting categories of region, industry, size, the authors urge insurers to hire experts to help with mitigation and to take steps to improve their abilities to quantify their exposure and define their risk appetites.
“An insurer whose risk management approach is deficient can find itself subject to accumulation risk beyond its tolerance and could face ratings pressure,” said Fred Eslami, associate director, AM Best.