• The cyber insurance market has grown rapidly in recent years.
• Despite this, low premium prices and high risks are combining to stifle further growth and are leaving many firms underinsured against this growing threat.
• Here are two ways to boost capacity in the cyber insurance sector.

Cyber insurance may still be in its infancy, but over the past few years, we have seen rapid growth followed by what we all hope to be a temporary plateau. Insurers are issuing more policies. The amounts of protection are increasing. In fact, our community has finally seen the first cyber insurance programme to exceed $1 billion. Meanwhile, the breadth of coverage continues to expand. Absent the slowing of growth, it would seem that cyber insurance is maturing, and that businesses are adapting to the new and emerging cybersecurity threat.

Unfortunately, cyberattacks have become more frequent and severe. We’ve seen ransomware perpetrators become emboldened, with ransoms swelling from five- and six-figure price tags to a reported $10 million earlier this year. Hiscox Re reports insured cyber losses of $1.8 billion in 2019, up by 50% year over year. Aggregate losses of that amount against estimated premiums of more than $5 billion are certainly not cause for alarm, even with the 50% growth in claims. Caution, perhaps. But not alarm. If you want to worry about cyber insurance, you need to look at the companies that don’t have it.

Despite the rapid growth described above, original insureds often don’t have enough cyber insurance – if any at all. The “big guys” – insured firms with protection of at least $200 million – account for about 20% of what is believed to be $5.5 billion in global cyber insurance premium, according to internal research conducted by PCS Global Cyber. That’s roughly $1.1 billion in premium.

Already, we can see how delicate this environment is. With approximately 250 insurance programmes in this cohort, it would take only four insured losses of $300 million to wipe out an entire year’s premium – and would likely take decades for insurers to earn back such losses. Even worse, consider the 40 or so companies with coverage of at least $500 million. Two large losses could wipe out a year’s premium and take half a century to recover.

On this basis, it would seem that it’s just not worth it to provide protection for cyber-risk. Even for companies occupying the tier directly below the big guys – from $100 million to $199 million in premium – the decision to be in this market is tricky (see figure below). We believe there are around 500 companies in this cohort, and that they account for another 25% of global insurance premium. Likely more. Again, it would only take a handful of losses to decimate this cohort’s $1.4 billion in premium.

Image: PCS Global Cyber

So, prices are low and the risk is high. This dynamic has negatively influenced the market’s ability to continue to grow at its previous aggressive rate – and has led to a profound shortage of cyber insurance. The easiest way to assess this is to consider the companies in the Fortune 500. With only around 250 insurance programmes of at least $200 million in coverage, you’d have to guess that half the Fortune 500 doesn’t have that amount of cover. Nearly 10 of the 50 largest cyber insurance programmes cover private companies – with three of those covers ultimately benefitting one insured (in different ways). There’s even less cyber insurance in the Fortune 500 than you may think. Broaden your area of concern, and it doesn’t take long to see just how few companies have any cyber insurance protection, let alone enough to make a difference.

In the global re/insurance industry, it’s no secret that the cyber insurance market has run into some structural issues. The entire pricing exercise – although sophisticated and effective in getting the market as far as it has come – hasn’t been tested by a major loss event. And the lack of cyber insurance penetration would blunt the effectiveness of such a scenario, to be frank. More challenging, though, is the fact that more capital isn’t being allocated to the sector. Especially for large risk programmes, insurers need to deploy significant amounts of capital. Historically, they have relied heavily on reinsurance support. (We hear an estimated 40% of cyber insurance premium is ceded to reinsurance.) Reinsurers, currently, aren’t deploying more capacity to the sector.

The costs of cyberattacks are rising sharply
Image: Hiscox Cyber Readiness Report 2020

There are two ways more capital could flow into cyber insurance. The first is data. In the early days of the cyber insurance market, there was no industrywide view of cyber insurance data. After all, the market was so concentrated that nobody needed such a mechanism. The handful of players in the market pretty much saw everything. Since then, as the market has grown, it has also become increasingly siloed. And while the largest cyber insurance underwriters may still see a lot, there are wide swathes of the market they don’t – reinsurers also often do not get the full picture. As you can see from the analysis above, we’ve begun to find ways to remedy this problem, but the PCS team is still in the early stages of that effort.

The second way to get more capacity into the cyber insurance market (which would benefit from improved and increased data) is retrocession. As insurers purchase protection from reinsurers, reinsurers also purchase protection on their portfolios – in the retro market. To date, retro has only been available on a limited, tactical basis for cyber reinsurers. There are few players with capital to allocate to the space who don’t face unreasonable increases in concentration risk by writing retro. The problem is further exacerbated by an unwillingness of retro buyers to share data, because they are likely buying protection from an existing or future competitor. Developing a consistent, reliable, and robust retro market would help provide increased capacity all the way down to the original insured.