In March 2021, US insurance giant CNA Financial fell victim to a ransomware attack after hackers breached an employee’s workstation using a fake browser update. The attackers spent two weeks exploring CNA’s IT environment undetected. They disabled monitoring and security tools, destroyed company back-up files and copied sensitive data before deploying ransomware that prompted CNA to disconnect systems globally to contain the crisis. Bloomberg reports the insurer paid a US$40 million ransom to regain control of its network.
CNA Financial, which provides cyber insurance, has firsthand experience of the growing threat of cybercrime and the risks it presents to the insurance industry. Among the challenges, however, is limited reinsurance capacity to support cyber insurance growth.
The role of cyber reinsurance
Data from cybercrime researcher and publisher Cybersecurity Ventures estimates global cybercrime costs will reach US$10.5 trillion a year by 2025, up from US$3 trillion in 2015.
The costs include damage and destruction of data, stolen money, lost productivity, theft of personal and financial data, fraud, forensic investigation and reputational harm.
Insurers are also grappling with the emergence of ‘silent cyber’ risks, which refer to potential cyber-related losses stemming from traditional property and liability policies.
In 2021, cyber insurers increased pricing and improved underwriting controls across the market. Data from Marsh’s latest Global Insurance Market Index shows cyber pricing increased 96 per cent in the third quarter — a 40 per cent increase over the second quarter and the largest lift since 2015.
Michael Parrant, client director and cyber insurance practice leader at Aon, says the cyber market has ‘moved sharply’ to address the threat of ransomware attacks.
‘Controls that are aligned with reducing this threat are now considered essential,’ he says. ‘The market no longer provides leeway for organisations to have a plan on implementing certain controls. Now the market will only consider providing quotations when certain controls are fully implemented and tested.
‘The speed of the change has caught us all by surprise, and the trend of improving controls will continue throughout 2022 and into the future.’
Is cyber reinsurance changing the industry?
The question, however, is whether these changes will increase the appetite for cyber risk among reinsurers.
Nick Sordon, head of casualty underwriting — Australia and New Zealand — at Swiss Re, says reinsurers are already helping insurers to limit their losses from cyber claims.
‘Reinsurers currently do heavily support the [cyber] market with risk capacity, perhaps more so than in many other lines of business,’ he says. ‘We estimate roughly 40 per cent of the market premium to be ceded to the reinsurance market.’
Sordon estimates the global cyber insurance market for 2021 amounted to approximately US$8 billion and says Swiss Re expects it to increase at a compound annual growth rate of between 20–30 per cent.
‘This is not just in terms of premiums, but also exposure,’ he says. ‘Coupled with the growing catastrophe risk, capacity needs for cyber insurance will therefore increase at a rapid pace.’
However, given the volatility of cyber risks, reinsurers are applying a stronger risk management approach in the market.
‘Despite the efforts of the cybersecurity industry — and, more recently, the growing involvement of governmental bodies — to curb these attacks, there is no apparent end in sight,’ says Scott Hawkins, managing director, Munich Re, Australasia.
‘Furthermore, cyber is a systemic line of business with the potential for significant aggregation of losses. While a catastrophic event is yet to materialise, the potential for such losses clearly exists and insurers need to reconcile short-term profitability with long-term sustainability.’
Risk ratios on the rise
According to the National Association of Insurance Commissioners’ 2020 report into cyber risk in the United States, the top 20 groups in the cyber insurance market reported direct loss ratios in the range of 24.6–114.1 per cent. In comparison, the normal loss ratios for auto and property insurance lines are 40–60 per cent.
‘Typically, and this varies across jurisdiction and insurer, a loss ratio of 70 per cent is bordering on unprofitable for the carrier,’ says Aon’s Michael Parrant.
‘Such loss ratios of an individual or group of insurers will almost certainly impact reinsurers’ pricing and availability of capacity and, in turn, cause reinsurers to consider coverage, terms and conditions offered to insurers. This will have a direct impact on the terms and conditions that insurers can offer to direct insureds.’
The evolving cyber insurance risks
A 2021 cyber market report from S&P Global Ratings shows reinsurers’ underwriting and modelling expertise could help to build up the market.
Parrant says reinsurers play a key role in bringing data and global understanding to local cyber markets.
‘This enables insurers to determine what risks are able to remain within existing property and casualty portfolios, as well as silent cyber considerations, what costs need to be factored in to limit a social inflation factor, and the risks that need to be removed and insured into the cyber market as direct risks,’ he says.
Sordon says the insurance industry is still building knowledge of evolving cyber risk.
‘Some of the larger scenarios are too big to be borne by the private insurance industry alone,’ he says. ‘It is the right time now to discuss and design specific pools and government-backed solutions to allow for insurers to pay claims sustainably and innovate in this mercurial risk class.’
Sordon says Swiss Re is working with universities and regulators to create the right ‘boundary conditions’ for a sustainable cyber insurance market.
‘We support our clients in the development of cyber insurance products for small and medium-sized companies that require end-to-end cyber solutions to protect their business,’ he says. ‘Similarly, we support our clients in the personal-lines segment by providing a product development toolkit to address key elements across the entire value chain.
‘We do this by providing access to our global expertise and saving our clients time and resources by absorbing the initial cyber insurance product development effort, while sharing the risk.’
Opportunities for growth
Despite the challenges, reinsurers say there are opportunities for growth in cyber risk appetite. Parrant says market development requires a collaborative approach.
‘Reinsurers, and the overall market, continue to grapple with significantly large risks within a growing but modest common pool,’ he says.
‘Regionally, there is capital and expertise throughout every level of the market. Those trying to draw equilibrium between client, insurer and reinsurer needs, and allowing access to the upside of sharing cyber risk and not just the downside, are perceived as more likely to succeed longer term.’
Sordon adds that further capacity may be found in capital markets. ‘Cyber risk capacity is tightening while demand is still growing,’ he says. ‘Access to risk capacity from capital markets and / or government-backed schemes for the worst accumulation scenarios are options that should be explored. In order not to exhaust available capacity altogether, new capacity needs to be generated.’