CyberCube’s CEO Explains Why You Should Expect Cyber Insurance Markets to Continue to Be Difficult Over the Next Year

A hard cyber market may be the "new normal'" but greater usage of alternative risk transfer and capital flow mechanisms may soften the future landscape.
By: | January 26, 2022
Topics: Cyber

Given the dramatic transformation of a relatively “young” sector of insurance in a relatively short period of time, there is much uncertainty around the future of cyber.

In the report “CyberCube Predictions 2022,” ten of the organization’s top experts offer their best prognostications for what this evolving insurance landscape will look like over the next 12 months.

Hard Market’s Here to Stay

Above all, CyberCube contends that the hardened cyber market is not a passing phase. Head of client success Oliver Brew pinpoints underlying causes such as the increase of recent cyber claims, including those associated with ransomware attacks and related rate increases; demand outstripping supply with reduced capacity for expansive risk; and a glut in providers chasing market share.

It’s not all bad news, though. Brew believes that rates won’t rise forever, at least not at the current pace.

“In time, rates will stabilize, though a return to an aggressive soft market is unlikely. The cyber hard market is the ‘new normal.’ Increasing use of captives and other alternative risk transfer will mitigate some of the gap,” he said.

Reflecting current market trends and industry adaptations to this “new normal,” CyberCube CEO Pascal Millaire expects to see a widening gap in the performance between carriers.

“In 2021, many carriers doubled down on more rigorous underwriting standards, increased use of data-driven underwriting tools and instituted disciplined underwriting strategies that resulted in them walking away from unattractive accounts. As a result in 2022, we expect there to be a greater speed between the loss ratios of top quintile carriers and bottom quintile carriers.”

At the same time, Millaire anticipates that more alternative capital will flow into cyber, which “in the years ahead could become a material source of capacity for the global cyber insurance market” and will be “a strategically important development disproportionate to the size of the alternative capital transactions.”

Risks at Play Today and into 2022

Of course, cyber insurance will largely be shaped by the constantly evolving risks in play. In 2022, incoming threats will likely include more extensive ransomware attacks with new distribution techniques and the targeting of single points of failure, all leading to bigger and more costly ransoms.

Another major concern is the increase of data manipulation — the worry that bad actors will not only lock down and extract data but alter it or use it in a way that creates a vector for extortion or ransom demands.

Given the grievous supply chain failures of 2021, supply chains remain a critical attack target and an important area for risk management.

“We’re advising our customers to, wherever possible, analyze their insureds in terms of not just the software they are using, but the software supply chains that they are reliant on, as well as the service supply chains,” said Darren Thomson, head of cyber security strategy at CyberCube.

Among the specific supply chain vulnerabilities CyberCube experts are focusing on are cloud service providers with a single point of failure that would impact a high number of dependencies.

Key to risk mitigation for insurers and insureds will be more advanced data and analytics, moving to increasingly granular data that can detail emerging risks and vulnerabilities and show how clients are responding to them in real time.

“Groups tasked with understanding the accumulation risk across a portfolio of risks previously wanted to focus on loss drivers and cyber catastrophe scenarios within the models, but now want services that provide them with the expected insurance impact of events happening in the real world,” said Brittany Baker, CyberCube’s director of technical sales.

“When senior leadership is asking how exposed their company is to an outage, it is vital that updated, tailored event footprints and details are written in insurance language versus cyber security language.”

Looking Ahead

Going forward, the insurance industry will have to continue to adapt with the development of new cyber products and more capital to expand capacity, both for regular cyber and “cyber cat,” said Michael Millette, managing partner at Hudson Structured Capital Management, Ltd., and board director at CyberCube.

On the enterprise level, resilience will be required — with detailed plans for business continuity amid inevitable attacks and disruptions.

“Organizations would be well served to spend some time on building their resiliency,” said Admiral (ret.) Michael S. Rogers, former director of the NSA and commander of U.S. Cyber Command. “This takes a lot of work and involves a broader set of partners internally than just focusing on keeping an adversary out.” &

Elisa Ludwig is a contract writer based outside Philadelphia. She has written extensively about cybersecurity issues for the Junto blog on the eRiskHub. She can be reached at [email protected].

More from Risk & Insurance