Here’s What’s Happening With the U.S. Cyber Market
Cyber insurance rates are going down, competition in the segment is only getting fiercer and loss ratios remain low.
These are some of the conclusions of the latest U.S. Cyber Market Update by Aon, which also shows that carriers are feeling confident enough to target small and medium companies with standardized cyber policies.
The report’s broad conclusions may lead one to believe that cyber risks are no longer as frightening as they used to be. But a closer look at the data reveals that there are some clouds on the horizon, and rather than decreasing, cyber risks faced by companies are actually on the rise.
Here are the main takeaways of the report:
Growth Has Slowed Down
By crunching data from the NAIC cyber supplement, Aon calculated that cyber insurance premiums increased by 10% in 2018, which is a far cry below the over 30% rates of growth posted in 2016 and 2017.
Nonetheless, cyber continues to be a profitable line that is attracting new players, and despite consolidation in the industry, the number of cyber insurers in the U.S. market increased from 170 to 184 in 2018.
It is too early to tell whether slower growth is a trend or if the market will resume the stellar rates of yore. If it becomes the norm, however, it could be an issue for the industry, especially if catastrophic cyber events take place.
“Cyber insurance is a line with potential catastrophic exposure, and some degree of catastrophic risk needs to be allocated to premiums,” said Jon Laux, the head of cyber analytics at Aon.
In other words, margins could narrow, affecting profitability levels and, ultimately, prices. Right now, however, the situation looks pretty comfortable. Cyber insurers’ combined ratio reached a modest 65.3% last year, one basis point lower than in 2017.
New Clients Are Wanted
One of the reasons why premium growth has slowed down is the fact that the low hanging fruit has already been picked by insurers.
In other words, large corporations in sectors with high exposure to data privacy risks, such as retail, hospitality and health care, already have cyber program in place.
The tendency is for insurers to look elsewhere for new business. Industries where operational risks trump privacy concerns, such as manufacturing and transportation, are obvious targets. But the real prize is in the market for small and medium enterprises, where premiums increased by 19% last year and 42% in 2017.
“For most insurance companies I’ve talked to recently, the SME space is where they are excited for growth,” Laux said.
There are some challenges though, like the need to have a comprehensive distribution network to reach out to this market and to invest in the education of both SMEs and their brokers about the value of cyber insurance.
Ransomware Is Now the Top Threat
Gone are the days when criminals focused on big-game hacking, where they would try to make a kill by stealing data from large companies. These are still a thing, as it was shown by the mammoth Marriott breach in November, but crooks seem to have realized that several smaller attacks provide an easier and more profitable road to the cyber riches.
Aon has concluded that ransomware attacks, where criminals block a company’s access to its own IT systems until they pay a hefty ransom, have become the crime-of-choice in the cyber underworld. As a result, the cyber market faces a situation where, although the intensity of the risk has increased, the average size of claims has diminished, from $56,688 per claim in 2017 to $50,401 last year.
This is a development that cyber carriers are likely taking into account as they target SMEs, which are less equipped to deal with this kind of threat, which is, so to say, pretty democratic.
Laux remarked that any company, no matter its size, is exposed to ransomware. With criminals feeling bolder as their attacks deliver the goods, the value of claims seems to be going up again.
“A few years ago, ransoms in the six-figure range were extremely rare,” he said. “Now they are becoming increasingly common.”
We are talking about a product that is known as “cyber liability” insurance, but, in reality, the liability part of the equation is largely missing.
Last year, 68% of the 12,829 claims made covered first-party losses, which is to say, they paid damages suffered by the companies that directly endured the attacks.
But this could change soon.
Data privacy rules are mushrooming around the world, and the likes of Europe’s GDPR is beginning to hit steep fines on companies. And a big test for the market could come next year, when the California Consumer Privacy Act kicks in. It could go some way into establishing a dominant cyber liability theory that, in Laux’s view, still does not exist today. &