The rise in ransomware claims has caused attritional loss ratios to swell and pressurised profitability in the class, pushing it towards what we termed late last year as cyber’s “coming of age” moment – a full recalibration in the assessment of cyber risk, and what looks set to be a multi-year correction in rates.
With rates currently up in the 20%-30% range on average and a market-wide effort underway to improve cyber risk management among buyers, it’s heads down and sleeves rolled up for market practitioners at the moment in a concerted effort to get this unruly exposure under control.
Aon figures from December show an average rate rise of 16% on primary layers, and 29% on first excess. (See graph above.)
However, as the market faces down the attritional threat to profitability, there is still one fundamental question which is yet to be figured out – and that is the question of cat risk.
Cyber often sits in financial lines, but it is in fact the ultimate hybrid product, straddling first-party (e.g., ransomware), third-party (data breach) and catastrophe exposures.
Therefore, there is no real precedent or playbook that tells you what a “good” loss ratio looks like for such a product, nor how long the tail can be.
Some in the past have likened the loss profile of cyber to be akin to property cat – a low frequency, high severity play, where underwriters would expect good margin to absorb or compensate for volatility.
However, the rise in frequency and severity of first-party ransomware claims is now rendering a class with substantial cat tail risk unprofitable even when there have been no real cat losses to speak of.
People talk of the “cyber hurricane” – a single cyberattack which affects multiple insureds – as the extreme cat scenario to threaten market profitability, but the buffer to absorb any aggregation of claims from a single event has been severely eroded.
One senior underwriting source said that on the 2019 and 2020 underwriting years, “you don’t need much of an aggregation event – maybe just five or six clients in some scenarios – to wipe out a whole year”.
And even though re-underwriting work is hoped to bring these attritional loss ratios down and create more buffer, there is still no real consensus on what a suitable cat load is for cyber – and if there was, it would be soon rendered unsuitable with the rapid changes in the threat landscape. Cyber models exist, but they are underdeveloped.
Conversations among the most established cyber players are starting to seriously think about how to attempt to put bounds around cyber catastrophe risk – how to define it, and how to price for it – although it is not clear that these discussions are happening uniformly across the market.
But the need to address this cat question is getting more urgent.
In recent months, there have been a number of what one source called “warning shots” in the form of cyberattacks with loss aggregation potential – SolarWinds, Sita, and just this weekend, reports emerged of 30,000 US organisations hacked via holes in Microsoft’s email software.
In all these cases the claims impact is unclear at this stage – certainly the SolarWinds and Sita incidents seem to have factors that could limit payouts – but the scenario behind the attacks is theoretically the cat-style aggregation event which the market fears.
But even these warning shots aside, if the primary market is to grow to its full potential, it needs to start managing the cat element of cyber more effectively than it is at the moment.
Negative headlines aside, the future looks bright for cyber if it can push through this difficult phase – for the macro factors which also influence this class look promising for growth.
Already the cyber market was registering double-digit premium growth. Recession-related concerns about cyber falling into the “discretionary spend” category of insurance do not seem to have come to fruition (at least not yet), and there are many in the market who believe that in a post-pandemic hybrid working environment, the demand for cyber coverage from businesses will be even greater with so many of us working from home.
Munich Re figures published on its website give cyber market GWP expectations of $9.1bn for 2021, growing to $20.2bn by 2025, although it is not clear whether the impact of the pandemic and the changing working environment have been factored into these assumptions.
This is a growth class, and the consumer need for an insurance solution for this risk is increasing – but if the primary market is to grow to its full potential, it needs to start managing the cat element of cyber more effectively than it is at the moment.
For the primary cyber market to expand significantly, it will need the support of its reinsurers – which are currently wary of aggregation issues and cedants’ current ability to properly price the risk they are taking on.
After all, after years of intense competition and market softening, cyber insurance still encompasses wordings which could bring substantial systemic risk – particularly around losses stemming from outages at third-party service providers.
Crucial to reinsurance support going forward will be cedants’ ability to prove to their reinsurers that this current ransomware issue is a wobble rather than a deep-rooted issue with the product – and that the re-underwriting work they are taking is more than pushing rate, it also involves tightening of wordings, better risk selection and exposure management.
The more market penetration grows, so does the potential for aggregation – particularly in a world where everything is becoming more connected.
But ask 10 different people how to solve the cyber cat risk question and you will get 10 different answers.
There are suggestions of splitting out the elements of coverage which bring aggregation – such as cloud outage or non-IT BI – and pricing accordingly as a separate cyber cat product, bought as an add-on to a traditional cyber insurance policy. Similar debates are also going on about splitting the product between first and third-party exposures.
Others believe that better definitions and triggers around what constitutes a cyber cat event would encourage more reinsurance capacity to come forward – potentially in the form of ILS or other third-party capital products, which to date have seen limited take up.
The cyber catastrophe is one of the biggest “known unknowns” out there, and it will require market collaboration and consensus to try to understand and underwrite that risk better.
And until the cyber market can do that, there will be limits to how far it can go.
Insurance Insider delivers global wholesale, specialty, and (re)insurance intelligence that enables you to act first. Redeem your complimentary 14-day trial for more premium content from Insurance Insider.
Scan here to download the app