When talking to clients about cyber insurance, one important concept to explain is "cyber capacity" and how it relates to insurance. Having a solid understanding of how cyber capacity affects many wholesale partners and insurance carriers is essential to providing strong advice and service.
To understand cyber capacity, it's important to review what capacity means on a basic level. How does underwriting capacity affect the world of risk management, and what do clients and wholesalers need to know about it?
Underwriting capacity is the total amount of risk that an insurance group or wholesaler is willing to assume. Some groups decide a high level of overall risk is acceptable, while others are comfortable with less risk.
Each active policy that a company holds has a level of likelihood that the company will pay on a claim and a level of exposure — the amount they will pay. When combined, these two factors are the liability that the company is exposed to when backing a policy.
A company arrives at its overall capacity by adding the liability of all policies it backs and computing the likelihood of having to default at any given moment. If too many claims come through at the same time, then a company won't have the money to cover all of them. On the other hand, if a company holds too much money in reserve to cover claims, they're not taking full advantage of their available capital.
Striking this balance is extremely important for insurance groups to get right, as it often makes up the difference between a successful and a failing business.
Insurance groups that work in different fields and under different conditions have different acceptable amounts of risk. Each field and individual business is unique, so the ideal underwriting capacity for each company is always different. And as companies grow, their total capacity should always be changing, as being profitable allows companies to reinvest in the business, thus increasing their capacity.
The closer a company comes to consistently hitting this moving target, the more successful the company is.
Underwriting capacity for cyber insurance has changed radically in the last few years as the number and severity of hacks have risen. Two major forces are driving this change:
The rise of ransomware. Ransomware has exploded in recent years, with hackers holding essential data hostage at many high-profile companies. The incidence of ransomware attacks has skyrocketed compared to pre-COVID-19 pandemic levels. As ransomware hackers become bolder, their success has invigorated other hacking groups to follow in their footsteps, vastly increasing the overall number of hacks that companies need to fend off.
The increase in ransom amounts. Hackers are realizing just how much they can demand from their targets. In 2022, the average cost of a ransomware attack was $4.45 million.[1] Ransomware as a business has become much more effective, allowing many hackers to ask for ransoms that would have seemed preposterous just a few years ago.
The risk of an expensive ransomware claim contributes to a much lower cap for insurance underwriting capacity. Because both the risk and cost of a successful breach have increased dramatically, the ability of many companies to provide affordable and strong cyber insurance has decreased.
And that is showing up in premiums.
Most notably, costs for cyber liability insurance have risen by between 50% and 100% in many cases,[2] making it much harder for businesses and individuals to get coverage for their organizations.
Insurers have become more careful when considering the type and amount of coverage that they can offer, which has an outsized effect on the stability of pricing. Because the risks and exposures of cyber coverage are changing so quickly, companies can't be sure what claims they might be on the hook for during the term of the policy.
These imbalances in the cyber insurance market could all be temporary — most likely a sign of the insurance world struggling to adjust to a post-COVID-19 model of business. But in the interim, it can be useful to understand cyber underwriting capacity so you can better communicate with carriers and wholesale partners who are struggling with this concept.
[1] "Cost of a Data Breach Report 2022," IBM Corporation, Jul 2022. PDF file.
[2] Greenwald, Julie. "Cyber Cover Costs Explode, Capacity Limited," Business Insurance, 1 Nov 2021.