The current state of the cyber insurance market can be explained with the simplest concept in economics: supply and demand.
The Cyber Capacity Issue
Cyber risk is as high as ever, with no sign of slowing down. This leads to organizations’ increased appetite for cyber insurance.
On the other hand, insurers and reinsurers see the threat landscape becoming increasingly risky, with attacks more frequent and more costly. This results in a pullback in overall supply or capacity.
High demand and low supply result in skyrocketing premiums, with Marsh’s Global Insurance Index indicating a stunning 96% increase in premiums year-over-year in Q3 2021.
On the demand side, organizations see an ever-evolving threat landscape, with new vulnerabilities, threat actors, motives, and tactics. Organizations are keen to defend themselves from cyber threats when loss of data, money, and reputation are at stake.
Recent attacks, such as the one targeting Okta — a global leader in authentication services — saw ransomware group LAPSUS$ accessing accounts of large enterprise customers such as AWS, Salesforce, and Zoom. This incident proved that even a FedRAMP-certified organization focused on cybersecurity and providing security services is still susceptible to attacks.
The current geopolitical landscape also has organizations on high alert, with Russia invading neighboring Ukraine. Russia is known to sponsor hacking groups to carry out attacks and espionage on its enemies worldwide. If Russia is willing to use physical force, cyberattacks and incidents will likely be on the rise.
In sum, organizations are at a critical stage of assessing their cyber risk. That risk has increased their demand for cyber insurance policies, which they hope will cover at least a portion of the cost of an attack when one inevitably occurs.
On the supply side, insurers and reinsurers are increasingly hesitant to take on more cyber risk for the same reasons outlined above.
Because the cyber insurance market is relatively new, cyber risk is difficult to quantify. How susceptible is an organization to an attack? It could depend on the industry, type of technology used, data stored, location, and many other factors.
A bank, for example, would be a massive target for hackers looking for an easy payday. Banks are also subject to government regulations that require cyber controls to mitigate the likelihood of an attack.
On the other hand, a small industrial company might be of little interest to hackers but could have very weak security controls. These scenarios are only the beginning of the considerations cyber insurers must weigh.
Insurers are increasingly doing more due diligence before writing a policy, asking organizations to fill out detailed questionnaires related to their cybersecurity infrastructure, exposure, and controls.
In general, insurers have difficulty quantifying cyber risk. As such, insurers and reinsurers are hesitant to take on more cyber exposure. This results in lower overall capacity in the cyber insurance market, tightening the supply of policies. Limited supply, coupled with skyrocketing demand, has increased the price of cyber insurance premiums.
As the market for cyber insurance matures, insurers and reinsurers will better understand and be able to quantify cyber risk and exposure. Insurers are learning which questions to ask prospective customers to better understand the organization's risks and capabilities. Actuaries studying cyber insurance and risk have access to more data and more knowledge at their fingertips to understand the state of the market and model potential losses.
With the current state of the cyber insurance market, organizations and insurers must understand their options. An insurtech platform like Relay can help brokers match their customers with insurers with available cyber risk capacity.
The current market shows no signs of slowing down; however, as insurers and organizations better understand their risks, the market should even out, with demand flattening and supply increasing, resulting in more tenable premiums.