Cyber insurance back from the brink after ransomware attacks
(Bloomberg) –The cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage.
Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh’s cyber practice leader.
The reversal would follow a wave of digital intrusions that dominated the work-from-home era and forced insurers to recalibrate both how they write policies and their risk appetites. Those attacks also pushed their clients to adopt stronger cybersecurity measures. The brutal conditions in the market have let up since then, with claim frequency declining in the fourth quarter of 2022 even as severity remained elevated, according to Marsh.
“What we’re left with is a very, very, very different market than what we went into two or three years ago,” said Paul Bantick, the global head of cyber risks at London-based insurer Beazley Plc. “We have a mature market that has stood up against a huge test.”
The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers.
Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.
The cyber insurance market is primed for growth amid that uncertain backdrop. Reinsurer Swiss Re AG said in a report late last year that insurers worldwide wrote $10 billion in cyber premiums in 2021. The firm estimated that figure is set to exceed $23 billion by 2025. More than half of businesses have cyber policies, but fewer than 20% have limits on those policies exceeding the median ransomware demand, Swiss Re said.
The cyber attacks that proliferated during the pandemic’s work-from-home boom pressured insurers to become more discerning when writing policies. Since then, underwriters have fine-tuned their coverage, while clients appear to have sturdier defenses in place.
“The cyber market is continuing to evolve and will continue to do so as the threat actors change over time,” Aon Plc President Eric Andersen said on a conference call with investors and analysts earlier this month. “When you think about the cyber market today and where it’s going, I would say the insurers have actually gone back to basics.”
These changes have paved the way for new capital looking to enter the market.
IQUW, a Lloyd’s of London insurance syndicate, launched in July 2021 and started writing cyber policies in 2022 to “offer meaningful capital at a time when demand was high,” said Andrew Lewis, IQUW’s lead cyber underwriter.
Bowhead Specialty Underwriters Inc. also started writing cyber policies in 2022 after the firm decided the coverage would align well with its other lines of business, according to Chief Executive Officer Stephen Sills.
“There was a relative shortage of capacity for a while,” Sills said in a phone interview. “There’s a belief on our part that the amount of claims and the number of severe claims has dropped of late.”
Newcomers coming into the market are creating “a lot more competition,” according to Adam Lantrip, who leads the cyber insurance practice at brokerage CAC Specialty. That’s helping rates to normalize while allowing companies to rebuild the stack of insurance policies they use to protect themselves against an attack.
It’s not just new entrants bringing more capital to bear on the market. Beazley launched a $45 million cyber catastrophe bond in January that it touted as the first of its kind. The security is meant to protect against a widespread event that inflicts more than $300 million in losses — the sort of attack that would represent a major threat to the industry.
The issuance points to how much the market has matured, and how insurers are continuing to think about how to innovate in the space.
“We want to be there for the future. We want to be a sustainable business,” said Michela Moro, a regional cyber head with insurer Allianz SA. “That’s definitely had an impact on the way we handle the underwriting process but also how we try to provide support and thought leadership for our clients.”
(Updates to attribute executive comment in 11th paragraph.)
–With assistance from Jack Gillum.