Cyber risk is widely considered the top growth opportunity for the insurance industry and global cyber insurance premiums are expected to grow rapidly over next several years. Despite these projections, insurers need to realize that this market is not without its challenges. We’ve previously discussed several challenges in the cyber insurance market such as a lack of policy wording standardization and data collection. In this blog we will discuss how cyber insurance is being priced and what insurers should consider when pricing cyber.
Softening Cyber Insurance Market
The historical pricing index of U.S. cyber liability insurance shows that during the last several years, the market has been softening and pricing has been declining. This is so despite several prominent incidents, such as the WannaCry and Petya ransomware attacks and the Equifax breach, which drastically increased pricing. This market’s softening is due to the increasing competition among cyber insurers as more enter the market seeking to grow a new revenue source. The outcome of this is that insurance buyers are benefiting from the availability of cyber policies with attractive pricing, terms, and conditions. Insurers must deal with the fact that underwriting and pricing decisions are determined by what buyers are willing to accept and not necessarily the technical risk.
Are insurers mispricing cyber risk?
Given this market dynamic, how have cyber underwriters been performing? According to Aon, U.S. cyber insurance combined ratios averaged 70% from 2015 to 2017. These indicate a highly profitable segment, but we need to keep in mind that it’s likely the industry hasn’t faced extreme losses that would require significant payouts. Cyber insurers have also taken on a conservative approach that leads them to limit their exposure to large loss incidents.
To better understand this situation, AIR analyzed thousands of cyber insurance accounts and compared their cyber premiums being charged against the expected loss that would result from security breach incidents (Figure 1). The security breach loss estimates are an output of AIR’s probabilistic cyber model. We found that these two are mostly in line with each other, even though cyber policies typically include coverage for other types of loss such as business income loss and ransom payments. This tells us that it’s likely that premiums being charged in the market are less than adequate to fully cover all sources of insured loss.
Staying Ahead in the Market
No cyber insurer would want to be labeled as “naïve capital” or be forced to exit the market if an unexpectedly large loss is experienced. To avoid this, insurers who are already writing cyber risk or are looking to enter the market need to find ways to answer the following questions:
- Given the current market conditions and the policies already written, how deep in the red could my business go?
- As we evaluate new risks, how can we ensure profitability through proper risk selection?
- How can we grow the business and take advantage of untapped segments without exceeding risk appetites?
Modeling and analytics play a critical role in answering those questions since they consider cyber incidents that haven’t occurred before and provide forward-looking insights. AIR’s probabilistic cyber model is uniquely capable of answering these questions because it empowers underwriters to better differentiate risks and implement their own views as the market evolves. This model is available now within ARC, AIR’s cyber risk modeling platform, and cyber insurers can use the modeling insights to optimize their underwriting strategies.