Key Takeaways
- Prices in the cyber re/insurance market could rise sharply over 2021-2023; in some cases, doubling from the current levels. The pandemic accelerated digital transformation and increased systemic vulnerabilities, causing economic and insured losses from cyber to skyrocket.
- We estimate that primary insurers pass 35%-45% of global cyber premium to reinsurers and rely on them for their expertise in managing potential accumulation risk and exposure to cyber risk.
- Partnership between reinsurers and primary insurers could strengthen coverage and give greater balance sheet protection against frequent and high-severity losses. It could also support access to cyber-related services.
- A more mature retrocession and insurance-linked securitization (ILS) market could increase capacity and support cyber market growth and could lead to better returns on capital because of efficient capital management further down the re/insurance chain.
The pandemic has changed the ways we shop, learn, and work, changing the shape of the cyber risk landscape. E-commerce is booming, brick-and-mortar retailers are shifting to digital platforms, and schools and offices have adapted to remote learning and working. In S&P Global Ratings' view, these digitalization trends are here to stay and will inevitably lead to a higher likelihood of cyber incidents.
The demand for cyber re/insurance coverage has increased significantly, mainly because of a heightened and rising awareness of cyber risks. The pandemic exacerbated the huge cyber reinsurance protection gap by causing existing and new clients to request larger limits and more inclusions in their policies' terms and conditions (T&C). In addition, some insurers are offering more-advanced services, including value-added assistance services, and we have seen a shift from nonaffirmative to affirmative (explicit) cyber coverage, leading to previously unrecognized premium volume.
As Losses Multiply, Rates Ramp Up
Unsurprisingly, given the boom in digitalization, the re/insurance industry has seen a substantial pick-up in cyber losses, with far higher combined ratios in 2020 and 2021 than in previous years. According to AON PLC, the cyber combined ratio in the U.S. increased by more than 20 percentage points to 95.4% in 2020, from 74.5% in 2019. This was mainly attributed to the growing frequency and severity of ransomware and social engineering claims. These include claims for business interruption, rising incident response costs, and extortion demands. As a result, market rates for cyber protection in the U.S. have shot up since 2019, based on the increase in reference premium. Even after this increase in premium, cyber business lines were not as profitable for the re/insurance players in 2020 as they had been previously (see chart 1).
Chart 1
To sustain long-term profitability, we anticipate that insurers will continue to restructure their cyber insurance offerings--increasing rates further and adjusting their T&Cs, particularly the exclusions. Some insurers also intend to further reduce their pay out limits, especially where contracts include ransomware or business interruption components. At the same time, they hope to increase retention levels through 2021-2023. Depending on the region and T&Cs, policyholders could expect rate adjustments of up to 100% because the risk level has fundamentally changed.
Reinsurers Offer Expertise Where Data Is Limited
Reinsurers' expertise in underwriting and modeling could help to build up the market. In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focus on risk differentiation, strong underwriting, and assistance services. Such services could help to reward customers whose cyber management is stronger (see "Cyber Risk In A New Era: Insurers Can Be Part Of The Solution," published on Sept. 2, 2020).
The market would benefit from the development of a comprehensive retrocession market, and the use of ILS or alternative capital to improve capacity. The market faces increasing demand, but limited supply. In our opinion, lack of capacity could be holding back the development of a sustainable cyber re/insurance market.
There is a significant demand for cyber coverage and we expect this business line to be one of the fastest growing insurance markets over the next decade. The dynamic change in claims pattern, rise of cyber threats, and huge accumulation risk creates an opportunity for larger reinsurance capacity. The number of reinsurers and insurers offering cyber coverage is rising in response. But with such a new segment, we think it is important for reinsurers to offer primary insurers support in managing the underwriting and risk management processes for cyber, as they do for natural catastrophe exposures.
Primary insurers rely relatively heavily on the reinsurance market for cyber insurance because it has a relatively short track record compared with more traditional and mature property/casualty lines of business. We estimate that they pass 35%-45% of global cyber premium to reinsurers, with some regional variation. In general, we consider reinsurers well-placed to enable further development of the cyber insurance market. The global multiline insurers usually have in-house expertise, but some midsize and more regionally focused insurers do not have the resources to boost their cyber skills. Therefore, they are more reliant on the external know-how offered by reinsurers.
That said, reinsurers also have to cope with structural challenges and systemic risks, the increase in cyber attacks, and an accumulation of exposures. These could include the nonaffirmative exposures we refer to as "silent cyber" (see "Cyber Risk In A New Era: Let's Not Be Quiet About Insurers' Exposure To Silent Cyber," published on March 2, 2021).
Silent Cyber
When cyber risk is neither explicitly included nor excluded within insurance policies, insurers can be exposed to additional cyber risks. We refer to these nonaffirmative cyber risks as "silent cyber." Where policies carry this type of uncertainty, insurers can find themselves facing losses to settle unexpected cyber-related claims.
Cyber underwriters have become more experienced and can base decisions on exponentially improved data sets. Nevertheless, they have been cautious about expanding insurance limits and T&Cs. Given how volatile cyber risks have been, we consider this restrained approach appropriate and that it indicates stronger risk management in the global reinsurance sector. We see a strong correlation between the sophistication of insurers' risk management and their approach to managing cyber risk. Generally speaking, reinsurers are pioneers in the assessment of cyber risk thanks to their complex enterprise risk management frameworks and investment in expertise.
Reinsurers As Partners
Reinsurers have taken on an even more important role in the cyber insurance ecosystem over the past two years. They provide cyber security, share underwriting knowledge, give actuarial support, and help managing accumulation risk, in addition to enabling the pure risk transfer. Providing cyber services could increase the value and relevance of the policy for clients. For example, many clients would appreciate comprehensive IT expertise and services associated with prevention measures, crisis management, and data recovery. Transparent and proper legal and crisis communication is also key to avoiding or minimizing regulatory fines, third-party legal claims, and reputational damage.
Table 1
| How Reinsurers Can Help | ||||
|---|---|---|---|---|
| Problems in the cyber insurance market | Reinsurer's role | |||
| Large accumulation risk, given the potential for interrelated losses | Accumulation consultation and actuarial support, as well as access to a broad range of data and comprehensive scenario-modeling activities | |||
| Nonaffirmative, silent cyber exposure | Quantification of silent cyber and support in defining clear exclusions or adequately pricing extended coverage. Support in shifting nonaffirmative cover to affirmative cyber policies. | |||
| Short data history and very dynamic nature of cyber risks complicate the calculation of a risk-adequate premium | Provide data analytics and risk management platforms | |||
| The benefit of taking out insurance is limited where maximum payouts prove inadequate and cyber policies have many exclusions | Reinsurance capacity, cyber underwriting, and claims training | |||
| Lack of transparency and uncertainty regarding what elements are covered within cyber policies | Screening for clear wording, with defined limits and coverage, to improve transparency | |||
| Lack of IT expertise | Cyber security expertise, including a pool of knowledge and experts, plus a network of pre- and post-incident third-party vendors | |||
| Source: S&P Global Ratings. | ||||
For primary insurers, the support of their reinsurers has become critical to helping them manage cyber risk efficiently, strengthen their cyber risk resilience, perform cyber risk assessments, conduct a cyber defense strategy, and continuously monitor for upcoming cyber vulnerabilities. Understanding the risks is of the utmost importance. As a risk consultant, reinsurers can help primary insurers to design products and improve underwriting processes. The reinsurance industry continues to invest in building-up a strong network and developing strong partnerships so they can provide a broad spectrum of pre- and post-incident cyber solutions.
The cyber reinsurance market is still young, compared with the traditional reinsurance lines. As it establishes itself, it must overcome the issue of its limited loss experience and data history. The reinsurance industry has been further improving its dataset by collecting information based on the coverage it provides to the primary insurance market. This helps it enhance its value proposition. Therefore, we expect reinsurers to play a major role in cyber risk management and in providing adequately priced protection.
The Market Is Gaining In Diversity
The proportional cyber treaty market is now well established, with more providers and more products on offer. Reinsurers have been able to increase their premiums, although profitability depends on the underlying primary insurance market. The stronger demand, combined with the hardening market, should help sustain risk-adjusted returns. As more reinsurers enter the market and the premium base expands, we expect them to gather an increased quantity of better-quality data. This will lead to improved modeling of risks and will likely reduce concentration risk as exposures are spread across a larger pool of reinsurers.
Most affirmative cyber insurance is still ceded via stand-alone proportional covers, most of which are quota shares. Typically, when primary insurers start to underwrite cyber risk, they pass more than 50% of the risk via quota share to a larger reinsurer. That said, as primary insurers gain in expertise, we are seeing a growing trend toward excess-of-loss and aggregate stop-loss cyber reinsurance. Specifically, there has been an increase in demand for aggregate excess-of-loss cover.
According to Swiss Re, the total market limit of aggregate excess-of-loss cyber reinsurance placed (excluding retrocession) increased by about a third to $2 billion in 2020, from $1.5 billion in 2019. This followed an increase of 100% in 2019, relative to 2018. However, only a limited number of players are operating in the facultative cyber market. As a result, the overall market is showing a shortfall in capacity, particularly for larger programs.
Most of the capacity for cyber reinsurance has been provided by large carriers. We expect this concentration to reduce in the next few years as more reinsurers enter the cyber reinsurance market, cautiously increase insurance limits, or expand their cyber product range. This should help establish stronger diversification in both the treaty and facultative market and will also support innovation in quantitative modeling, scenario analysis, and data quality.
The Circle Of Retrocession Providers Is Still Small
So far, retrocession capacity for cyber reinsurers has been limited--only a few large reinsurers have allocated capacity to this submarket because they wish to avoid a potential increase in accumulation and concentration risk across their cyber portfolios. In addition, because most retrocession is offered by potential competitors in the reinsurance market for this line of business, reinsurers have also hesitated to share underwriting and claims pattern data with retrocessionaires. This has hindered the industry's ability to establish a comprehensive retrocession market. We have seen a bottlenecking effect down the value chain leading to reinsurance and primary insurers.
Excess-of-loss retrocession on proportional portfolios is already available, but the traditional excess-of-loss retrocession market has yet to develop beyond the very early stages. In our view, a sound and reliable retrocession market would promote the development of a robust cyber re/insurance market. A more mature retrocession market could also enable reinsurers and primary insurers to manage capital more effectively, which could lead to stronger returns on capital.
Looking To Alternative Capital
The cyber market has limited capacity at every level--primary, reinsurance, and retro. Anywhere we see a lack of capacity, especially in a market which has enormous potential for economic losses, we believe that with risk-adequate pricing re/insurers have an opportunity to partner with the capital markets and so increase capacity (see chart 2). The global cyber protection market could follow the pattern used earlier, when natural catastrophe risks were first transferred to investors via catastrophe bonds.
Chart 2
For years, market participants have discussed the significant role ILS could play in adding capacity for cyber risk coverage, but the actual development of this submarket has been slow. We chiefly attribute this to:
- The lack of historical data;
- The inherent complexity of modeling and reserving, especially given the uncertainty stemming from silent cyber; and
- Pricing adequacy.
In addition, the cyber market's initial focus was on capacity in proportional reinsurance, instead of excess-of-loss reinsurance structures, which ILS investors prefer. The few excess-of-loss contracts written were on a risk-attaching basis. This is not attractive to investors as their exposure is not confined to the period of the contract, and could last multiple years. The recent move to claims-made structures, which shorten the tail of the exposure to a year, could make cyber insurance more interesting to ILS investors.
It is evident that the market needs improved, comprehensive products that are backed by risk capital. However, capital market investors may still prefer to invest in natural catastrophe risk because it is less correlated to market risks. This gives them a clearer diversification profile and shorter tail. By contrast, a big cyber event could trigger a decline in stock and bond market values, increasing the correlation with capital markets.
The anticipated improvement in rates on line and the evolution of product components that have a tail of less than a year could encourage the expansion of ILS capacity. The key challenge is to gain clarity on what a cyber catastrophe could look like, given the limited history against which to evaluate such an event. It would also help to standardize event definitions and loss triggers.
It might be easiest for the ILS sector to first focus on affirmative cyber and to build up industry loss warranty (ILW) products that have a cyber industry loss index trigger. This cautious move would help investors to improve their understanding of cyber tail risk. Firms such as PCS in the U.S. have started to provide industry loss estimates for cyber loss events, which could be used to define trigger events in ILWs. Overall, given the relative infancy of the cyber re/insurance and retrocession market, we anticipate that it will take some time before the capital markets are ready to take on a bigger share of the risk. Investors typically rely heavily on historical claims data and risk modeling when taking on insurance underwriting risks.
Tackling Cyber-Related Terrorism With Government Backing
The Singaporean government has set up the first example of a commercial cyber risk pool. The pool brings together traditional insurance and the ILS market to bolster capacity. In our opinion, this innovative and forward-looking solution offers a model that could be repeated in other markets.
In 2018, Pool Re, which is the U.K. government-backed provider of terrorism reinsurance, extended its cover to include certain cyber terrorism events. It is intended to provide protection in scenarios where the policyholder suffers substantial financial loss and operational disruption. The attack can originate anywhere, but it has to affect IT property/systems based in England, Wales, or Scotland.
Cyber risk pools can act as an insurance hub, collect data, and help to tackle dynamically changing cyber threats. Furthermore, such pools could support more risk-adequate pricing and underwriting through their increased focus on analytics and modeling. This may enable the provision of larger insurance limits and fewer exclusions within cyber insurance for policyholders.
20 Years On, Adequately Priced Capacity Is Key
It is more than 20 years since re/insurers in the U.S. started underwriting cyber risks, but the global market is still small and immature, particularly in Europe and Asia. This offers reinsurers a key growth area in which they could build long-term relationships with cedents.
Given the recent significant increases in the frequency and severity of cyber insurance claims, we believe the market is facing a period of rate increases and portfolio optimization. For participants, this requires balancing adequate rate increases, adjustments in coverage and T&C, accumulation management, and retention levels to optimize risk-adjusted returns. In our view, reinsurers' underwriting expertise and sophisticated risk management will be essential to this process. Risk differentiation, which means incorporating security standards and linking improvements in customers' information security levels to pricing considerations, will play a key role in developing a sustainable market.
That said, the market faces increasing demand and limited supply. The biggest risk to the development of a sustainable cyber re/insurance market is that capacity remains constrained. We are currently seeing undersupply in certain areas of reinsurance, retrocession, and alternative capital. As the underlying market continues to grow, so will the demand for capital further up the insurance value chain. In our opinion, the cyber re/insurance market would benefit from the evolution of a more comprehensive retrocession and ILS market in the next few years, supported by government risk pools. We see these steps as necessary to speeding up the expansion of capacity.
Related Research
- Global Reinsurers Grapple With Climate Change Risks, Sept. 23, 2021
- Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity, July 14, 2021
- Cyber Risk In A New Era: Let's Not Be Quiet About Insurers' Exposure To Silent Cyber, March 2, 2021
- Cyber Risk In A New Era: Remedy First, Prevent Second, Sept. 17, 2020
- Cyber Risk In A New Era: Insurers Can Be Part Of The Solution, Sept. 2, 2020
This report does not constitute a rating action.
| Primary Credit Analyst: | Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com |
| Secondary Contacts: | Maren Josefs, London + 44 20 7176 7050; maren.josefs@spglobal.com |
| Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com | |
| Johannes Bender, Frankfurt + 49 693 399 9196; johannes.bender@spglobal.com | |
| Taoufik Gharib, New York + 1 (212) 438 7253; taoufik.gharib@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.