Key Takeaways
- The global cyber insurance market has recently returned to profitability following two years of rate increases and tightening terms and conditions.
- Annual premiums reached about $12 billion at year-end 2022, and are likely to increase by 25%-30% per year to reach about $23 billion by 2025.
- S&P Global Ratings' survey of global multiline insurers and reinsurers suggests that growth in cyber insurance will depend heavily on reinsurance to provide capital and manage accumulation risk.
- Positively, our analysis of cyber exposure data suggests that global multiline insurers and the largest reinsurers could withstand a direct cyberattack on their own operations with no material effect on their capital.
Cyber insurance is still the fastest-growing subsector of the global insurance market. Global cyber insurance premiums reached about $12 billion in 2022, and in S&P Global Ratings' view, are likely to increase by an average 25%-30% per year to about $23 billion by 2025. Cyber insurance relies to a great extent on reinsurance protection, and we believe reinsurers remain critical to the sustainable growth of the market.
The opportunities for reinsurers and insurers (re/insurers) are clear, but how much of an underwriting risk does cyber present? To find out, we surveyed global multiline insurers (GMIs), large primary insurers, and reinsurers underwriting cyber re/insurance to assess market growth, profitability, risk appetite, and the types of reinsurance offered.
Insurers and reinsurers are not immune to cyberattacks on their operations, and any service disruptions or data breaches will likely affect their bottom lines and potentially their capital positions. To better understand the impact, we analyzed cyber exposure data from cybersecurity specialist, Guidewire, using its Cyence cyber risk model. We found that, on average, GMIs and the global reinsurers we rate could withstand a direct cyberattack on their organizations, with a limited impact on capital. However, a direct cyberattack could hit the earnings of some insurers significantly.
Cyber Risk And Our Insurance Ratings
Although we have taken only a modest number of cross-practice rating actions, and no rating actions on insurers, because of cyber risk to date, organizations' increasing dependence on technology and global interconnectedness mean the risk remains elevated. Our analysis of cyber incidents among insurers we rate illustrates the mounting likelihood of a more significant impact on these companies' business and financial profiles in the future.
Should a re/insurer aggressively expand in the cyber risk market without the requisite expertise, that could change our assessment of its risk exposure, especially if we believe the higher exposure could lead to volatile capital and earnings. That said, building a strong ecosystem of internal and external cyber-related expertise early on may lay the foundations for an improved competitive position and stronger profitability. Therefore, we closely monitor rated re/insurers' expansion in this area and how they deal with the challenges and potentially large losses associated with insuring and reinsuring cyber risk.
Cyber also presents an operational risk for re/insurers, given the huge amount of sensitive data they handle. We could change our assessment of a re/insurer's governance framework if we observe insufficient cyber risk management, including potential inability to identify and detect cyber risks, a lack of prevention measures, and an inadequate cyber-claim response strategy. We incorporate our view of a re/insurer's cybersecurity into our overall assessment of risk management, looking at how the entity prepares for, responds to, and recovers from cyberattacks.
The Cyber Insurance Sector Is Expanding Rapidly
The frequency and severity of cyber claims, especially those involving ransomware attacks, have undermined the market's profitability in recent years. In response, re/insurers have reduced their exposure, increased rates materially, and tightened policy wording. Consequently, much of the recent increase in premiums was due to substantial rate increases, rather than underlying growth in the size or volume of contracts.
However, we believe the industry will need to encourage more sustainable underlying growth that is not largely led by rate increases. This growth will depend heavily on market participants addressing systemic cyber risk, more insurers providing coverage with the support and expansion of the reinsurance, retrocession, and insurance-linked securities markets, as well as more small-to-midsize enterprises purchasing cyber insurance.
If the industry acts to encourage more sustainable underlying growth, we expect global cyber insurance premiums to increase by an average of 25%-30% to about $23 billion by 2025 from $12 billion in 2022 (see chart 1).
Chart 1
The U.S. Accounts For Most Cyber Insurance Premiums, While Latin America And Asia-Pacific Show The Fastest Growth
In the primary cyber insurance market, Latin America and Asia-Pacific have seen the highest premium growth rates in the past five years (see table 1). The cyber insurance markets are larger and more mature in North America and Western Europe, which explains the lower growth rates in these markets.
Table 1
| Historically high growth rates underscore the dynamic development of cyber (re)insurance premium | ||||||
|---|---|---|---|---|---|---|
| Gross premium written growth (%) | CAGR 2018-2022 (%) primary insurance | CAGR 2018-2022 (%) reinsurance | ||||
| North America | 35.2 | 55.7 | ||||
| Europe, Middle East, and Africa | 35.4 | 63.2 | ||||
| Asia-Pacific | 51.2 | 43.4 | ||||
| Latin America | 56.8 | 57.4 | ||||
| Total | 36.2 | 58.0 | ||||
| CAGR--Compound annual growth rate. Data is based on our cyber insurance survey for global multiline insurers and global reinsurance groups. Source: S&P Global Ratings. | ||||||
About 56% of gross premiums written (GPW) on affirmative cyber insurance--which explicitly covers cyber risk--are generated in North America; about 37% in Europe, the Middle East, and Africa; 6% in Asia-Pacific, and 1% in Latin America (see chart 2).
Chart 2
Reinsurers Are Essential To Cyber Market Growth
In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market. Cyber insurers use a significant amount of reinsurance. Primary insurers ceded about 50%-65% of cyber insurance premiums to reinsurers in 2022, depending on the region (see chart 3). The reinsurance market and, eventually, the retrocession market will therefore be extremely important in providing capital and capacity to support further GPW growth.
Chart 3
Reinsurers' expertise in underwriting and modeling is also helping to develop the market. In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focuses on risk differentiation, strong underwriting, and the provision of assistance services along the lines of prevention measures, crisis management, and data recovery.
Changes in claims patterns, the rise of cyber threats, and huge accumulation risk all create opportunities to increase reinsurance capacity. The number of reinsurers offering cyber coverage is rising in response.
Reinsurers' Rates Will Continue To Increase
Many reinsurers are nearing the limits of the amount of cyber exposure they can and want to handle. However, we don't expect the market to soften as it has for primary cyber insurance. This is evident from the reinsurance segment's higher rate adjustments so far in 2023. Reinsurers also need to regain underwriting profitability in their cyber portfolios.
Reinsurers had a difficult 2022 due to low profitability and even underwriting losses in their cyber portfolios. Their gross and net combined (loss and expense) ratios underperformed the primary insurance segment on average. The gross combined ratio was 107% and the net combined ratio 101% in 2022 for global reinsurance groups for the cyber business they reinsured (see charts 4 and 5).
We therefore expect more rate increases for cyber reinsurance business this year, as we have seen in the cyber primary insurance segment over the past two years. However, we believe primary cyber insurance underwriters can absorb the increases without passing them on to policyholders. This may be vital in the development of a sustainable cyber insurance market.
Cyber reinsurers' profitability was under pressure in 2022
Chart 4
Chart 5
Primary Cyber Insurers' Rates Are Stabilizing As They Enhance Their Risk-Return Profiles
Primary cyber insurance rate increases have decelerated recently. According to the Council of Insurance Agents and Brokers, in the first quarter of 2023, the average increase in cyber insurance premiums fell below 10.0% for the first time in ten quarters (see chart 6). The increase was 15.0% in the fourth quarter of 2022 and only 3.6% in the second quarter of 2023, down from a peak of 34.3% in the last quarter of 2021. Besides increased competition as more carriers offer cyber insurance, this indicates the measures insurers have taken to reduce their exposure and increase rates have also helped them establish a better risk-return profile.
Chart 6
Primary Cyber Insurers' Profitability Has Improved But Will Remain Volatile
The primary cyber insurance segment's rate increases and tightening of terms and conditions to offset pressure from high claims frequency have paid off. In 2022, the gross combined ratios of global insurers in the primary insurance segment improved to 64%-87%, depending on the region, indicating solid underlying technical profitability (see charts 7 and 8).
However, we believe profitability will remain volatile due to the dynamic nature of the threat landscape. Furthermore, many insurers are still building their exposure to cyber insurance, optimizing their reinsurance structures, and diversifying and scaling their portfolios by region and industry to improve their risk-return profiles.
Primary insurers' combined ratios improved significantly in 2022
Chart 7
Chart 8
Cyber Insurance Will See More Rate Fluctuations
Rate fluctuations will arise from the emergence of new risk-differentiation models and cyber security standards, alongside improvements in cyber security systems. These underwriting techniques have become a mainstay of insurers' efforts to create what they deem to be sustainable cyber insurance products. In some cases, it has also led to the cancellation of contracts where policyholders have failed to meet security standards and thus provide an acceptable risk-return profile for insurers.
Insurers have also adjusted contract terms and conditions; increased retention levels, meaning policyholders retain more risk; and reduced coverage for specific types of loss, especially in relation to ransomware and business interruption coverage. Those changes partly stem from the significant number of insurers whose loss ratios increased sharply, mainly due to larger and more frequent ransomware-related claims in 2020 and 2021.
An unfortunate side effect of the price increases and tightening of terms and conditions over the past two years is the perception of cyber insurance being unaffordable, especially for small-to-midsize enterprises. That, in turn, has led some companies and government entities to eschew cyber coverage altogether. This course of action offers upfront cost savings, but it could also make recovering from a cyberattack more difficult.
The Market Stands To Benefit From More Retrocession Providers
So far, retrocession capacity for cyber reinsurers has been limited; total retrocession utilization is only 11% according to our statistics. Only a few large reinsurers have allocated capacity to this submarket. We understand this is because they wish to avoid a potential increase in accumulation and concentration risks across their cyber portfolios. In addition, because most retrocession offerings come from potential competitors in the reinsurance market for this line of business, reinsurers have hesitated to share underwriting and claims data with retrocessionaires. This has hindered the industry's ability to establish a comprehensive retrocession market.
In our opinion, the cyber re/insurance market would benefit from the development of a more comprehensive retrocession and insurance-linked securities market, supported by government risk pools (see "Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain," published Aug. 24, 2022, on RatingsDirect).
Proportional Quota-Share Reinsurance Dominates
Most affirmative cyber insurance is still ceded via stand-alone proportional cover, most of which comprises quota share (87% in 2022; see chart 9). Despite the relative dominance of proportional quota-share reinsurance, the nonproportional market is also expanding in absolute terms. We see rising demand for event-based structures like aggregate excess-of-loss, aggregate stop-loss, and tail-risk occurrence cyber reinsurance, especially from larger players.
Chart 9
Large carriers provide most of the capacity for cyber reinsurance. We expect this concentration to fall in the next few years as more reinsurers enter the market, and existing players cautiously increase their insurance limits or broaden their cyber product ranges. This should help strengthen diversification in both the treaty and facultative markets, and also support innovation in quantitative modeling, scenario analysis, and data quality.
Technical Insurance Risk Is Not Re/Insurers' Only Cyber Threat
Like other corporations, insurers and reinsurers are also exposed to operational cyber risks, such as interruptions of dependent services, shutdowns of IT systems, breaches of client data, and ransomware attacks and their side effects. In our view, the COVID-19 pandemic accelerated the digitalization of insurance businesses and increased insurers' vulnerability to cybersecurity breaches.
Nevertheless, we believe that, on average, GMIs and reinsurers can manage their direct cyber risk exposures, thanks to their sophisticated enterprise risk management, robust capitalization, and the insights they have gained through cyber insurance underwriting. In contrast, a direct cyberattack on re/insurers could hit some of them hard, eating up a significant amount of their annual average earnings.
Huge Amounts Of Sensitive And Confidential Data Make Re/Insurers Vulnerable To Attack
Cyber incidents have so far had a minimal impact on our view of global re/insurers financial strength. However, this situation could change quickly and dramatically. Cyber criminals are rapidly becoming more sophisticated, and insurers possess large amounts of personal information about their customers, which makes them an attractive target.
A cyberattack could lead to a severe financial loss for insurers due to a direct theft of funds or ransom demands for stolen data, but also due to business disruption and regulatory fines. Besides the direct financial consequences, cyber incidents can also result in severe and long-lasting operational issues. The reputational damage may also be substantial, or even irreversible. It could also lead to a decline in new business or stymie access to capital markets. Protecting internal sensitive data from cyber criminality is therefore paramount for insurers.
Insurers globally are migrating toward digital channels and focusing increasingly on technology-led customer value chains in an effort to improve customer relationships and offer innovative products. Insurers are also working on advanced models and advanced risk management tools to deal with the complexity of cyber insurance products. Streamlining technology by using online policy application tools, digital claims handling, and mobile-based applications is an important part of their strategy. Yet a digital environment also introduces new attack gateways for cyber hackers.
Most Large Re/Insurers Could Withstand A Direct Cyberattack
Analyzing the operational cyber risk (using Guidewire's Cyence model) of the GMIs and global reinsurers we rate revealed that potential cyber losses may have a small effect on their capital (see chart 10). The data indicates that, on average, these large re/insurers would be able to withstand a direct cyberattack, since they have well-diversified earnings streams and do not depend on a single line of business or region.
Chart 10
The average probability (0.1%) of cyber loss in the tail for very large insurers with more than $50 billion of GPW is only about 7% of earnings, compared to about 12% for insurers with less than $30 billion of GPW (see chart 11).
Chart 11
However, cyber losses could be material for some rated insurers. For one insurer in our sample, we estimate a significant cyber tail loss of about 90% of average annual earnings over a five-year period (see chart 12). This estimate demonstrates that, for several insurers, potential cyber losses may be well above the average for the sample, due to lower profitability or structural shortcomings in cyber risk management and, consequently, lower protection against cyberattacks. This could strain insurers' earnings and, in the long term, curb the buildup of capital buffers, leading to a potential weakening of creditworthiness.
Chart 12
Collaboration Is Key To Innovative Underwriting
As the cyber insurance market develops, the cyber reinsurance market will mature as well. Despite larger reinsurers signaling that they are close to capacity, we see other reinsurers exploring opportunities to increase their exposure to cyber risk. This would help the market expand responsibly, with a diverse range of reinsurers.
Another mechanism to foster such growth is collaboration among participants in the cyber insurance market. Insurers, reinsurers, brokers, and managing general agents have developed innovative data-rich analytics to enhance their underwriting and aggregation-risk management. We expect to see increasing numbers of partnerships among these players in the future.
However, the cyber insurance market remains especially difficult for those in the cyber re/insurance value chain, given the enormous potential for economic losses. We therefore believe re/insurers need to diversify their sources of back-up protection when expanding in the cyber space. With risk-adequate pricing, we see an opportunity for re/insurers to partner with the capital markets and increase their capacity. In our view, despite the many challenges, third-party capital could become a vital component in the development of a mature cyber insurance market.
Related Research
- Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain, Aug. 24, 2022
- Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market, July 26, 2022
- Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market, Sept. 29, 2021
- Cyber Risk In A New Era: Let's Not Be Quiet About Insurers' Exposure To Silent Cyber, March 2, 2021
This report does not constitute a rating action.
| Primary Credit Analysts: | Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com |
| Koshiro Emura, Tokyo (81) 3-4550-8307; koshiro.emura@spglobal.com | |
| Secondary Contacts: | Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com |
| Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com | |
| Johannes Bender, Frankfurt + 49 693 399 9196; johannes.bender@spglobal.com | |
| Taoufik Gharib, New York + 1 (212) 438 7253; taoufik.gharib@spglobal.com | |
| Volker Kudszus, Frankfurt + 49 693 399 9192; volker.kudszus@spglobal.com | |
| Marc-Philippe Juilliard, Paris + 33 14 075 2510; m-philippe.juilliard@spglobal.com | |
| Research Contributor: | Tushar Jain, Pune; tushar.jain@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.