When analyzing an issuer, S&P Global Ratings views insurance as just one component of risk management. Insurance is one of the most dynamic sectors of risk management, and is changing rapidly, testing issuers from both an IT infrastructure and a cost perspective. Across the entire insurance industry, we've seen gradual shifts in cyber coverage premiums and other insurance eligibility elements, and believe U.S. public finance (USPF) issuers should consider all these elements when building their cyber security system. We've heard from issuers we rate that costs are increasing, in some cases to a level where certain entities, usually smaller ones, have decided to forgo insurance altogether, or explore other means of insurance. Cyber security is an ever-evolving credit risk and we'll continue to monitor this complex insurance component of it.

Insurance Demand

Insurance providers can play an important role in improving network resilience of policyholders by providing an ecosystem (see chart 1) of cyber services--such as IT expertise, crisis management, data recovery--to prevent claims, or investigate any attacks for a policyholder quickly. Still, many insurers have restrictive coverage for systemic risks such as those relating to compromised software infrastructure or cyber attacks deemed acts of war, having higher retention levels for public entities or coinsurance requirements for ransom payments, which could make it more difficult for public entities to be fully compensated in such a scenario.

Chart 1

Demand for cyber insurance has been increasing but limited capacity on the supply side has led to rapidly rising premiums, as well as adjustments in coverage, terms, and conditions. Globally, cyber insurance premiums reached almost $12 billion in 2022, according to Munich Re. In our view, that figure is likely to increase at an average of 25% per year to about $23 billion by 2025 (see chart 2). The growth of the past two years might seem to be a sign of a burgeoning cyber insurance market, but rising rates accounted for much of the increase in total premiums, rather than an increase in the number or size of insurance contracts.

Chart 2

Cyber insurance rate increases have decelerated recently (see chart 3). According to the Council of Insurance Agents and Brokers, the average increase in premiums fell below 20% for the first time in six quarters, leading to a rise of 15% in fourth-quarter 2022 and 8.4% in first-quarter 2023. This is down from a peak of 34.3% in the last quarter of 2021, indicating improved profitability for insurance companies underwriting cyber insurance.

Chart 3

The market remains tough but the cyber insurance industry has improved slightly due to:

• Enhanced risk management capabilities;
• New capacity as insurers and innovative managing general agents continue to enter the market;
• Policyholders improving their network hygiene (to prevent data breaches by protecting sensitive data, backups, encryption, patch management, multifactor authentication, and so forth); and
• Better understanding of ransomware, following investment in employee awareness, technological defenses, and operational resilience, taking pressure off the claim dynamic.

The insurance industry has improved cyber risk management and gone through a period of portfolio optimization. This puts it in a more sustainable position to underwrite a higher number of risks, which could lead to a material increase in the number of contracts. For more information, see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022, on RatingsDirect.

Insurance Is An Key Part Of An Issuer's Risk Management Strategy

We incorporate our view of an issuer's cyber security preparedness into our overall assessment of risk management, looking at how an issuer prepares for, responds to, and recovers from cyber attacks (for more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021). Cyber insurance can be a critical part of an issuer's response plans and ability to recover from an attack. Given the change in the insurance market, it may seem that USPF issuers have elevated risks; however, this is just one element of an organization's holistic cyber risk management strategy. A lack of insurance can be partially mitigated by following strong practices in other areas, such as rapid detection, which can disrupt the cyber attack lifecycle; comprehensive training; strong IT asset management; and robust continuation of operations planning, with adequate backups and other measures to ensure a rapid recovery in the event of an attack. Furthermore, some issuers are relying on self-insurance or other dedicated financial resources to assist with response and recovery after an attack.

The Credit Implications Of Insurance

We consider cyber insurance under various management principles in our USPF criteria. In our view, insurance is just one component of an entity's risk management stance. However, a lack of insurance, self-insurance, or other dedicated resources to mitigate cyber attacks, could negatively affect our view of an entity's management profile, particularly if it reduces an issuer's ability to adequately respond to and recover from an attack depending on potential mitigating factors. These could include robust practices regarding preparation, such as active IT asset management, an active management team with leadership that quickly adapts to a changing threat landscape, or significant liquidity. For more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance."

For USPF Issuers, Getting Cyber Insurance Is Difficult But Not Impossible

Because costs and system requirements are rising, issuers are taking other routes for insurance protection, such as joining a municipal pool, like the Texas Municipal League, or even using self-insurance for cyber security.

For cyber insurers, losses have increased significantly in the public sector. Cyber incidents and data breaches have become a part of daily life. Threats are evolving as attackers relentlessly exploit system flaws and defenders patch them.

Governments and public agencies make an attractive target for cyber criminals. For example, a city or town delivers services and might store and use confidential and sensitive data. As a result, USPF entities often fit hackers' target criteria. At the same time, issuers might have fewer cyber security staff and limited budgets dedicated to cyber security, along with aging networks. Public entities can't afford for their systems to be offline. That's why hackers often use ransomware, as they believe many public organizations will pay a ransom: The Sophos State of Ransomware 2023 report indicates that in 2023, a higher proportion of U.S. local governments paid ransoms above $1 million than in 2022, and 34% of organizations reported paying ransoms to recover data.

The Cyber Insurance Ecosystem

For any organization, a cyber incident can lead to service interruption, ransom payments, a drop in reputation, and potential fines from regulators or state governments. This can mean several adverse consequences as organizations rebuild databases and manage reputational and operational damage. Especially for public entities with limited cyber security staff, we believe cyber insurers can act as an orchestrator by building an ecosystem of internal and external expertise to prevent cyber claims and investigate attacks quickly.

Public entities will continue to face hurdles in obtaining cyber insurance in the form of increased requirements for coverage and higher costs. Insurers that still offer coverage are making it harder to obtain: High premiums, very detailed questionnaires, and comprehensive web screenings make applying for a policy excessively complex. However, the upside is that by meeting an insurer's requirements, an organization's network becomes more cyber secure.

We expect insurers will continue focusing on risk differentiation by incorporating security standards in the underwriting process and linking improvements in organizations' information security to pricing consideration for cyber insurance contracts, especially in the public sector. That means organizations with a more resilient cyber security strategy will receive better insurance rates, which could motivate them (as policyholders) to fortify their cyber hygiene.

Third-Party Vendors Aren't A Quick Fix Or Substitute For Good Practices

Third-party vendors, including IT suppliers, are convenient for issuers, especially those with limited cyber security resources or potentially limited insurance options. However, when these vendors are used, management teams should review their cyber security insurance policies and verify if any coverage is applicable to their vendor as part of their assessment of the risks associated with outsourcing and development of risk management plans. Management teams need to understand if their third-party vendor should experience a cyber threat or breach, how this will affect the issuer; if the vendor's insurance policy protects the outsourcing entity, and if the entity's insurance policy covers the damages they might face due to the third party's threat or breach. Although third-party vendors are convenient, they aren't a substitute for healthy cyber hygiene practices because they present additional risks. For more information, see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?" published Oct. 25, 2021.

Federal Help Could Be On The Way

In the U.S., recent regulatory actions, including the National Cyber Workforce and Education Strategy, support proactive cyber security practices. In addition to cyber education, skill building, and workforce development, a major contribution in the strategy is a cyber insurance backstop, which would offer a federal insurance backstop should a catastrophic cyber event occur. With this backstop in place, some risks of coverage could be transferred to the U.S. government, thereby potentially increasing private insurers' willingness to insure additional entities. This strategy could provide some relief to USPF issuers that have faced difficulty when attempting to obtain cyber security insurance; however, with this higher demand for insurance, insurers are likely to raise minimum cyber hygiene standards for policyholders, thereby raising cyber-related costs for issuers. For more information, see "Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost" published Aug. 3, 2023.

In some sectors, such as public power, more established regulations exist. Of note, it's mandatory for public power utilities to comply with the Critical Infrastructure Projection reliability standards, developed by the North American Electric Reliability Corp., with a focus on bulk electric systems. For more information, see "Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark," published May 11, 2023.

Insurance is progressing beyond just financial compensation for damages to also provide recovery services and assistance in handling an attack. As threats evolve, issuers need to enhance their protection with insurers, all while fitting these expenditures within a limited budget. S&P Global Ratings will continue to monitor changes in the cyber insurance market and how they could affect USPF issuers' credit quality.

Related Research

• Global Cyber Insurance: Reinsurance Remains Key To Growth, Aug. 29, 2023
• Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
• Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
• Cyber Risk Insights: Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark, May 11, 2023
• Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark, May 11, 2023
• Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
• Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain, Aug. 24, 2022
• The Rocky Road To A Mature Cyber Insurance Market, July 26, 2022
• Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market, Sept. 29, 2021