articles Ratings /ratings/en/research/articles/241127-cyber-insurance-market-outlook-2025-cycle-management-will-be-key-to-sustaining-profits-13323968 content esgSubNav
In This List
COMMENTS

Cyber Insurance Market Outlook 2025: Cycle Management Will Be Key To Sustaining Profits

European Insurance Outlook 2025 Video

COMMENTS

Highlights From The European Insurance Conference 2024

NEWS

Report Says A Prolonged Financial Market Downturn Would Erode Insurers' Surplus Capital Across EMEA

COMMENTS

A Prolonged Financial Market Downturn Would Erode Insurers' Surplus Capital Across EMEA


Cyber Insurance Market Outlook 2025: Cycle Management Will Be Key To Sustaining Profits

image

S&P Global Ratings' stable view of the global cyber insurance and reinsurance industry is supported by its solid underwriting profitability in 2023 and 2024, and our expectation that this will continue over 2025. The industry is still benefiting from substantial increases in rates on cyber insurance and a tightening of the terms and conditions on cyber policies, which was mainly implemented in 2021 and 2022.

Why it matters:  Given the dynamic threat landscape, a combination of stagnant or even declining cyber rates and a sharp increase in underlying cyber claims could quickly result in a material decline in profitability.

Over 2025-2026, it is thus crucial that the cyber re/insurance industry pursues efforts to encourage policyholders to strengthen their cyber security posture; focuses on clear policy wording; selectively adjusts rates; and cautiously manages retentions and insurance limits. The combination of those actions should help safeguard sustainable profitability for the global cyber insurance market and serve to build-up capital in line with exposure growth.

Annual cyber insurance premiums are expected to reach about $23 billion in 2026, up from about $14 billion at year-end 2023, with a projected growth of 15-20% annually (see chart 1). The fastest growth rates are anticipated in the Asia-Pacific and Latin America regions, where cyber insurance markets are smaller and less mature than in the United States and Europe. Overall, cyber insurance remains one of the fastest-growing subsectors of the global insurance market, meaning that a key priority will be the development of a sustainable model for insuring cyber risks that both meets rising demand and effectively responds to the rapidly evolving risk landscape.

Chart 1

image

Over the last two years, re/insurers and managing general agents (MGAs) have entered the cyber insurance market, leading to an increase in capacity and competition, especially in the U.S. Furthermore, following several years of increasing premiums and capacity constraints, the past two years of cyber insurance renewals reflected softening conditions that have led to a lowering of expected growth rates.

Stronger competition has also resulted in lower retention rates and premiums and an easing of required sub-limits for policyholders. We will closely monitor any resulting reduction in margins for a potential negative impact on capital, earnings, and our risk exposure assessment of the insurers and reinsurers that we rate which offer cyber re/insurance.

Widespread AI Adoption Will Increase The Frequency Of Cyber Attacks

AI is accelerating the automation of hacking. That is particularly the case with regards to personalized and tailored phishing and email extortion, which can be efficiently and convincingly translated into multiple languages, enabling scaling across numerous regions. Ransomware-as-a-Service (RaaS), whereby criminals deploy predeveloped ransomware tools, is also expected to increase with the support of AI. The result is likely to be an expansion of cyber criminality as new markets become increasingly accessible and economically attractive.

We expect that understanding the implications of AI for cyber insurance will be a key focus for the industry over the next two years and that the threat landscape will continue to evolve dynamically, shaped by the battle between attackers seeking to exploit vulnerabilities and defenders seeking to close them. That interaction will influence claims development and, consequently, the loss ratios within the cyber insurance industry in the years ahead, as will the industry's own approach to adopting to AI tools, notably to effectively evaluate and price emerging risks.

Systemic Risk Remains A Major Challenge

The insurance industry's understanding and pricing of everyday attritional cyber losses encountered by businesses has improved, even as the frequency of claims continues to increase. That said, the modelling of systemic risk and the potential for catastrophic cyber events remains a major challenge. Large-scale cyber incidents, such as coordinated ransomware attacks or widespread malware, could impact multiple businesses simultaneously.

In 2024, evolving privacy regulations contributed to legal uncertainty that created the conditions for a rise in cyber claims. According to Allianz's commercial claims analysis, in the first six months of 2024, the frequency of large cyber claims rose by 14%, while the size of those claims increased by 17%. In addition, ransomware attacks increased in sophistication, and resulting business interruption and extortion proved more frequent, according to Allianz's data. The CrowdStrike outage, caused by a faulty update to cyber security software, affected millions of systems across multiple industries and highlighted software supply chain risks (see box: The CrowdStrike Outage: A Manageable Shock For Insurers).

We are monitoring the development of accumulation risk management among our rated insurers. In particular, we would consider that an overly aggressive expansion into the cyber insurance market, without robust risk controls, to be potentially detrimental to an insurer's risk exposure, capital strength, and earnings stability.

Non-US Markets Are Fueling Cyber Insurance Expansion

Insurance limits vary, and underwriting requirements are adapting to evolving threat landscapes in the various global regions. Non-US markets are currently playing a significant role in driving growth, amid heightened awareness and regulatory demands for cyber hygiene. The cyber cover penetration gap will drive demand for protection due to elevated cyber awareness (across small and midsize enterprises (SMEs), larger organizations, and critical infrastructure) and evolving regulation, in particular with regards to data privacy.

In the primary cyber insurance market, Latin America and Asia-Pacific have witnessed the highest growth rates in premiums over the past five years (see table 1). Cyber insurance markets are larger and more mature in North America and Western Europe, which explains the lower growth rates in these markets.

Table 1

Regional growth in cyber re/insurance markets have driven premium increases
Gross premium written growth (%)
CAGR 2019-2023 (%) primary insurance CAGR 2019-2023 (%) reinsurance
North America 35% 57%
Europe, Middle East, and Africa 35% 53%
Asia-Pacific 68% 69%
Latin America 88% 53%
Total 38% 56%
Data is based on our cyber insurance survey of global multiline insurers and large reinsurance groups. CAGR--Compound annual growth rate. Source: S&P Global Ratings.

Rates in the U.S. were almost stable over 2024, with rate adjustments of 0.2% to 1.6% over the period from Q3 2023 to Q2 2024. That results from ample market capacity and a competitive environment that created a more buyer-friendly cyber insurance market characterized by decelerating primary cyber insurance rate increases. The average increase in cyber insurance premiums fell below 1% over Q1 2024, down from an average increase of above 20% in 2022 and a peak of 34.3% in the last quarter of 2021, according to the Council of Insurance Agents and Brokers (see chart 2).

Chart 2

image

Based on our cyber insurance survey, North America accounts for about 51% of gross premiums written (GPW) on affirmative cyber insurance--which explicitly covers cyber risk; Europe, the Middle East, and Africa (EMEA) about 38%; Asia-Pacific (APAC) 9%; and Latin America (LATAM) 3% (see chart 3). We expect the relative share of the U.S. to gradually fall and, especially, APAC and LATAM to increase over 2025-2026.

Chart 3

image

Cycle Management Will Be Key For Cyber Insurers Over 2025-2026

The primary cyber insurance segment's rate increases and tightening of terms and conditions in 2021 and 2022 have paid off. In 2023, the net combined ratios of global insurers in the primary insurance segment remained relatively stable at 75%-88%, depending on the region, indicating strong underlying technical profitability (see chart 4).

Chart 4

image

The cyber insurance industry is currently navigating a soft rate environment. This line of business is still young compared to other lines of business. As a result, price fluctuations are likely to be an ongoing characteristic, not least due to the emergence of new risk-differentiation models and cyber security standards, alongside improvements in cyber security risk management frameworks.

On the one hand, underwriting requirements are dynamically changing. There is a clear trend towards using more sophisticated models and tools that enable data-driven scenario analysis. For example, quantitative underwriting involves gathering signals and data, including internal and external security data, enterprise statistics, and supply chain data, including loss and exposure information. This enables more individualized risk underwriting and decision making at a portfolio level, including forward-looking scenario analysis. It also facilitates quantitative comparisons of quality within portfolios and facilitates better capture of changes in cyber risk dynamics that, ultimately, improves confidence in the market.

The increased focus on advanced risk-selection technologies and claims management (including incident response and even specialized ransomware response teams) is helping to make the cyber insurance industry more sustainable and propelling its development. We consider the current margins to be sustainable and expect this will contribute to market development and the ongoing accrual of reserves for long-tail events.

On the other hand, the industry is facing large increases in the frequency and severity of claims and increasing competition. The resultant potential for stagnating rates, or rate reductions, could quickly lead to insufficient margins. We will closely be monitoring progress in modelling and the cycle management of cyber insurers over 2025-2026, including pricing levels, the competitive landscape, underwriting discipline, and policy wording.

Cyber Insurance's Growth Will Continue To Rely On Reinsurance's Ability To Provide Capital

In our view, reinsurers will remain an important pillar in the development of a sustainable and effective cyber insurance market (see "Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market," Sept. 29, 2021). Cyber insurers use a significant amount of reinsurance, with primary insurers, on average, ceding around 56% of cyber insurance premiums to reinsurers in 2023, according to our survey (see chart 5). The reinsurance market will remain extremely important in providing capital and capacity to support further revenue growth.

Chart 5

image

Cyber reinsurers' average net combined ratio underperformed the primary insurance segment over the last three years. However, in 2023, strict underwriting and higher rate adjustments, compared to primary cyber insurers, helped reinsurers to achieve underwriting profitability in their cyber portfolios, with a net combined ratio of 89% for 2023, compared to 99% in 2022, and 104% in 2021 (see chart 6). We expect this trend continued in 2024, leading to currently sustainable margins for cyber reinsurers.

Chart 6

image

Most affirmative cyber insurance is still ceded (sold on to reinsurers) on a stand-alone, proportional basis, where reinsurers pay a share of the losses as a quota share. That quota share was about 76% in 2023 (see chart 7). A combination of improved profitability and cyber underwriters that are better equipped to manage and absorb attritional losses, has seen reinsurers move toward excess-of-loss treaties (which pay compensation for losses that exceed a specified limit) that focus on high-severity events. This could be an early sign of a maturing cyber reinsurance market. Overall, we forecast rising demand for event-based structures, like event excess-of-loss reinsurance, and aggregate stop-loss agreements, especially from larger insurance groups.

Chart 7

image

Currently, most of the capacity for cyber reinsurance comes from large and specialty carriers. However, in the coming years, we anticipate this concentration will decrease as more reinsurers enter the market and as existing players gradually raise their insurance limits to expand their cyber product offerings. This shift should enhance diversification in both treaty and facultative markets, while also fostering advancements in quantitative modeling, scenario analysis, and data quality.

Re/Insurers Operations Are Also Exposed To Cyber Threats

Like other industries, insurers and reinsurers are exposed to operational cyber risks, including interruption of IT systems, outages of dependent third-party IT services, data breaches, defense costs, liability for security events, and ransomware attacks. We consider that the vulnerability of insurers to cyber attacks is increasing, driven by the sector's digitalization and the greater adoption and concentration of shared network infrastructure and service providers. The CrowdStrike outage impacted insurers and reinsurers, with some (re)insurers forced to suspend web-based services as a result. However, on average, the outage did not have a significantly negative direct impact on the industry.

We continue to believe that, on average, global multiline insurers and reinsurers can manage their direct cyber risk exposure, thanks to their sophisticated enterprise risk management, robust capital, the regulatory oversights they are exposed to, and the insights they gain through underwriting cyber insurance. However, we remain wary of the possibility that a direct cyber attack could affect re/insurers, and that a significant event could cost them a significant portion of their average annual earnings.

Large-Scale Data Breaches Are A Concern For Re/Insurers

So far, cyber incidents have had minimal impact on the creditworthiness of global re/insurers. However, that could change rapidly and dramatically. Cyber criminals are rapidly becoming more sophisticated, and insurance companies are attractive targets for attacks due to the large amounts of valuable customer personal information they hold.

Events have highlighted the risks posed to insurance groups:

  • In February 2024, U.S.-based Change Healthcare, part of UnitedHealth Group, suffered a ransomware attack by a threat actor known as ALPHV/Blackcat. Change Healthcare's system was disconnected from its parent group to contain the cyber attack, resulting in disruptions to insurance claim processes that affected patients and healthcare professionals across the U.S. (see "Bulletin: Cyber Attack At Change Healthcare Poses Reputational Risks For UnitedHealth Group Inc.; Uncertainties Remain," March 11, 2024). The financial cost of the attack is expected to be about $2.2 billion this year (based on Q3 2024 guidance), which we consider manageable for UnitedHealth. While most processes and products have been fully restored, we consider that the event exposes the company to increased reputational risk. The outages at Change Healthcare also highlighted the interconnected nature of the healthcare system and how an attack can cripple the industry at large.
  • In March 2021, U.S.-based CNA Financial Corp. discovered a cyber security breach, prompting it to launch swift remediation efforts focused on identifying, containing, and mitigating the impact of the attack. The group's operating subsidiaries were largely unaffected by the incident. The company's rapid response--including communication with employees, customers, brokers/agents, and regulators--mitigated our concerns about effects on its brand reputation and competitive position (see "Bulletin: CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position," March 26, 2021). The company also said it was able to absorb the potential financial consequences of the breach due to its cyber insurance coverage.

Most Large Re/Insurers Appear Able To Resist The Financial Impacts Of Direct Cyber Attacks

Global multi-line insurers and reinsurers appear likely to be able to manage the capital impact of a potential cyber attack on their own companies, according to our analysis, which was conducted using Guidewire's Cyence model (see chart 8). The data suggests that large re/insurers have, on average, sufficient revenue and financial buffers to withstand operational cyber risks, due to: well diversified revenue streams that aren't dependent on a single business area or region; and strong capital adequacy, that is a result of strong and prudential regulation.

Chart 8

image

Our analysis also suggests that damage from a cyber incident could vary significantly on a case-by-case basis. For one insurer in our sample, we estimate the tail loss of a cyber incident at about 75% of the average annual income over five years (see chart 9). That highlights the fact that, for some insurers, the potential for damage from a cyber attack could be significantly higher than the average due to lower profitability and structural deficiencies in risk management that reduce their cyber resilience. We believe such weaknesses could weigh on insurers' earnings and reduce the accumulation of capital buffers in the long run (especially when combined with other tail risks such as natural disasters and sluggish investment environments), which could lead to deteriorating creditworthiness.

Chart 9

image

Looking at the estimated losses (based on Guidewire's Cyence model) resulting from different types of cyber attacks, we see that direct and indirect business disruptions tend to result in the greatest loss, followed by liability-related and data breach losses (see chart 10).

We note that the survey suggests that damage from cyber ransoms appears to be relatively small, but we counsel against underestimating the potential impact of ransomware attacks (see survey results illustrated in chart 10). That is because the survey's outcome for cyber ransoms includes only loss estimates and forensic costs caused directly by ransom payments, while other (and often related) losses are attributed to the other types of cyber damage.

In fact, targeted ransomware attacks are the biggest contributor to damages from cyber incidents for re/insurers in our analysis. That is supported by the survey's results, which show that the vast majority, about 75%, of cyber incidents are targeted events, including ransomware attacks and data breaches. The remaining 25% are large-accumulation incidents such as cloud service provider outages and mass malware events.

In addition to direct financial impacts, cyber incidents (including ransomware attacks) can also cause serious and long-term business problems. That notably includes reputational damage, which can lead to declining new business and disrupt access to capital markets. We believe the risk of this secondary damage needs to be recognized and factored in to the potential harm that can be caused by a cyber incident.

Chart 10

image

Editor: Paul Whitfield

Related Research

This report does not constitute a rating action.

Primary Credit Analysts:Manuel Adam, Frankfurt + 49 693 399 9199;
manuel.adam@spglobal.com
Koshiro Emura, Tokyo (81) 3-4550-8307;
koshiro.emura@spglobal.com
Secondary Contacts:Simon Ashworth, London + 44 20 7176 7243;
simon.ashworth@spglobal.com
Cristina Polizu, PhD, New York + 1 (212) 438 2576;
cristina.polizu@spglobal.com
Research Contributor:Satish Kolli, Research Contributor, Hyderabad;
Satish.Kolli@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in