This report does not constitute a rating action.
Key Takeaways
- S&P Global Ratings hosted a webinar and Q&A on the changing face of the cyber insurance market featuring a panel of our top insurance analysts and industry experts.
- The cyber insurance market is maturing, as evidenced by stable premiums, but remains small compared to similar markets and subject to a rapid evolution of risk and demand for new methods of quantification and mitigation.
- Cyber insurance-linked securities offer a means to spread risk across the broader capital markets but remain constrained by investor wariness due to a lack of standardization, clarity regarding underlying risk, and the need for investor education.
Cyber insurance is maturing but still undergoing change. Years of demand growth, evolving risk, and increasing premiums have attracted new entrants, expanded the availability of coverage, and delivered innovation and new products. Signs of market maturity are becoming more evident, most notably in premium rates, which appear to be stabilizing in 2025.
At the same time, the market remains in a state of flux. Evolving and often growing risks are demanding new methods of quantification and mitigation. Companies are grappling with identifying and modeling their exposure, implementing the necessary risk controls, and ascertaining the point at which it is both prudent and functional to transfer risk to the insurance market.
Those issues and insurers' responses to them, including in terms of financing, were key themes for a panel of cyber insurance experts who met for S&P Global Ratings' webinar and Q&A on cyber insurance: "The Changing Face Of Cyber Insurance." A replay of the webinar is available at: https://event.on24.com/wcc/r/4812014/7DA55E11DA84EB3E6FBCCF4D3B809C6E.
"The risks companies are having to deal with, the changing nature of those risks, how market participants view them, and how they are managing them--these factors are driving the needs to which insurers and reinsurers are responding," said S&P Global Ratings analyst Ron Joas. "The need for alternate forms of capacity has led insurers and reinsurers to the capital markets and the issuance of cyber insurance-linked securities (ILS)."
Limited Scope, Limited Penetration
The panelists discussed how the insurance industry's approach to helping clients manage their cyber risk remains dominated by the provision of indemnity coverage, though the penetration of that coverage remains very uneven. In the UK, for example, the penetration rates are as little as 5% to 10% of small- and medium-sized enterprises holding cyber insurance. Moreover, panelists noted a persistent difference between the economic losses from cyber incidents and the insured losses, leading them to suggest that cyber insurers may be struggling to convince the market of the value of cyber insurance.
More sophisticated insurance providers are increasingly augmenting coverage with services that both add value to their offering and provide risk mitigation that could serve to reduce the frequency and size of claims. Those services include threat intelligence, the identification of supply chain risks, and actionable information to improve client cyber hygiene and the management of their policy lifecycles.
The panel noted that new cyber insurance products are making their way to market, but that the pace of change can make demand ephemeral and may be hampering innovation, while there remains uncertainty about how to quantify cyber risks and thus price them.
Cyber ILS: A Financial Opportunity Faced With Constraints
Cyber ILS, also known as cyber catastrophe bonds, offer primary insurers and reinsurers a means to reduce their exposure to insured cyber risks by transferring some of that risk to the capital markets (see "Cyber Risk Insights: Cyber Catastrophe Bonds Offer Greater Scope For Risk Mitigation," March 17, 2025).
The panel discussed the likelihood that "growth in the primary insurance space will push demand for reinsurance and risk transfers." It also noted that the issuance of cyber ILS (there have been five cedents so far) is constrained by the size of the cyber insurance market. For example, natural catastrophe bonds (which are similar to cyber catastrophe bonds) are underpinned by about $52 billion of outstanding natural catastrophe issuance, compared to about $1 billion for cyber.
There was consensus that growth in cyber ILS will ultimately be driven by growth in the underlying cyber insurance market, whose complexity and potential size make it a strong candidate for the sharing of risk across balance sheets. Yet the experts also warned that a lack of standardization in ILS contracts, a lack of clarity about the underlying risk, and generally limited investor understanding of the ILS market and ILS modeling would likely inhibit near-term growth.
Related Research
- Cyber Risk Insights: Cyber Catastrophe Bonds Offer Greater Scope For Risk Mitigation, March 17, 2025
- Cyber Insurance Market Outlook 2025: Cycle Management Will Be Key To Sustaining Profits, Nov. 27, 2024
- Cyber Risk Insights: Navigating Digital Disruption, July 7, 2024
| Primary Contact: | Ron A Joas, CPA, New York 1-212-438-3131; ron.joas@spglobal.com |
| Secondary Contact: | Alexander J Gombach, New York 1-212-438-2882; alexander.gombach@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.