A supply and demand imbalance is driving the cyber market, with claims rising, capacity shrinking and underwriting profitability under pressure, according to Howden’s latest report “Cyber Insurance: A Hard Reset”, launched in July.

Shay Simkin, global head of cyber at Howden, sat down with the Re/nsurance Lounge, Intelligent Insurer’s digital hub for interviews, debates and panel discussions, to discuss the report and his thoughts on the future of the cyber market.

Opportunities and crunches

Until recently, cyber has been a lucrative business for re/insurers—gross written premium (GWP) has more than doubled since 2016, growing at a compound annual growth rate of 22 percent—significantly outpacing the broader P&C commercial sector.

“I sold my first cyber policy in 1997, but we started marketing cyber in only 2015/16,” said Simkin. “I thought the rates were never very sustainable and there were many insurers coming into the market.”

These “opportunistic” underwriters who entered the market when it was cheap and relaxed have since “fled to the mountains”, according to Simkin. He added: “We saw that that market is very, very unstable and you need to be on top of things.

“You need to understand technology and fully understand what you’re underwriting. Those that remain in the market have done two things: adjusted rates and lowered capacity.”

Discussions around rates being unsustainable began in 2019, when the market saw the claims ratio go up.

“In 2021, everybody in the whole insurance industry needed to go back to the drawing board to see what we have done wrong to hit such a high loss ratio. They needed not just to amend their underwriting criteria but also to amend the pricing,” explained Simkin.

Howden’s research found that global cyber insurance pricing has increased by an average of 32 percent year on year in June 2021. However, Simkin believes, it could be closer to 50 percent as he sees much higher premiums coming and “it almost feels like they are selling capacity, not risk”.

“Two to three years ago, we saw some carriers put on primary lines of $15/20/25 million. Today, we’re seeing a lot of underwriters unhappy to sit on the primary, and limiting capacity to $5/10 million. There is a real capacity crunch when you’re trying to build a tower of above $100/200 million,” he said.

Those looking to build these large towers will need to deal with many different underwriters, very small limits of liability, lots of demands on the underwriting side, different demands from different carriers, and lots of paperwork and information requests, he added, and he doesn’t see this trend ending in 2022 or 2023.

The three Rs

Aside from higher rates, rampant ransomware attacks and shifting regulation (dubbed “the three Rs” by Howden) are driving the cyber market today.

Ransomware was the main driver of claims in 2020, said Simkin, and it’s happening again in 2021.

Howden labelled this a “digital pandemic”—according to the report, industry data revealed that the number of ransomware attacks worldwide increased by 170 percent (Q4 2020 compared to Q1 2019).

“We see sometimes on a weekly basis, six or seven claims coming in. In the past, there would be one claim every six months,” Simkin explained.

While the role ransomware is playing in the market may be a newer phenomenon, from the early days of the industry, regulation has been a driver of growth, with the Health Insurance Portability and Accountability Act of 1996 pushing the American market to buy cyber, followed by the General Data Protection Regulation in the EU.

While most regulations centre on data and privacy, some are beginning to look at ransomware-focused regulation.

“In some places, we are already seeing the government take action,” he said, adding: “I think the next wave of regulation will not just be around data. It will be interesting to see how governments and regulators deal with the payment of ransomware and how active they’ll be.”

A tech threshold

Looking towards the future of the market, Simkin is confident that cyber insurance will continue to grow. Howden’s report predicts a similar rate of expansion to previous years, with GWP approaching $20 billion by 2025.

“I don’t think you can be a board member, chief executive, risk manager or anybody running a business today anywhere in the world, and say ‘cyber is not really interesting, let’s deal with it in 2023’,” he explained.

However, despite the predictions for solid growth, confusion remains. Every day, big and small clients are confronted with differing demands from carriers on the technology they use. If they don’t have this technology, they won’t be insured, warned Simkin.

“Everyone is asking for and demanding different technology. As an industry, we need to create a technology threshold. We’re saying ‘if you haven’t reached that threshold go and invest more in cybersecurity and hygiene before getting insurance’. But, once you’ve reached the threshold, the market for getting insurance opens up.”

Simkin also calls for more education in the industry, which he deems the biggest hurdle to growth of the product.

“Insurance has been around for 400 years—we will deal with the rates and underwriting and data, but education is key for the market to develop and become professional. If we want to be valuable to clients we need to fully understand the pain and be able to relate,” he said.

“If we are not able to share insights and use big data and analytics, we will have to wait for decades until we will reach the place where our sisters and brothers are in P&C.

“If we truly want to benefit the industry and clients and ourselves we will need to find ways to share data, because data is crucial,” he concluded.

To view the full Re/insurance Lounge session click here

Image courtesy of Shutterstock / CookiesForDevo