Credit Rating Business Says Cyber Insurance Market ‘Poised for Significant Growth’
The cyber insurance market is poised to explode amid surging demand, while new market entrants could drive insurance premiums down, close observers say.
New players are underwriting policies despite concerns over the systemic risk that cyber incidents can pose, leading to a “moderate” decrease in insurance premiums after several years of rate increases, Moody’s Ratings reported this week.
“The cyber insurance market is poised for significant growth over the next few years as cyberattacks continue to grow in number and sophistication with the potential to cause significant financial and reputational damage and disrupt business operations,” Moody’s said.
Insurers see strong potential for further demand for their cyber offerings. Multinational insurance giant Munich Reinsurance Company earlier this year surveyed 7,500 C-level decision-makers across 15 countries about their views on cyber risk and cyber insurance and found 87% don’t think they’re adequately safeguarded against online threats.
Those worried will propel the global cyber insurance market from $14 billion in 2023 – already double the 2018 market – to reach around $29 billion by 2027, Munich Re predicts. The company in February reported writing $2 billion in gross cyber premiums and said its cyber insurance business had yet to generate an underwriting loss.
Ransomware, business email compromise attacks and data theft “will remain the main loss drivers for risk owners and cyber insurers,” Munich Re reported. Also relevant is the increasing adoption of new technologies such as artificial intelligence, cloud computing and data analytics tools, as well as supply chain and geopolitical risks.
Regulations are an additional factor. “Significant growth potential will be driven in particular by increased reporting requirements and regulations that go beyond data protection laws, as well as growing liability for decision-makers,” it said.
While more organizations are looking to cyber insurance to better manage their risk, “there is still a long way to go in bridging the gap between insured losses and economic losses,” Munich Re said.
The recent global outage triggered by a faulty CrowdStrike software update, which crashed 8.5 million Windows hosts, shows both the interconnectedness of today’s systems and supply chains and the prevalence of single points of failure.
For underwriters, predicting the likelihood and impact of large-scale attacks or outages remains challenging.
“Cyber modeling has advanced, but the risks are constantly evolving, which creates uncertainty around return periods and the likelihood of an event,” it said. “Recent large losses and supply chain attacks will prompt further scrutiny of policy language, risk aggregations and modeling practices,” beyond what the all-out war in Ukraine has already prompted.
Munich Re said building accurate models remains complicated owing to a lack of solid data, despite major outages or breaches tied to CrowdStrike, Progress Software’s MOVEit secure file transfer tool, Microsoft Exchange Online, SolarWinds, managed service provider Kaseya or Change Healthcare, which, while damaging, “so far have fallen short” of being “the big one.”
This contributes to the cyber insurance market’s continued immaturity, Moody’s said, which is reflected in the “meaningful variations in policy language, terms and conditions across the industry. In addition, many cyber risks remain underinsured or uninsured, which could pose significant risks to businesses and the global economy.”
Underwriters are reacting to those uncertainties through exclusions for war-related events and “sublimits around other systemic events,” Moody’s warned (see: Breach Roundup: Cyber Insurance Doesn’t Cover Breach Costs).
The recent CrowdStrike outage highlights shortfalls between cyber insurance coverage and actual damages. Cloud outage risk modeler and underwriting agency Parametrix Solutions said one-quarter of the 500 most profitable publicly traded U.S. companies were affected by the outage and would collectively see $5.4 billion in direct losses as a result. Insurers, it predicted, would only be covering $400 million to $1.5 billion of those losses.
Joachim Wenning, chair of the board of management at Munich Re, said insurers will never be able to manage the risk posed by the most damaging, catastrophic types of cyber events and that government-level involvement would be required to do so. “Promising dialogues on ‘government backstops’ for catastrophic events have already begun,” he said earlier this year.
“Policymakers in Germany and Europe as a whole should discuss such a backstop; a dialogue on this is already underway in the United States,” Munich Re said.