As the Roman god Janus (after whom, of course, the month of January takes its name) reflects both looking backwards and forwards in transition, the dawn of a New Year provides a great opportunity to pause and consider where the cyber insurance industry is heading in 2023. To bastardize an overused quotation from Niels Bohr (the Danish physicist), cyber risk predictions are hard, especially about the future. The cyber insurance industry is young enough to claim adolescence as the reason for frequent rapid changes in the market, but old enough to know better than to expect to avoid scrutiny.
Insurance has a key role in society to address, by definition, unexpected events. If an event is foreseeable, no insurance would be needed. As has been well documented, cyber risk has additional layers of complexity compared to more static risks, such as weather. With its anthropogenic origins, complex interaction between the risks associated with technological change, and the increasing corporate dependence on key interdependencies, cyber risk can become a moving target for underprepared (re)insurers. It also now has a proven track record of profitable growth over the long term and remains one of the fastest growing commercial lines of insurance. The reaction to these factors will determine the long-term success of the industry. For now, 2023 has all the characteristics of an interesting and potentially challenging time, together with the huge potential growth opportunities for the coming year and beyond.
Below are some of the key themes to look for in 2023 for the direction of travel of the cyber insurance industry — some trends are already underway and will accelerate, while others are new. The usual caveats to any list apply, in that it is non-exhaustive, and I welcome debate and discussion of those themes I have missed. Honorable mentions of themes which could also be included here: the use and convergence of war exclusions; growing common understanding of internet infrastructure definitions; and the impact of the ongoing war in Ukraine on cyber criminal activity.
- Rates stabilize and underwriting discipline continues.
Unless you have been hiding under a rock, you will have noticed two obvious underwriting trends in the cyber market over the last couple of years. Firstly, there have been significant compound rate increases, and secondly, there has been a parallel, sharply increased focus on underwriting standards. Both trends have been in response to a jump in loss ratios, driven primarily by the growing range of ransomware threats. Rate changes have created the desired effect, and loss ratios are beginning to flatten out. The number of new entrants continues to increase as a result. These factors will combine to bring competitive pressures on rates, such that rates will likely be at or close to flat over the coming 12 months.
I do not anticipate a sharp drop of rates to pre-2019 levels but rather a stabilization of the current position. The focus on technical and procedural risk management standards (such as multi-factor authentication, endpoint detection and response, offsite backups, etc.) has raised the floor in terms of risks being accepted by cyber insurers, and frankly is long overdue. I think the higher expectations will broadly remain (albeit with varying levels of rigor in terms of implementation based on the market segment), and just as property insurers influenced building codes over a much longer time frame, so those seeking insurance should expect to have the cybersecurity house in order, proportionate to their operations.
- Regulators sharpen their focus on systemic risk.
For good reason, systemic risk in the context of cyber insurance is the itch that won’t go away. It is self-evident that the hyper-connectivity of the 21st-century economy has created technological pinch points which could create widespread impacts (whether accidental or with malicious intent). The challenge is that there are few, if any (depending on loss / definition thresholds), historic examples to act as benchmarks or guides of how severe these events could be. Given the speed of change to the threat landscape, any systemic event of the last few years is unlikely to be indicative of events which could happen in the coming year or beyond. The inherent uncertainty of estimating realistic disaster scenarios has created headaches for chief risk officers at (re)insurers. It takes a thoughtful and data-driven approach to plan and anticipate downside risk in the absence of a major cyber catastrophe, but the counterfactual is that without planning for systemic risks, both financial and logistical, the ability to withstand a major event is massively reduced.
Long-term stability of the cyber insurance industry is built upon the financial resilience of assessing catastrophe risks as part of the components of cyber insurance pricing and modeling. For all these reasons, 2023 will see increased attention from regulators on systemic cyber risks. The UK PRA have run a General Insurance Stress Test, which incorporates an initial assessment of the potential impact of a major cyber event. The outputs of this will likely be reviewed in 2023. Additionally, the U.S. Federal Insurance Office (FIO) as well as the European insurance regulators EIOPA have initiated discussions with industry about the nature and approach of these. Taken together, the need for a well-thought-through and credible approach to systemic risk will become critical for the industry in its interaction with regulators.
- The trend away from quota share reinsurance will continue.
In the early days of cyber insurance, there was really only one option for reinsurance support: quota share. The thought process was that by sharing the risk from the first dollar, a partnership between reinsurer and insurer was cultivated and mutual interest and alignment maintained. Reinsurers were benefitting from the front-line experience of primary carriers, and insurers benefitted from the capital relief, given the immaturity of the line of business. As the market has evolved, risk excess of loss reinsurance products have emerged, applying experience learned from the property-catastrophe reinsurance market. Risk models, developed in house and by specialist providers, as well as loss experience, have provided improved measurement of attachment points and pricing, reducing uncertainty for insurers.
As the varying performance of differently constructed portfolios has illustrated, protection needs for primary insurers have varied as well. Quota share structures are absolutely appropriate in certain circumstances but can be a somewhat blunt instrument to protect balance sheets. They provide more limited tail-risk protection in a world of tightening loss ratio caps. As experience is gained, and more is understood about the loss profile of cyber risks, other structures will become more common in 2023, such as the emergence of occurrence-based event covers. This aligns with the catastrophe component of cyber risk addressed above and provides more efficient use of capital to enable more capacity to be deployed.
- Analytics will become increasingly integrated into all aspects of the cyber insurance value chain.
Back in 2006, the phrase “data is the new oil” was first attributed to British mathematician Clive Humby. More than 15 years later, this analogy has broadly held up, as unless its potential is harnessed through refinement and product innovation, the raw material of data has limited value in its unrefined state. There is no shortage of data relating to cyber risks, both in terms of incidents from the plethora of cybersecurity companies, as well as insurance data relating to losses. The historic challenge for the industry has been to leverage the variety of data sources effectively to provide actionable insights. There has been progress among carriers and the InsurTech ecosystem to improve data collection, governance and overall approach.
2023 will see the use of analytics tools become much more widely adopted across all aspects of the value chain. This includes at the point of underwriting, where external scan signals are used to supplement (and in some cases mostly replace) traditional application forms. Data relating to technological dependencies informs potential sources of concentration risk. Catastrophe models provide guidance on how the exceedance probability curves develop for portfolios. Taken together, effective data capture and use will be a key component in 2023 to developing successful long-term strategies.
- ILS investors will (finally) meet their match with (re)insurers.
The potential opportunities of the use of investment vehicles from insurance-linked securities (ILS) investors in the cyber insurance market are well documented. 2023 will finally see this potential begin to be fulfilled, after recent years of speculation but limited activity for a variety of reasons. There has been a perceived lack of confidence in early cyber risk models and debate over the definition of what types of cyber perils are most appropriate to be included in an ILS transaction.
Many of these concerns originate from a lack of familiarity with cyber risks within the ILS investor community. As education and knowledge have been built up, so the concerns have receded. Given the ongoing challenge of the imbalance of supply and demand for insurance capacity, the opportunity for material ILS transactions to occur is there to be seized in 2023. This year could prove to be an inflection point, in which ILS becomes a regular source of capital to address the catastrophe components of cyber risk. This will provide much needed additional capacity to flow into the market.
There are certainly themes I have missed. If there is one certainty about this year, with particular resonance for the burgeoning cyber insurance market, as the American commentator and author George Will said: “The future has a way of arriving unannounced.”