Cyber threats pose a more direct risk to businesses than ever before. Globally, cyber attacks rose 7 percent in the first quarter of 2023, and Cybersecurity Ventures predicts ransomware will cost victims $265 billion annually by 2031, with new attacks occurring every two seconds.
It’s no wonder the cyber insurance market has exploded and is forecast to continue growing exponentially.
Executive Summary
“The days of 25-page self-attestation reports manually analyzed by human underwriters are gone,” writes Cyberwrite’s Harmut Mai, expressing the view that carriers need data, AI, and automation to keep up with the evolving threat landscape. Mai believes that with AI to support underwriters, correlations within historical data that are usually invisible to the human mind are made visible.The market could swell to nearly $85 billion by 2030, according to Fortune Business Insights. Forget for a moment the gargantuan monetary valuation—how could this growth actually be achieved? The key to insurance of any kind is accurately assessing risk, and there simply aren’t enough well-trained and experienced underwriters of cyber risk on the planet to support such a boom.
Cyber insurance has changed dramatically since I introduced a global cyber standalone policy in 2013. If the market’s rapid growth continues, the underwriting process needs to evolve to sustain it. Automation that leverages artificial intelligence (AI) will help underwriters better analyze risk based on vast amounts of data, reduce underwriting bias, and enable insurers to balance their portfolios.
Let’s look back at how far the industry has come and what needs to be done to turn the growth forecast into a profitable reality.
How The Market Got Its Start
Cyber risk used to be insured under different programs. For example, in Germany, Elektronikversicherung—electronic insurance—was the umbrella that often covered cyber. Some cyber components were covered under property and other kinds of policies. Similar scenarios played out in other territories as well.
In the last decade, an increasing number of companies required the need to buy a standalone cyber policy as they became more digital. Clients appreciated the intellectual discussions with underwriters to understand exposures and opportunities in the market to transfer risk, but at the end of the day, very few organizations were buying the coverage.
When I wrote one of the first cyber policies, the $20 million coverage limit was considered a drop in the bucket compared to the exposure large corporations were facing. Based on this feedback, I built a limit of $100 million with support from the reinsurance market, but growth didn’t pick up significantly as now the coverage was deemed too expensive. The lack of data to support underwriting, markets, and losses led to this trial-and-error approach, which ultimately helped to mature this line of business to where it is today, where multiple types of cyber insurance products exist for different kinds of organizations.
Further, carriers started taking a more holistic risk management approach to cyber and understood that transferring the risk to insurers wasn’t enough. Post-loss services like data recovery—experts who could rush in once a client starts experiencing a cyber breach—changed the landscape and made cyber coverage more appealing.
Big companies faced the potential of tremendous cyber losses, but the market couldn’t provide coverage limits accordingly, particularly if a breach affected the company’s supply chain. The service packages changed their philosophy because the value went beyond pure risk transfer to a more holistic risk management approach.
When the market emerged, no data was available to determine whether pricing was fair, and there was simply no transparency around that. We’ve come a long way.
Why Traditional Underwriting Needs To Evolve
Over the past 10 years, the market has gained experience and data about losses and trends. This quick maturation spurred so much growth that the cyber insurance market blossomed into an industry worth more than $13 billion last year. (Source: Fortune Business Insights; Editor’s Note: Munich Re estimates $12 billion for 2022.) With a wealth of experience, carriers can now be more transparent about pricing philosophy and what coverage limits are appropriate for customers in different sectors.
There are roughly 100 million small- and medium-sized enterprises (SMEs) and mid-market businesses in need of cyber insurance in the very near future (Cyberwrite estimate). If the industry stays on this unprecedented growth trajectory, carriers can no longer rely on manual, subjective assessments from underwriters. There aren’t enough underwriters to assess cyber risk for new entrants if the market grows by more than 25 percent annually.
The human touch creates a lot of underwriting bias—a human’s cognitive assessments—and risk and premiums aren’t assessed accurately. This is where the power of AI to support underwriters comes into effect. Correlations with historical data that are usually invisible to the human mind are made visible, and risk clarity is made available. This enables the risk management of very large portfolios.
These calculations are objective because they use data, which leads to more accurate and consistent decisions. As a result, carriers can be more confident in their risks and diversify across clients of different sizes and risk profiles.
Automation’s Role in the Growth of Cyber Insurance
With AI models and automation, insurance carriers can digitize the same way their customer bases have. The days of 25-page self-attestation reports manually analyzed by human underwriters are gone. Those underwriters can better quantify risk by scraping risk-related data from the Internet and dark web to understand a customer’s risk profile better.
Through automation, underwriters can see in real-time, and even via ongoing alerts throughout the life cycle of the policy, where a customer might have exposures and vulnerabilities—and they can pass that information on to the customer to mitigate those vulnerabilities and increase the company’s security posture. This information exchange is largely missing from today’s market because, in most cases, underwriters draft policies based only on what the customer tells them.
Insurers can confidently expand into previously untapped customer segments in need of cyber insurance, such as the SME and mid-market segment, and create fairer pricing mechanisms by making underwriting decisions based on data rather than gut feel. This improved risk quantification allows the market to unlock the profitable growth and stability that’s been forecasted.
Without data, AI, and automation, the market can never keep up with the evolving threat landscape.