The influence of cyber risk on insurer ratings is likely to be neutral or gradual as long as insurers continue take a cautious approach to the business, according to Fitch Ratings.
At its recent cyber conference in New York, Fitch Ratings analysts said they expect cyber insurance business to be ratings neutral for most highly-rated insurers with sound underwriting, particularly since cyber represents a relatively small part of overall risk exposure and insurers are taking a cautious approach to growing coverage due to uncertainty about cyber claims potential and how to price claims.
“Controlled growth, as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be credit neutral,” Fitch said.
However, the ratings firm warned that aggressive growth in cyber — or a high portfolio concentration — would be credit negative, “as underwriting, pricing and reserving uncertainties would outweigh the potential earnings growth benefits.”
Cyber business has so far been profitable for early market entrants that see it is an opportunity for business growth and diversification. The proliferation of connected devices and the large amounts of personal data held by organizations are increasing cyber risk. Regulation will drive demand for cyber insurance, particularly in the financial services sector.
This is not the first time Fitch analysts have urged caution. They also urged caution in May after noting that ransomware attacks in more than 150 countries showed the widening scope of corporations’ cyber risk exposure and were likely to increase demand for insurance.
The analysts at the New York conference earlier this month described a scenario where cyber exposure is continuing to grow, profit margins are likely to shrink and some insurers are likely to suffer losses.
As the cyber insurance market develops, Fitch analysts see competition likely eroding profit margins and new underwriters with limited experience entering the market, underpricing cyber risk or accumulating large concentrations of cyber exposure relative to the overall business and capital.
They warned that cyber attacks on electronic grids or transportation systems, large cloud intrusions and mass “denial of service” attacks could give rise to large claims. Cyber insurance buyers at the Fitch conference cited exposure to vendor systems as an area of particular concern.
Cyber exposure could generate material losses for some insurers, given the possibility of unpredictable extreme events and also the risk from what analysts termed “silent” cyber exposure that insurers may not have recognized within traditional commercial insurance products. Silent cyber exposure means insurers not actively writing standalone cyber insurance may still be exposed to cyber losses.
Brokers at the conference conference highlighted the potential for disputes and litigation over claims where coverage may be unclear. Insurers are gradually introducing specific cyber policy language, sub-limits and exclusions to contracts to limit silent exposure, attendees noted.
Property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best.More than 130 insurance organizations reported writing cyber premiums last year.
Overall, cyber insurance was profitable — the direct loss ratio decreased from 51.4 percent in 2015 to 46.9 percent in 2016. A.M. Best attributed the decline to the majority of reported cyber attacks being related to ransomware heists, on which losses were well below the deductibles and a simple backup recovery worked to prevent negative long-term effects.
Source: Fitch Ratings