Blog(Click here to get to the blog overview page)

The year cyber insurance became a teenager

I have three teenagers at home. One is actually only ten, but he still thinks he's a teenager. Thus, I can observe on a daily basis that the teen years, and with them the accompanying puberty, are a time of great change. It is a wondrous time, but it can also be tough for everybody, kids and parents alike. Regardless of how it manifests itself and how long it takes, puberty is an important and necessary step in the development of a young person.

This year, I felt like I had an additional teenager at work. Here, I am talking about the cyber insurance market. For years now I have talked about the cyber insurance market as still being in its infancy. It was very young, quite small, and it could not walk straight yet. We did not really understand it very well. It was basically a market in its fledgling stages. Now, however, I believe it has entered into the next phase.

That something had changed materially became obvious when a journalist titled an article 'Cyber insurance market encounters 'crisis moment' as ransomware costs pile up'. Naturally, I immediately read it and was - honestly - a bit underwhelmed. Not by the article, which I found to be excellent, but by the evidence of the crisis

Rising risk awareness

Ransomware claims in particular have hit insurance portfolios heavily over the last two years and insurers have done what they are here for: they have paid out valid claims to cyber insurance policy holders. Lots of them. Due to that, prices have gone up significantly to keep pace with the increased risk level and to enable insurers to pay for future claims. A sign of crisis? I don’t see one. I see a 'normal,' if rapid, market development.

At the same time, the demand to buy cyber insurance has increased. While a couple of years ago we were still discussing missing risk awareness as one of the reasons for the very large protection gap, I don’t believe that this argument is still valid. Today, buying cyber insurance is part of most companies' considerations when evaluating and managing their risks. The market definitely has matured in this respect. However, there is still a long way to go for insurers and business leaders to really understand commercial cyber risks, for businesses to link those risks to accompanying insurance products, and on a market level to standardize coverages and increase the simplicity and clarity of wordings.

Signs of a maturing market

Over the last year, insurers have taken a long, hard look at their own cyber portfolio strategy and re-confirmed or re-aligned where they want to play. Do they want to write primary or high-excess layers? Do they want their portfolio to be balanced in terms of industries, company sizes, regions? How do they allocate risk capacity to this risk class?

Potentially, some of these thoughts were triggered by the rising claims ratios, but honestly, these are strategic decisions that all insurers have to take in view of their overall portfolio strategy and goals. If this means that some insurers draw back from the market or from certain segments, I consider this again a normal development in a maturing market.

Another change (and in my view a step into the right direction) has been for insurers to have a stronger focus on risk selection and clearly enforcing their own underwriting standards. This means that insurers are asking more questions and require stronger cyber security postures before signing on risks. That might be cumbersome and difficult to understand for policy applicants, but in the long run this is the way to go, since there is no cyber insurance market without good cyber hygiene for the insured companies.

So, in my view this is not a sign of crisis but a step to making the market more sustainable. A crisis would ensue if a large portion of the risk capacity would be called back, and if no new risk capacity came into the market. Or if prices soared so high that companies could no longer afford the premiums and if minimum security requirements were set so high that a normal business could not comply with them.

New risk capacity crucial

In my estimation, we are not in a crisis right now, but we do have to watch out for the above-mentioned harbingers of potential problems. Bringing new risk capacity into the market will be crucial, and work needs to be done right now to allow for that. This includes tapping into capital markets as well as finding ways to manage catastrophic cyber events, a process which asks for a collaboration between insurance companies, governments, and other stakeholders.

When I said earlier that the cyber insurance market has entered puberty I don’t mean that it has suddenly become all grown up. In contrast, I am pretty sure we have a few exciting development years ahead of us, including a lot of hair tearing and shoulder shrugging. But hopefully the current teenager will emerge as a matured and responsible market to the benefit of the overall economy, and to the insurance industry. We as an industry have to get this right, for cyber and digital risks are an integral part of the risk family and are worth being supported through even difficult times.


See further cyber related content

  • Blog ​Cyber risk: Why we need a new approach to handling this explosive threat

    Maya Bundt Lead Cyber Practice