Finding a Life Raft in the Shifting Tides of Cyber Insurance

October 19, 2022

In late September 2022, the U.S. Department of the Treasury released a request for comment on the possible creation of a new federal program to help organizations respond to catastrophic cyber incidents. This comes on the heels of the August 2022 Lloyd’s of London Market Bulletin that sent shockwaves throughout the cyber insurance industry. In this announcement, Lloyd’s stated its intentions to begin excluding liability for losses arising from any state-sponsored cyberattacks.

 

Announcements of this magnitude so close together cannot be overlooked and provide foreshadowing as to what the future of cyber insurance may look like. However, they are not surprising based on the cyber insurance market trends that have developed over the past two to three years.

 

 

How did we get here?

Cyber insurance is not new, as it has been around in some form for the past 25 years. What makes cyber insurance unique is how quickly it transitioned from its initial use cases (predominantly specialized product organizations protecting themselves against internet liability) to an absolutely essential coverage that the majority of organizations use to transfer cyber risk. Rapid advancements in technology and a dynamic threat landscape created the need for cyber insurance. An equally dynamic insurance market enabled growth by expanding coverage based on market demand and threats. It also eliminated coverage exclusions, building trust with buyers and streamlining underwriting requirements to encourage adoption. Intense competition for market share made robust coverage available for businesses of all shapes and sizes at incredibly affordable rates.

 

These actions, as well as other factors, have fueled rapid cyber insurance growth and broad adoption. Unfortunately, this growth has become unsustainable due to a slew of market changes (discussed later in this blog). Insurance only works when the risks being covered are insurable, meaning the premiums coming in must be able to profitably cover the costs of claims being paid out.

 

Insurable risk also requires some level of predictability. While it’s impossible to predict specific events or losses, many traditional insurance products are more conducive to modeling and follow commonly accepted insurance principles, like the law of large numbers. Traditional property and casualty insurance policies also attempt to exclude risks that are not insurable. This doesn’t make individual claims any more predictable, but it does help insurers and actuaries determine the typical outcomes and average losses for many similar events and claims. This lets the insurance industry effectively set rates, segment risks and create a market where risk exposure and loss ratios decrease as more policies are written.

 

Cyber insurance assumes that traditional insurance strategies and models work when assessing cyber risk and that historical data is an accurate representation of the future. Cyber risk is clearly different in those regards.

 

 

Is cyber risk insurable?

The challenge when insuring cyber risk is that it’s susceptible to unanticipated extreme events that can’t be foreseen using historic data. What we know about current controls, threats and risks is helpful, but not as important as the unknown events yet to happen. Due to the ever-shifting tide of technological advances and the increasing sophistication of the cyber adversary, no organization is completely immune or insulated from new and unpredictable cyber events.

 

In practice, insuring risk that is hard to model, vulnerable to extreme unforeseen events and difficult to segment results in loss ratios increasing and claim activity growing as more cyber insurance policies are written. Direct U.S. cyber insurance industry loss ratios are currently sitting around 65%. This is better than 72% in 2020, but up significantly from 47% in 2019. A study published by Fitch Ratings in May of 2022 reported that “claims rose by 100% annually in the past three years. Claims closed with payment grew by 200% annually over the same period, with 8,100 claims paid in 2021.” If nothing changes, cyber risk may not be insurable in the long term.

 

Premium increases have helped improve the profitability of the cyber insurance industry, but they alone are not enough. It’s also unlikely that buyers will continue to accept paying another 50% or higher for far less coverage. In parallel, insurers must work to craft policy language that provides adequate coverage while limiting the impacts of the widespread, systemic and catastrophic cyber events that they deem uninsurable.

 

Possible government intervention to soften the blow of uninsurable cyber risk could give cover to cyber insurers as they work to find the appropriate balance of coverage for today’s threat landscape. The proposed government program, Potential Federal Insurance Response to Catastrophic Cyber Incidents, similar to the Terrorism Risk Insurance Act (TRIA) that passed shortly after Sept. 11, could also help ease consumer fears that cyber insurance won’t help them in their time of need. However, such a program would also likely give other cyber insurers the green light to pursue similar coverage restrictions, making catastrophic cyber risk exclusions the norm. In fact, other major cyber insurers like Chubb have also announced new language to help provide affirmative coverage for specific events, while also reining in the scope of losses caused by catastrophic attacks.

 

 

Is cyber insurance worth it?

The cyber insurance industry is by no means innocent as we examine its role in fueling some of the conditions that are now in need of correcting. However, cyber insurance works and has helped countless organizations respond to significant incidents they may not have otherwise been able to withstand. The U.S. Department of the Treasury echoes this sentiment, calling it “a significant risk-transfer mechanism,” and stating, “the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency.” Cyber insurance has also allowed organizations to adopt and capitalize on new technologies without having to assume risks of unknown vulnerabilities, not to mention vendor and human error.

 

With added costs, complexity and confusion, some organizations may consider dropping limits or eliminating coverage altogether. But savvy leaders will recognize that cyber insurance still offers value, serving as a useful backstop to manage uncontrollable or unpredictable cyber risk. This will require buyers to take a more active role in the cyber insurance process by anticipating underwriting changes and coming to the table with their insurance agents and brokers prepared with a strategy, structure and plan. Buyers also need to be prepared to show cyber insurers that they have a personal stake. Those seeking insurance must be willing to accept higher retentions/deductibles and demonstrate their organization is implementing appropriate controls based on industry, size and risk profile.

 

The cyber industry has changed and there’s no turning back. Insurers will continue to refine coverage in the face of unpredictable cyber risk. The state-backed cyberattack restrictions released by Lloyd’s are only the first ripples in the ocean of change ahead. Whether governments step in to help make cyber risk insurable in the long term remains to be seen. For now, organizations should continue to take advantage of cyber insurance. They should also, however, align risk transfer with the appropriate controls, as some cyber risk may simply no longer be insurable.

Mike Volk
Sr. Manager, Threat Management, Cyber Insurance / Technology E&O Insurance | Optiv
Mike Volk leads Optiv’s cyber insurance strategy, innovation and partnership initiatives to foster collaboration between the cybersecurity and cyber insurance industries. He has more than 10 years of experience in roles focusing on the business challenges of cybersecurity including helping organizations navigate the complex cyber insurance landscape. Volk previously served as the vice president of cyber risk solutions at PSA Insurance & Financial Partners where he led the development and implementation of their cyber insurance and technology insurance practices.
