The state of the cyber insurance market

In Part 3 of ‘One byte at a time: a series on cyber insurance’, Kitty Ho examines the roots of the global cyber insurance market, a space which has exploded into a multi-billion dollar industry in the US. 

Size and premium volume

Globally, the US cyber insurance market is by far the most developed in terms of premium volume. In 2015, the US represented about 90% of the global cyber insurance market by premium. Growth has been phenomenal as well: according to Aon’s 2018 US Cyber Market Update, total direct written premium doubled from US$1bn in 2015 to US$2.03bn in 2018. In the three years to 2018, the number of US cyber insurers grew from 119 to 184.

In Australia, Aon Australia estimated that local cyber insurance market premiums totalled about A$60mn in 2018.


Growth has been driven by an array of factors. Firstly, malware events such as WannaCry and NotPetya have raised awareness of the importance of cyber security. Secondly, regulatory environments regarding data protection have become stricter, with the introduction of the General Data Protection Regulation (GDPR) in May 2018 and similar regulations in the US. Thirdly, cyber coverage is increasingly being carved out of traditional insurance policies, so the insured have to take out separate cyber insurance policies to ensure adequate protection.

Another trend is the increase in uptake of cyber coverage by SMEs. Whilst it is common for large corporates (especially global ones) to take out standalone cyber policies, SMEs are also including cyber coverage as part of their package purchases.

From an outlook perspective, various forecasts have been made. Globally, Allied Market Research forecast the cyber insurance market premium to reach US$14bn by 2022. Aon forecast a slower compound growth rate of 15% per annum, with global premium reaching US$7bn by 2022 and the majority of growth coming from non-US markets.

Loss ratios and profitability

According to AM Best’s June 2019 Market Segment Report on Cyber, US cyber paid loss ratios in the years 2015 to 2018 ranged between 15% and 30% for both standalone and packaged policies. Aon’s US Cyber Market Update shows loss ratios of 42% and 48% for 2015 and 2016 respectively, but these dipped to 32% and 35% in 2017 and 2018. Such trends could be explained by the fact that, given the high levels of uncertainty in pricing cyber risks, conservative margins were factored into pricing. Furthermore, the increasing uptake of cyber policies by relatively less exposed SMEs may be the reason behind the lower loss ratios for the two most recent years. Aon noted that the small jump in loss ratio from 2017 to 2018 is attributed to the increase in claim frequency from 0.35% to 0.42%. Nonetheless, claims frequency is still on the low side. Similar levels are noted in the Australian market.

With respect to claim types in the US, in 2018, 68% of claims were first-party claims, such as costs associated with data breach notification, credit monitoring services for customers and business interruption after a cyber incident. The other 34% were third-party claims, where coverage is for a third party claiming liability against the policyholder, e.g. a software vendor paying its users if a data breach occurred and the software was responsible for the breach.

In the US market, coupling these low loss ratios with a 30% expense ratio, the combined ratio has been at around 65% in the three years to 2018. So far, then, the cyber insurance market seems rather profitable.

But will it last? As with any profitable class of business, new insurers are likely to enter the market and add to the competition. However, they are doing so with caution. Lloyd’s markets are expecting loss ratios to reach levels of around 50%, not only due to more competition in price, but also due to the broadening of terms and coverages. In addition, insurers need to be aware of the cyber aggregation risk they are facing – just think of another NotPetya event. In fact, the UK’s Prudential Regulation Authority has urged the insurance industry to invest in its monitoring efforts on cyber risk exposure.

In Australia, the cyber insurance market is yet to mature compared to countries like the US, so there are not many publicly available statistics on its status. However, the Office of the Australian Information Commissioner (OAIC) published the Notifiable Data Breaches Scheme 12-month Insights Report in May 2019, which offers good insight into the current cyber risk and security landscape with respect to data breaches. Some interesting statistics include:

  • There were 964 data breach notifications in the 12 months to 31 March 2019, an increase of 712% from the previous year.
  • 60% of data breaches were due to malicious or criminal attacks, 35% due to human error and 5% due to system faults.
  • 26% of malicious attack driven data breaches were attributed to phishing.
  • 83% of the breaches affected fewer than 1,000 people, and 0.3% (or 3 breaches) affected more than 1,000,000 people.

With heightened awareness of cyber threats, the report included a section called “five best practice notifiable data breach tips for entities” to guide institutions in becoming more prepared for cyber risks. It would not be surprising if, in the next 2-3 years, as cyber risk and protection measures become more well-known and common, the demand for cyber insurance also grows as one of the risk management strategies.
