Cybersecurity Insurance Has a Big Problem
There are worrisome trends in cybersecurity
Monday, January 11, 2021
By Tom Johansmeyer for HBR.com
In 2020, the world seemingly entered a new era of cyberattacks. Although there have been decades of viruses, breaches, and other forms of attack, last year saw increased bad actor sophistication, a propensity to pay in ransomware cases, and a broad swath of geopolitical uncertainty — conditions that hackers have found favorable.
The severity of the financial consequences has been profound. Ransoms have rocketed from five-figure price tags into the millions, including the $10 million reportedly paid by Garmin. Several ransom demands were far higher before being negotiated downward, according to clients of mine worldwide. All of this escalates an already worrisome trend: A recent report by Hiscox shows insured cyber losses of $1.8 billion in 2019, up an eye-popping 50% year over year.
Facing the prospect of major financial fallout from an attack, C-suites around the world have turned to cyber insurance. Insurers are issuing more policies, and the amounts of protection available are increasing. In 2020, according to data proprietary to the team I lead, the global insurance community saw the first cyber insurance program to exceed $1 billion — and the second.
However, the momentum that has propelled the sector this far may be running out. The cyber insurance sector may still be in its infancy, but there are signs that it’s hit a (hopefully temporary) plateau. There are a few likely causes for this slowed growth. On the demand side, despite the spate of cyberattacks, some companies are buying less cyber insurance or not buying any at all, as economic strain from Covid-19 has caused some of them to look at cyber insurance as a luxury. And while more attacks could stimulate demand, they also create a supply problem, making insurers more wary of providing cover and reinsurers (who provide insurance for insurance providers) less interested in backing cyber liabilities. On top of that, the lack of historical loss data (a result of the sector’s short history) adds another layer of unpredictability for all involved.
Ultimately, though, all these drivers boil down to one simple fact: There just isn’t enough money in cyber insurance. And it’s hard to tell right now if there ever will be.
This is an important moment for the future of the sector. The cyber environment is delicate, given the combination of threat volatility, recent losses, and a nascent commitment that could be reduced or withdrawn by the insurers in the space. A wave of cyberattacks with massive insurance industry implications likely wouldn’t pose a solvency threat, but a worst-case scenario coming to pass could result in structural changes to the cyber class of business — or even an insurance industry that’s just a lot less interested in cyber. That could then result in the loss of an important risk management lever for C-suites and boards with significant technology exposure, which is to say, most major and mid-sized companies.
For companies looking to bring more cyber insurance into their risk management practices — or buy for the first time — a bit of planning is necessary. After all, we’re looking at an environment in which claims are increasing and insurers lack the historical data and overall experience to develop the analytics they’d use in more mature lines of business, such as property. To build up a sufficient amount of cyber insurance, early purchases of smaller amounts with increases over time can help prime the market to grow with the needs of the companies it supports.
Small Pools, Big Exposure
The problem that most companies face is in determining how much cyber insurance they need. But it’s difficult for insurers to understand demand when the buyers themselves are still trying to figure out both their exposure and their buying appetites.
The years in which cyber insurance enjoyed significant growth weren’t enough to establish a reliable sense of how much protection companies should actually buy. In fact, most either don’t have enough cyber insurance or don’t have any at all. Companies with at least $200 million in cyber insurance account for a bit more than 20% of what is believed to be $5 billion in global cyber insurance premium, according to internal research conducted by PCS — amounting to roughly $1.1 billion in premium.
With around 250 companies buying at least $200 million in protection, it would take only five insured losses of a bit more than that amount (roughly $220 million each) to wipe out an entire year’s premium for the whole cohort. That’s only 2% of the companies in the market buying that much coverage. It would likely take insurers decades to earn back losses of that size.
Now, think about companies with at least $500 million in protection. There are only around 40 of them, according to our data. Two total losses could wipe out a year’s premium. Insurers might have to wait half a century to earn enough premium against those losses. Even for companies buying $100-199 million in protection, the exposure is pretty significant. Our research indicates that there are approximately 500 companies buying that much, and they represent another 25% of global cyber insurance premium (maybe even a bit more than that). It would take only a handful of losses to wipe out the $1.44 billion in premium they generate.
The Short-Term Problem
Companies looking to buy cyber insurance protection face a fairly volatile environment shaped by low prices for protection and high levels of risk sustained by insurers. That’s the sort of formula that leads to the reductions in allocated capacity we’re unsurprisingly seeing right now. But the underlying problem isn’t going away: Cyber risks will persist and evolve, and companies will need to manage that risk, including by securing insurance protection. Because of the ever-present and frequent cyber threat and the industry’s lack of historical experience — remember, the sector is still in its infancy — there is no easy way to fix the market.
One of the most difficult barriers to addressing the structural challenges that the cyber insurance sector faces is that insurers have disproportionately relied on reinsurance. Reinsurance — again, casually thought of as insurance for insurance companies — allows insurers to lay off risk to another capital source. Much as you turn to your insurer when you have a claim, insurers may look to reinsurers for support. And in the case of cyber, insurers cede an estimated 50% of the premium they collect to the reinsurance market. So, they don’t retain as much of the risk as you might think.
As a result, the concentration of capital among reinsurers is simply striking. Four reinsurers account for more than 60% of premium — and that cohort’s concentration could grow as a result of market volatility in the coming year, as smaller players reassess their commitment to cyber. In fact, more than 75% of the reinsurers writing cyber reinsurance have less than $100 million in premium, and most of them less than $50 million. With the largest reinsurer in the market likely seeing more than $500 million in premium, it’s roughly the same size as the collection of companies writing less than $100 million, based on known data.
So, what does that mean? Well, based on the insurance and reinsurance market dynamics at hand, there’s the potential for increases in demand over the short and medium term to outpace supply. Conventional thinking would suggest an increase in prices, a hardening risk-transfer market, and an attendant influx of capital. The reality could be more nuanced: Uncertainty of outcomes could make insurers cautious about (again) quickly responding to increases in demand, even if pricing supports it. Further, scale could become a problem.
Meeting a rapid spike in demand on a relatively new risk could result in a significant increase in losses, too. Accepting that sort of risk in a niche market isn’t the same as doing so more broadly, which ultimately could lead to shortages in capital (and reduced availability in the market) for cyber insurance.
What Should Companies Do?
For the C-suites and boards of directors still worried about cyber risks and the availability of insurance, the optimal course forward requires longer-term thinking mixed with near-term action.
Priming the cyber insurance market for the future is important, but it doesn’t meet your needs now, particularly with the rise of ransomware and the business interruption losses it could cause. Insurance is important, but it’s likely to take a back seat to the broader cybersecurity discussion. For example: I’m an avid cyclist, and I have health insurance, but that doesn’t mean I don’t need a good helmet, too. Insurance helps you recover from a situation, filling in the gaps when problems occur that you can’t prevent, but efforts to prevent problems are still crucial.
When it comes to insurance, it may help to shift your thinking.
For mature lines of business, like property and professional liability, there’s often a target amount available in the market, and the amount you buy (and other coverage issues) may vary a bit year to year based on price and budget. Cyber insurance is a bit different. Instead of looking at it as a year-to-year issue, think about your actual needs. In a perfect world, for example, you may think that $2 billion in protection makes sense.
Today, that sort of purchase isn’t possible — but you can develop a plan for getting there. It may involve buying what you can now, and possibly topping it up with self-insurance mechanisms that range from simply carrying additional capital to address future cyberattacks to the creation of specific risk-financing vehicles that function like insurers (i.e., captive insurers). Over time, you can add to those partial programs, replace self-insurance with external protection, and add to your overall insurance program. Several companies are already doing this. It just takes time, effort, and perseverance.
Thirty years of history have shown us that cyber risk is difficult to understand, problematic to hedge, only likely to grow, and characterized by a continually changing threat environment. Tomorrow’s cyberattacks may not look much like today’s — as evidenced by 2020’s spate of ransomware compared to the breaches of 2015 to 2017. For insurers to respond to this unique threat, they’ll have to become comfortable allocating capital to the sector, and that comfort will vary over time, until the industry’s body of knowledge becomes sufficient to treat cyber like mature classes of business. Until then, companies will need to invest in protection while working with their insurers to increase the types and amounts of insurance available. As a buyer, there’s no substitute for having a plan.