The New Battlegrounds in Cyber Insurance

In recent years, cyberattacks have impacted a wide range of governments, companies and individuals, fueling an increase in cybersecurity to stop cyberterrorism and mitigate consequences when it arises.

Insurance companies also play a unique role in both helping companies mitigate exposures as well as providing risk transfer. Aided by an increase in the pace and scale of cyberattacks, cyber insurance has been the most rapidly evolving sector in the insurance industry in the last decade.

“Aided by an increase in the pace and scale of cyberattacks, cyber insurance has been the most rapidly evolving sector in the insurance industry in the last decade.”

Mark Dwelle
Insurance Analyst, RBC Capital Markets

Share      

U.S. cyber claims have nearly quadrupled in the last five years, with policies sold as either standalone, or packaged alongside existing liability products.

Most vulnerable industries

The victims of cybercrimes typically have several things in common. First, they have lots of highly valuable information. Medical records, financial records and other sensitive information on consumers are major targets. Second, they are less technologically savvy. While hackers would love to get into a financial institution’s data, those companies invest millions upon millions into cybersecurity annually.

Data shows that healthcare systems have become a key target in the last few years, likely due to some unpreparedness on the part of these systems. In 2021, manufacturing and utilities groups saw cyberattacks more than triple.

The education sector is another growing target, with a large spike in 2021 as schools continued distance learning in many parts of the U.S. While the information isn’t as valuable, the ease of access likely makes up for the smaller rewards per hack.

The takeaway is that everyone can be a victim of cybercrime, though the type of attack varies depending on how valuable your information is and how easy it is to access.

Cyber risk is already top of mind for regulators and global CEOs, as evidenced by a 2022 Allianz survey noting that cyber risk was rated as the top business risk amongst global companies for only the second time in the survey’s history. We expect CEOs to dedicate plenty of their budgets toward cyber insurance coverage for the foreseeable future.  

Insuring cybercrime losses

A typical cyber policy will cover incidence response, loss of information and regulatory and compliance costs. This will include things such as credit monitoring, notification, cost to fix the breach and/or restore data and any information tech costs. What is typically not covered is consequential damage resulting from fraud associated with the lost information – that is normally self-insured.

The product sold today has changed meaningfully in the last five years and by 2025 we expect further evolution to occur in response to changed attack tactics and evolving buyer need.

“While the market has grown substantially in the past five years, cyber coverage gaps continue to exist across broad areas of the economy.”

Mark Dwelle
Insurance Analyst, RBC Capital Markets

Share      

While the market has grown substantially in the past five years, cyber coverage gaps continue to exist across broad areas of the economy. Cyber coverage is still primarily bought by large companies, not small and mid-market businesses. This is somewhat counterintuitive as larger companies tend to be bigger spenders on cybersecurity, meaning the less well-defended mid- and small-cap companies are both more vulnerable to attack and uncovered.

Most companies have taken it upon themselves to implement robust defensive cyber policies internally to prevent attacks from happening in the first place, including being increasingly proactive on employee-wide email controls and monitoring. Cyber insurers are also pushing companies to improve cybersecurity and, in some cases, insisting minimum thresholds are met in order to provide the necessary coverage.

Who stands to benefit the most from growth in cyber?

The market share amongst major cyber writers is still fairly concentrated (the top 10 had a 67% market share in 2020), leaving room for further participation.

The U.S. cyber insurance market is still in its early phases of growth with most of the major growth coming in the last five years. According to NAIC data, U.S. cyber insurance market direct written premiums, written by U.S. domiciled insurers, grew around 22% year over year to $2.8 billion in 2020 ($4.1 billion including foreign insurers writing U.S. cyber).

Cyber policy counts have also risen significantly (though still arguably vastly underpenetrated). According to NAIC data, there were more than 4 million cyber-related insurance policies in the U.S. during 2020 – nearly double the policy count compared to the end of 2016.

We expect cyber to be among the fastest-growing insurance lines over the next decade, and see the bigger carriers best positioned for growth based on their scale, distribution, expertise, and underwriting capacity.

In some sense, these companies have a first-mover advantage since they have larger market shares and a head start versus the competition. New entrants or newly established writers also may want to ramp up their books quickly, putting market share up for grabs in the coming years.