Cyber Update - Clear and Precise Policy Wording: The Key to a Mature Cyber Insurance Market

 

According to a recent analysis from S&P Global Ratings (S&P), the cyber insurance sector needs “clear and precise policy wording” to build a sustainable market and encourage contract certainty for buyers and insurers.

 

The cyber coverage segment has grown faster than any other subsector of the insurance market, reaching $9.2 billion in global premiums in 2021. What’s more, the segment is likely to expand by an average of 25% to $22.5 billion by 2025, S&P commented in its report, titled “Cyber Risk in a New Era: The Rocky Road to a Mature Cyber Insurance Market.”

 

However, analysts warned that the numbers don’t show the complete picture or indicate the industry is on the right track.

 

“That growth might seem to be a sign of a burgeoning cyber insurance market, but rising rates account for much of the increase in total premiums over the past two years, rather than an increase in the number or size of insurance contracts,” Manuel Adam, a credit analyst with S&P, said in the report.

 

The industry will need to improve risk modeling to bolster market capacity, Adam added.

 

From S&P’s perspective as a ratings agency, the availability of cyber insurance can also affect a business’s creditworthiness. According to the report, price hikes have garnered criticism that cyber coverage is no longer affordable, particularly for small and midsized enterprises. Adam said such price changes have even discouraged some organizations from purchasing insurance.

 

“That, in turn, has led some companies and government entities to eschew or drop cyber coverage—a course of action that offers upfront cost savings, but could also make a recovery from a cyberattack more difficult,” Adam said.

 

S&P acknowledged the reasons behind cyber insurers’ wariness to take on more risk. Accumulation of risk already factors into S&P’s ratings of insurers, and it warned that “an overly aggressive expansion” into the cyber coverage segment for any insurer without effective risk controls would likely have a detrimental effect on corporate capital and earnings.

 

Ransomware attacks drove loss ratios higher in 2020 and 2021, and price increases over the last 18 months haven’t fully resolved the problem. But, with tougher underwriting and tighter terms and conditions, ransomware attacks shouldn’t pose an existential threat to the cyber insurance market.

 

Making a steady profit from the segment will continue to be challenging, S&P said, but insurers with a keen understanding of evolving threats and the ability to understand their insureds’ businesses and promote cyber resilience should succeed.

 

Price fluctuations for cyber coverage are to be expected going forward, according to the report. S&P also said it would be paying close attention to the cyber insurance market’s solutions for war exclusion language. Four model wordings recently drafted by the Lloyd’s Market Association were a good start, but need refining. Quality and consistency are crucial to improve policy transparency and boost risk appetite, S&P advised.

 

“There are other vexing issues that the market still needs to confront with relation to cyber war exclusions, including who bears the burden of proof in establishing the origins of a cyber incident, the extent of state involvement, and the relevance of an attack to a conflict's aims,” the ratings agency said. “Such questions must be answered, and not least because demand for cyber insurance will continue to increase.”