Slowing US cyber insurance market prompts need to further invest in risk prevention

In 2023, direct written premium in the US rose by only 0.1% according to recent numbers reported by AM Best. Intangic explores how a deceleration in the speed of cyber market expansion points to the need for a new approach.

 

US cyber growth stalls

In 2023, US cyber insurance experienced a reality check. It is the biggest slice of a global cyber market that has been the fastest-growing segment of the Property & Casualty (P&C) sector for several years. Globally, that market has been projected to skyrocket to as much as $43 billion in GWP by 2030 at an approximate 30% compound annual growth rate (CAGR). However, direct written premium (DWP) in the US rose by only 0.1% to $7.2 billion, according to recent numbers reported by AM Best. The dramatic slowdown in premium growth came as improved loss ratios drove better underwriting results, despite a record number of reported attacks. This occurred even as underwriters cited continued improvements in cyber controls.

 

Even before the CrowdStrike outage, risk aggregation concerns persisted, and worries about artificial intelligence (AI) grow by the week. Meanwhile, the market's significant dependence on reinsurance is the ultimate determinant of whether increased capacity will be there to meet growing demand.

 

Speed of digital transformation far outpaces ability to manage risks

US cyber DWP reflects about half the ~$14 billion global market, not accounting for non-NAIC numbers or the UK, EU, and Asia. The DWP deceleration could be due in part to the decline in rates rather than a reduction in policy sales or lower limits. But to see any contraction or flatlining this early in the growth cycle, when ~30% CAGR was the expectation, represents a large enough miss that it points to underlying shortcomings in the market.

 

Who’s the primary loser in this scenario? In our view, it’s insureds, who are continuing to push through with insufficient cover relative to peril and value at risk. In the first half of 2024 and late 2023, we’ve seen some of the most expensive loss events in history – Change Healthcare, MGM, Clorox, and Caesars, to name a few. Change Healthcare alone announced that the cost of the breach has exceeded $2 billion USD.

 

The secondary loser would then, of course, be carriers and reinsurers in the US market lacking that high-growth opportunity everyone’s been pursuing and factoring into annual revenue projections.

 

One thing is certain: the amount of risk exposure only continues to grow as digital transformation efforts far outpace companies’ ability to adequately transfer risk.

 

Here’s a number for you: the global cyber market in 2023 – approximately $15 billion – is just 3% of the $500 billion in market capitalization that the darling of AI and digital transformation, Nvidia, lost in a week in late June.

 

This means the protection gap – which the Global Federation of Insurance Associations put at about $900 billion last year – will continue to increase in the face of a lower-growth cyber market. Improved modeling of the risk has to be part of the equation, as players like Howden Re have recently pointed out, and this starts with understanding and modeling the actual versus the perceived risk.

 

Underwriters generally claim that two things are responsible for better loss ratios over the past year: better controls adopted by insureds, in part at the insistence of underwriters, and tighter policy wordings. But 2023 saw overall losses from breaches reach new heights. The average cost of a data breach hit a record $4.45 million in 2023 according to IBM, and breach numbers set a new record. So, while loss ratios have improved, the risk management outcomes for insureds have not kept pace, and it’s possible that all the gains for underwriters have already been achieved.

 

This is more than a question of insureds continuing to improve their cyber controls, particularly for large, sophisticated corporates already investing the lion’s share of the $215 billion spent annually on cybersecurity, or of re/insurers providing more excess layer cover. For the cyber market to reach the level that the peril requires, it is certainly going to take more than a further decline in rates (already falling 6% globally this year, as per Marsh) to entice buyers to purchase more cover. That’s particularly the case at the primary layer, even if more capacity were available.

 

Time for a different approach

For the cyber market to reach its potential and sustain the level of growth needed to close the protection gap – something Intangic considers an urgent issue for insureds – there is a need to change the way we assess the risk from an underwriting perspective (more on that in another note) and manage it from an insured perspective.

 

We need to put solutions in the hands of risk officers and information security teams that don’t just provide more cover, but improve risk management outcomes, lowering the frequency and severity of losses.

 

This starts with a more preventative approach towards assessing the risk. We need more of an emphasis on better early threat detection and analysis that in turn enables security teams to prioritize and remediate small problems. Fixing small problems before they become big ones lowers the likelihood of a large, costly breach.

 

This stands in contrast to the approach that is built on an even heavier reliance on protection – a continued increase in cybersecurity spend – coupled with risk transfer that is still more about loss recovery than prevention.