The cyber insurance market has changed drastically since the COVID-19 pandemic began, unsurprisingly leading to growing awareness and concerns about cyber risks. S&P Global Ratings (S&P) has released a new report delving into the “rocky road to a mature cyber insurance market.”
The report found a growing number of (re)insurers hesitating to underwrite larger risks, while more have decreased their risk appetite due to the increased frequency and severity of cyberattacks and greater systematic vulnerabilities. It also found that (re)insurers find it challenging to continually reassess evolving risk exposures, and dynamic contract conditions are likely to prove an enduring characteristic of the market.
S&P's findings reflect the results of Marsh's study that identified the latest cyber risk trends. The study also highlighted the results of Munich Re's 2022 survey of senior executives, which found that 38% of so-called C-level managers are “extremely concerned” by cyber threats, up from 30% in the last survey.
“Cyber insurance premiums topped $9 billion in 2021, according to Munich Re. That figure is likely to increase at an average of 25% per year to about $22.5 billion by 2025, according to S&P Global Ratings,” S&P's report said.
S&P expects strict underwriting to dominate the market, with the road to improved underwriting of cyber insurance signposted by clear and precise policy wording that mitigates evolving risks.
“The big challenge for (re)insurers in developing this wording lies in the need for continual reassessment of shifting risk exposures, which necessitates dynamic contract conditions and coverage concepts – both of which are likely to be enduring characteristics of the cyber insurance industry,” the report said.
It further emphasized the need for clearer terms in contracts due to the recent threat of spill-over from cyberattacks linked to the Russia-Ukraine conflict.
“At the heart of the issue are so-called war exclusions, which were designed to exclude claims arising from physical or kinetic war, but which have proven ill-suited to the context of cyber warfare. Notably, a traditional definition of war implies conflict between two nation states, while cyberattacks are often conducted by non-state actors, or in such a way that proves a state's role can
be difficult,” the report said. “That opens the door to policyholders claiming for damages that are part of a conflict or to insurers seeking to apply war exclusions to cyber claims simply because there is a major conflict underway.”
As the battle against cyberattacks continues, S&P advised insurers to focus on quality rather than quantity in the context of cyber insurance wording.
“Thankfully, the industry has begun to respond to that need for precision. In December 2021, Lloyd's of London announced the introduction of a new framework for cyber war exclusions, which applies different levels of exclusions in an effort to avoid ambiguity, while also maintaining some flexibility. Under the framework, all insurance policies written at Lloyd's must exclude losses due to war, in line with its requirement, but clauses can differ in the degree to which they exclude losses due to state-backed cyber operations,” S&P's report said.