Twelve months ago in a rush of blood to the head, I wrote this article with a selection of cyber insurance themes I thought were pertinent for 2023. In the spirit of transparency, I thought I should mark my own homework, hold up a mirror, and see how my comments have survived the passage of another turbulent year, both within the cyber insurance market, as well as in the wider world.
Below are the themes I highlighted in January 2023, as well as my reflections on how close I was to what actually happened in the last 12 months of a dynamic market:
Rates stabilize and underwriting discipline continues
Accuracy score: 6/10
I was right, to the extent that rates stopped increasing, (following compound triple digit rate rises over the prior 2 years), though I, along with much of the market, underestimated the rapidity of rate drop off. One axiom of experienced insurance underwriters which should be listened to, is that a soft market is always longer than feared, and a hard market is shorter than hoped. The cyber market is still evolving rapidly, with new entrants and a changing threat landscape. As a result, the impacts of rate changes have manifested very differently across different geographies and segments. Rates have not just stabilized but seen (typically) single digit reductions in Q4 2023.
In terms of underwriting standards and controls, overall, the security measures which became a prerequisite to coverage in light of increased ransomware activity, have broadly remained a new baseline for insurers. Multi-factor authentication and effective data back-up strategies are now commonplace requirements of insurers. In the face of increased competition though, there has been some relaxation around the edges, on occasion compensated by technological scanning of risks. One beneficial effect of the insurance industry has been to raise expectations of security to improve the resilience of companies against cyber threats.
Regulators sharpen their focus on systemic risk
Accuracy score: 9/10
Based on wordcount alone, regulators have certainly focused more on this. As ever, the implementation of ideas raised is a slow and patchwork process. Regulators and governments have increased their attention on systemic cyber risk generally, and the role of insurance specifically. There have been several publications, including the US National Cybersecurity Strategy document, published in March 2023, which reference the need to manage the potential downside risk of catastrophic and systemic cyber risk. Part of the report includes a mandate to explore the feasibility of a federal cyber insurance backstop. This effort was furthered by the Federal Insurance Office and the Cybersecurity & Infrastructure Security Agency (CISA), which have engaged with the insurance industry to explore solutions.
In July, EIOPA (European Insurance and Occupational Pensions Authority) published their fourth report on the Methodological Principles of Insurance Stress Testing relating to cyber risk. This provides the parameters for disaster scenarios which should be considered by insurers in terms of their capital implications and the resilience required in a given portfolio to withstand these attacks.
In the UK, a parliamentary report published in December, provides a scathing view of the government’s approach to address the scourge of ransomware (which I wrote about separately here ). One of the solutions proposed is to develop a government reinsurance scheme to support resilience in the event of a major systemic cyber attack.
The trend away from quota share reinsurance will continue
Accuracy score: 6/10
This is harder to measure, but there were several leading indicators when major insurers of cyber risk cancelled their quota share protection altogether. However, it is a mixed picture and there are many more carriers who still protect cyber portfolios as part of a wider blended quota share program. From a reinsurance perspective, cyber risk is still an emerging specialty class. More reinsurers are building dedicated cyber reinsurance underwriting and analytics teams, which is a positive sign, though we are still in the early stages of development.
As insurers become more comfortable with attritional loss ratios, attention will increasingly turn to managing tail risk, whilst retaining more net underwriting income. Accompanying a reduction of quota share over time, is the gathering momentum of newer event and occurrence based reinsurance structures, which can provide more cost effective, targeted protection compared with traditional Aggregate Stop Loss products.
Analytics will become increasingly integrated into all aspects of the cyber insurance value chain
Accuracy score: 7/10
It is fair to say that analytics are an increasing part of the conversation, but I think it would be generous to say modelling is integrated across the value chain. Both RMS and CyberCube provided significant cyber catastrophe model updates in 2023, and these developments have been broadly positively received by users of these models. There is growing consensus about the high level criteria of the realistic disaster scenarios in play, though of course the devil is in the detail. As confidence grows in these models, they have become a more common currency which can be used by counterparties in trades, such as ILS investors (see below).
Among buyers of cyber insurance products, there has been growing understanding and acceptance of the value of outside-in scanning, as well as much-discussed proactive methodologies deployed by insurers and MGAs. There is still more education to demonstrate the value of these tools to policy holders, but there are positive signs emerging.
ILS investors will (finally) meet their match with (re)insurers
Accuracy score: 8/10
2023 started positively with the announcement of the first cyber private catastrophe bond from Beazley, and the Stone Ridge quota share support for Hannover Re. It has gathered momentum throughout the year, and now over $500m of cyber capacity has been drawn from capital markets. Most recently are the recent 144A tradeable cat bonds which have gone live (first out of the gate was Axis), as well as the new Perils / CyberAcuView index which has been used in the Matterhorn Re transaction.
It is still early stages, but the starting gun has been fired, and there are plenty of opportunities for investors to build on the foundation which was established in 2023. Compared to the property catastrophe bond market, the cyber capital market participation is a rounding error, but proof of concept has certainly been established, so expect more to come. The methodology behind the cyber cat modelling underpinning these transactions has become more accepted, and notwithstanding inevitable uncertainty, there is growing confidence in the approach.
On the whole, I would say the above are a reasonably good set of scores. On a macro level, notwithstanding localized headwinds in certain areas, the opportunities for the cyber insurance market remain undimmed. I have a continued optimism that new innovations in the way data, capital and talent come together can provide solutions for clients can help mitigate the ongoing risks inextricably linked with our ever-increasing reliance on technology and networks.
Was this article valuable?
Here are more articles you may enjoy.
US Roof Maintenance Lags: Hanover 
GEICO Tops Progressive With Higher J.D. Power Scores 
US Home Insurance Still Priced Too Low for Climate Risk, Says Swiss Re Chair 
Big ‘I’ Report: Independent Agency Channel Placed 62% of Premiums in 2023 
