Viewpoint: Cyber Insurance Market Themes to Look Out for in 2024

By Oliver Brew, Lockton Re | January 9, 2024

After my (relatively) successful effort in looking at 2023 cyber insurance themes, like a gambler on a streak of beginner’s luck, I wanted to have another roll of the dice in offering my thoughts on cyber insurance themes to look out for in 2024. As a hostage to my future self, the beginning of another new year is a good opportunity to set out what could be the dominant themes of the cyber insurance market as it continues to rapidly evolve and grow.

1. Event reinsurance gains momentum

Despite rapid changes in the nature of the original product and the underlying threat landscape, cyber reinsurance product structures have not kept pace with these evolving perils. Buyers have limited choices of proportional or non-proportional structures. Traditional purchases often include cyber as part of a broader liability proportional program, and some type of catch-all aggregate excess of loss cover. The challenge of these non-proportional programs is that as portfolios have grown, so attachments based on a loss ratio percentage have crept up as well. As a result, these excess of loss programs have rarely been triggered, given the consistent long term profitability (notwithstanding the spike of activity in 2019-21) of the underlying cyber portfolios.

Event based trigger reinsurance products have been available in the market for the past 1-2 years and have been specifically designed to address the inherent potential systemic exposure within cyber risk. In 2023 there were a small number of transactions, and it is my contention that 2024 will see much more widespread adoption. Concerns which have held back the product are being addressed, including hesitation about the clarity of the event definition language, as well as increased capacity. Now more meaningful limits can be purchased alongside aggregate excess of loss programs. Over time, these products offer more efficient ways to protect what is of most concern in cyber portfolios, being a major tail-risk event, whilst attaching lower and allowing insurers to retain more net premium where the risk profile is more predictable.

(This post first appeared on LinkedIn. It is republished here with permission.)

2. Insurtech consolidation

The insurtech M&A landscape has been relatively quiet in 2023, compared to the dizzy heights of 2021 and 2022. There have been a couple of notable exceptions such as Resilience with a $100m D round of funding and the acquisition of Corvus by Travelers (which closed on January 3rd). Historic valuations of some cyber MGAs conflated approaches of technology start-ups with insurance organizations, leading to some eye-watering numbers. After a reset and pause for breath, activity is poised to pick up again in 2024 with more potential consolidation in the underwriting, analytics, and related cyber security areas. As the cyber insurance market continues to expand geographically (and consequently there is a dilution of the USA as the relative majority of global premium), opportunities continue to emerge in newer, less developed markets.

Unlike (some might say) the bubble-like qualities of the last rush of investors into Insurtechs, there is a flight-to-quality for current investors, and a path to profitability is more of a prerequisite today compared with a previous pursuit of growth alone. Interestingly for public investors, the InsurTech index has topped 2023 performance of the different US based insurance stock indices. This augurs well for 2024, and there is a good platform where Insurtech companies fulfill the much vaunted potential they bring to improve processes, innovation, and technology to the insurance industry, rather than pushing against the industry by “disrupting” the key pillars.

Source: CB Insights Q3’23 report

3. Talent

It has often been said that cyber is a class of (re)insurance which requires specialists. The technical aspects of the peril, and the dynamics of the risk landscape are such that it is hard for generalists to wing it. Consequently, there is still a sharp dislocation in supply and demand of cyber (re)insurance practitioners. There are signs that this is abating in the early career category, but more experienced individuals remain in high demand. During the pandemic there was a relatively high turnover of experienced cyber industry professionals, exacerbated primarily by forced home working, which made it harder to maintain team cohesion. This has calmed a little, but as new entrants identify cyber as a major long-term opportunity, there continues to be an unquenchable demand for individuals who are conversant both in cyber security issues, as well as having a strong understanding of market dynamics.

As the market matures, companies which prioritise development pathways and technical training to upskill team members will be beneficiaries of the talent shortage. There is also growing demand for a more clearly articulated sense of purpose and social value for potential employees. Developing new talent internally will be an increasing trend, to expand the pool of experts to support the expected growth of the market.

4. Risk mitigation goes mainstream

Risk mitigation is a concept nearly as old as insurance itself. Early fire insurance companies provided ways to limit the spread of fire, and fire breaks were developed in agricultural land to reduce the potential harm of wildfires. Cyber insurance has developed a wide range of post-loss services for the wide range of challenges which can arise from a cyber incident. Today a number of insurers (and especially cyber MGAs) have expanded into offering pre-loss services and proactive ways of engaging with policy holders and brokers. 2024 will see these risk mitigation services becoming table stakes for most developed cyber markets. They range from vulnerability alerts to automated methodologies to provide real time risk scores for individual companies.

One challenge remains, and that is demonstrating the value these risk mitigation services bring to policy holders. It is incumbent on the industry to provide the incentives to increase adoption of these services, not simply to reduce coverage for those policy holders who do not embrace them.

5. Emerging threats combining

No list of this nature would be complete without referencing the dramatically increasing applications of artificial intelligence. ChatGPT exploded into public consciousness in 2023 and the business use cases in 2024 will likely increase exponentially. From a cyber risk landscape perspective, the value, both for attack and defence capabilities, is hard to overstate.

Additionally, there is an increasing overlap of operational technology and information technology. Industry segments such as critical national infrastructure and autonomous vehicles are emerging as segments which have potential vulnerabilities. When these issues are combined, new risks will manifest in unanticipated ways, which will challenge both the cyber security and insurance markets.

I’m acutely aware that this list is not comprehensive, is necessarily subjective, and inevitably will have shortcomings. Hopefully it provides some food for thought, and I welcome additional perspectives on what to look out for in 2024.
