The hand wringing about cyber insurance rate increases, effectiveness and even future viability have come in a steady stream the last two year. I don’t claim to be an insurance expert, but I have come across some helpful numbers in a Moody’s Investor Services Report from 7 November 2022 (paywall) and a NAIC Memorandum from 18 October 2022.
Insurance companies take in premiums, pay out claims and have non-claim payout expenses to run the line of insurance. Assuming the non-claim payout expenses are under control and relatively constant, the key number is the loss ratio. A simplified loss ratio = the paid out claims divided by the premium payments.
There is a loss ratio that represents break even, paid out claims + operating expenses = premium payments collected. Of course the insurance companies are in business to make money so they have a lower than break even target loss ratio that hits their profit objective. If an insurer is too aggressive in achieving and maintaining a lower than industry average loss ratio they can lose business to others who will charge a lower premium and accept a higher expected loss ratio.
(A higher loss ratio due to lower premiums may also be acceptable if an insurer’s costs are significantly lower than the competition. GEICO leveraged lower customer acquisition and servicing costs for many years to gain market share.)
With that as background, here are some loss ratio numbers for cyber insurance according to Moody’s.
- End of 2019: Loss Ratio = 47%
- End of 2020: Loss Ratio = 73% (increase due to increases in claim payouts)
- End of 2021: Loss Ratio = 65% (decrease due to premium increases)
- Beazley… End of 2021 = 69% … First 6 Months of 2022 = 49%
While the report doesn’t have pre-2019 numbers, the cyber insurance industry had many very good years, even better than 2019, prior to 2019. The size of the market has grown so the pain in 2020/2021 was likely larger than the pleasure in 2015 – 2019.
The loss ratio curve is already bending down as the insurance companies like and require. Premiums are still going up, Moody’s said 48% year over year in Q3 2022, but less than the 133% year over year increase in Q4 2022. Another possible reason for future reduced increases, or even reductions, in premium costs, and claim payouts, is improved underwriting that will limit insurance availability to companies that can attest to certain elements of a cybersecurity program. (This is an interesting area to watch with the degree of loss correlation to certain missing or present security controls. Will we finally get some hard numbers on security control effectiveness?)
The NAIC report also had some helpful numbers for analysis. The size of the US cyber insurance market (total premiums paid) in 2021 was $6.5B, up over 50% from $4.1B in 2020. Given the increase in individual policy premiums, this could be a static, or even decreasing, amount of coverage from 2020 to 2021. The NAIC’s loss ratio numbers:
- 2021: Loss Ratio = 66.4%
- 2020: Loss Ratio = 66.9%
- 2019: Loss Ratio = 44.6%
- 2018: Loss Ratio = 35.3%
- 2017: Loss Ratio = 32.4%
2017 and 2018 were fat years in cyber insurance, as were the years proceeding them. Cyber insurance still was a small enough market that there was not a lot of price competition. And the operating costs were likely lower as underwriting was less rigorous.
Two other interesting items from the NAIC memorandum: 1) the highest ransomware paid by an insurer was $40M and 2) the current cyber-reinsurance market is insufficient – “50% of cyber insurance premiums are ceded to the reinsurance market”.
Insurers had 5+ very good, very profitable years selling cyber insurance. Years with a loss ratio exceeding even their target profits. They then had two bad years in 2020 and 2021, although you will see in the NAIC report that the variance in loss ratios by insurer varies greatly. For example the second largest insurer with a 9% market share, Fairfax Fin Grp, had a 2021 loss ratio of 51.9% and likely a nice profit. While American Intl Grp with a 5% market share had a loss ratio of 130.6%, giving back a lot of those very high profits from earlier years.
The market is increasing premiums with the expectation of increasing claim payouts similar to what occurred in 2020/2021 and being much more selective in underwriting (who can get insurance). If the increase in attacks and claims does not continue, then you will see the insurers get back to above average profits.
Cyber insurance is still a new line of business. Éireann Leverett told me years ago that insurance companies know how to develop new lines of business. They did it with the Barbary Pirates. They know how to deal with the ups and downs. I know most readers were not concerned about the financial viability and future of cyber insurance companies, but if you were, rest easy.