Don't Cry For The Cyber Insurance Industry


The hand-wringing about cyber insurance rate increases, effectiveness and even future viability has come in a steady stream over the last two years. I don't claim to be an insurance expert, but I have come across some helpful numbers in a Moody's Investor Services Report from 7 November 2022 (paywall) and a NAIC Memorandum from 18 October 2022.

Insurance companies take in premiums, pay out claims and have non-claim payout expenses to run the line of insurance. Assuming the non-claim payout expenses are under control and relatively constant, the key number is the loss ratio. A simplified loss ratio = the paid out claims divided by the premium payments.

There is a loss ratio that represents break even: paid out claims + operating expenses = premium payments collected. Of course, the insurance companies are in business to make money, so they have a lower than break even target loss ratio that hits their profit objective. If an insurer is too aggressive in achieving and maintaining a lower than industry average loss ratio, they can lose business to others who will charge a lower premium and accept a higher expected loss ratio.

(A higher loss ratio due to lower premiums may also be acceptable if an insurer's costs are significantly lower than the competition. GEICO leveraged lower customer acquisition and servicing costs for many years to gain market share.)

With that as background, here are some loss ratio numbers for cyber insurance according to Moody's.

  • End of 2019: Loss Ratio = 47%
  • End of 2020: Loss Ratio = 73% (increase due to increases in claim payouts)
  • End of 2021: Loss Ratio = 65% (decrease due to premium increases)
  • Beazley... End of 2021 = 69% ... First 6 Months of 2022 = 49%

While the report doesn't have pre-2019 numbers, the cyber insurance industry had many very good years, even better than 2019, prior to 2019. The size of the market has grown so the pain in 2020/2021 was likely larger than the pleasure in 2015 - 2019.

The loss ratio curve is already bending down as the insurance companies like and require. Premiums are still going up, Moody's said 48% year over year in Q3 2022, but less than the 133% year over year increase in Q4 2022. Another possible reason for future reduced increases, or even reductions, in premium costs, and claim payouts, is improved underwriting that will limit insurance availability to companies that can attest to certain elements of a cybersecurity program. (This is an interesting area to watch with the degree of loss correlation to certain missing or present security controls. Will we finally get some hard numbers on security control effectiveness?)

The NAIC report also had some helpful numbers for analysis. The size of the US cyber insurance market (total premiums paid) in 2021 was $6.5B, up over 50% from $4.1B in 2020. Given the increase in individual policy premiums, this could be a static, or even decreasing, amount of coverage from 2020 to 2021. The NAIC's loss ratio numbers:

  • 2021: Loss Ratio = 66.4%
  • 2020: Loss Ratio = 66.9%
  • 2019: Loss Ratio = 44.6%
  • 2018: Loss Ratio = 35.3%
  • 2017: Loss Ratio = 32.4%

2017 and 2018 were fat years in cyber insurance, as were the years preceding them. Cyber insurance was still a small enough market that there was not a lot of price competition. And the operating costs were likely lower as underwriting was less rigorous.

Two other interesting items from the NAIC memorandum: 1) the highest ransomware payment by an insurer was $40M and 2) the current cyber-reinsurance market is insufficient - "50% of cyber insurance premiums are ceded to the reinsurance market".

Conclusions

Insurers had 5+ very good, very profitable years selling cyber insurance, years with a loss ratio exceeding even their target profits. They then had two bad years in 2020 and 2021, although you will see in the NAIC report that loss ratios vary greatly by insurer. For example, the second largest insurer with a 9% market share, Fairfax Fin Grp, had a 2021 loss ratio of 51.9% and likely a nice profit, while American Intl Grp with a 5% market share had a loss ratio of 130.6%, giving back a lot of those very high profits from earlier years.

The market is increasing premiums with the expectation of increasing claim payouts similar to what occurred in 2020/2021 and being much more selective in underwriting (who can get insurance). If the increase in attacks and claims does not continue, then you will see the insurers get back to above average profits.

Cyber insurance is still a new line of business. éireann L. told me years ago that insurance companies know how to develop new lines of business. They did it with the Barbary Pirates. They know how to deal with the ups and downs. I know most readers were not concerned about the financial viability and future of cyber insurance companies, but if you were, rest easy.

Joe Weiss PE CISM CRISC ISA Fellow

Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame

1 year ago

The insurance industry needs real numbers. Control system cyber incidents are more plentiful and impactful than most observers expect - more than 17 million directly resulting in more than 34,000 deaths. Most of the incidents were engineering-based cyberattacks used to camouflage a deficiency in the design of the product or to cause physical damage. Until the OT network-focused regulators and practitioners are willing to address engineering-based incidents and attacks, critical infrastructures cannot be secured and the insurance companies and credit rating agencies are at high risk. https://www.controlglobal.com/blogs/unfettered/blog/21438102/more-than-17-million-control-system-cyber-incidents-are-hidden-in-plain-sight

Robert T.

Risk, Technology, Security & Entrepreneurship

1 year ago

Thanks for your continued attention to this topic Dale Peterson! For EIP members, we did a detailed breakdown of the industry, venture capital and why it matters to the energy/industrial sectors: https://hypervisor.vc/insights/cyber-insurance/ Glad to discuss with anyone who is interested, but the full extent of our research is only available to members for now. That said, there are two important issues that I'd add to your excellent analysis above: 1. There is a big issue hiding in plain sight, between the number of policies-in-force (PIF) and gross written premium (GWP), because the policies skew towards SMBs. Some carriers have identified that they take very little risk writing a cyber insurance policy or rider for mom & pop stores, restaurants, etc. and exclusively target that market. Much of the hubbub in venture capital is focused on this market. 2. The amount of capacity available to large (Fortune 2000) privately owned critical infrastructure, such as investor owned utilities and their suppliers, is relatively small and shrinking. There's always self-insurance, mutual insurance (https://www.aegislink.com/) and insurance linked securities (ILS), but we still don't know if the market is insurable without gov. backing.

Gerry Kennedy

CEO Observatory Strategic Management

1 year ago

Dale Peterson this is a much bigger issue than just "Cyber Insurance". Start with the fact the word "Cyber" means nothing. It is an Anglicization of an amalgam of IT & OT known events. We in the insurance industry are in the definition of peril business, actuarial business and cash flow business. Your assumption of what you call non-claim payouts are under control and relatively constant could not be further from the truth. These are known as unallocated loss expenses and are NEVER known because they are inherently UNKNOWN, therefore the term unallocated. IT and OT infiltration and exfiltration and their concurrent causalities transcend every line of insurance business including: Property, Inland Marine, Professional, Crime, Workers' Compensation, General Liability & even Life Ins. We are in an entwined business through reinsurance contacts, Risk Retention Groups, Captives & more complexities that have not been taken into account by either of your sources of Moody's & the NAIC. Moody's has their Heat Map and all the other (paywall) driven reports. They have missed this and they know it. We are talking about unfunded covered losses like Mondelez, Merck & National Ink & Stitch at scale... we told them!

Jeroen Gaiser

Allround nerd & Cybersecurity enthusiast

1 year ago
Robert Sadler

OT Cybersecurity Analyst for Liberty Utilities

1 year ago

In contrast to other insurance industry products, there is little data to work with for insurance modeling and prediction. Many of today's policies are likely based on aggregate probabilistic modeling. As more data becomes available over time, idiosyncratic modeling will become more viable and individual corporate policies will become more cost adjusted. Until then the market may swing widely and insurance companies will continue to be more conservative to ensure product and service viability. They likely will also use this period to grow capital, the more widespread cyber incidents take place.
