Cyber Insurance Market Shows Variation in Risk Modeling, with SMEs Dominating Policy Landscape
AM Best’s recent report from its inaugural cyber insurance survey reveals a market still grappling with the complexities of risk assessment and evolving threats. The survey, which collected data from 41 of the 60 largest global cyber insurers, represents approximately $8 billion in premium—about half of the estimated global cyber insurance market.
The report highlighted the nascent state of catastrophe modeling for cyber events. Systemic risk remains a key concern for insurers, with many assessing aggregate exposures through catastrophe modeling. AM Best emphasizes that its focus is on management’s grasp of risk and the level of control insurers have over the assumptions and parameters used in their models, rather than endorsing any specific model.
Of the 41 participating companies, 30 reported utilizing some form of catastrophe modeling. Among these, 10 companies solely employed probabilistic models, while five used deterministic models, and 15 utilized both approaches. This diversity underscores the industry’s ongoing efforts to refine its risk assessment methodologies.
The survey data indicates that the majority of cyber insurance policy limits cater to businesses with less than $10 million in annual revenue. These small and medium-sized enterprises (SMEs) account for more than 80% of all cyber policies. While individual policy exposures might be relatively small, AM Best noted the potential for widespread losses if a significant number of these businesses use the same cloud providers or shared services.
Larger businesses represent a smaller proportion of policies but account for nearly 30% of total cyber premium due to their higher profile as targets and the volume of customer data they manage. Ransomware remains the most common type of claim, driven in part by the potential for quick payouts to threat actors.
The cyber re/insurance industry has faced significant challenges due to escalating cyber threats in recent years, leading to notable loss events. Between 2013 and 2019, the insurance sector experienced the highest share of loss events caused by malicious data breaches, with nearly 40% of incidents attributed to such breaches. In contrast, the healthcare sector saw malicious data breaches account for 18% of loss events during the same period.
The market has responded with rapid premium growth and declining loss ratios. Fitch reported that, in 2021, earned premium growth exceeded the change in incurred losses, and the standalone cyber loss ratio improved to 65% from 72% the previous year.
Survey data also showed that many reported claims were classified under “unknown” coverage types. This reflects a significant shift towards refining claims processes and improving classification procedures by insurers. AM Best expects the proportion of “unknown” classifications to decrease as these processes mature.
Of the claims categorized by coverage type, more than half were related to incident response. This underscores the continued frequency of ransomware events and business email compromise incidents. While some policyholders avoid ransom payments, others face larger financial losses tied to business disruption. AM Best’s findings indicate that business interruption claims are generally more costly per claim than incident response claims. The report noted that effective backups, timely patching, and network segmentation are crucial cyber hygiene measures that can help businesses mitigate the impact of incidents and quickly resume operations.
