Mind the protection gap: 90% of cyber losses uninsured, Swiss Re says

Report proposes 'self-funding' insurance model for export industries

The protection gap for cyber crime risk is significant, with premiums amounting to just a fraction of total losses from cyberattacks and most firms either uninsured or significantly underinsured, a new Swiss Re Institute report says.

Cyber risk “does not meet all the characteristics of insurability,” and this is limiting the potential growth of the insurance market, it says, recommending that insurers increase contract consistency and clarity, use standardised data and better modelling, and identify new sources of capital.

The cyber insurance market remains small, with global premiums estimated at $US10 billion ($15.47 billion) last year, compared with annual global cyber losses of $US945 billion ($1.46 trillion) – indicating roughly 90% of the risk remains uninsured.

Swiss Re Institute forecasts 20% annual premium growth to 2025, with total premiums more than doubling, but says there is “much work to do” to ensure sufficient risk protection is available.

“This effort will require collaboration between businesses, the insurance industry and government”.

A lack of standardised data and modelling constraints make cyber risk hard to quantify, and Swiss Re Group Chief Economist Jerome Haegeli says while demand for cyber insurance is growing, a high degree of uncertainty over expected losses and the fast-evolving nature of the risk means “its insurability is limited”.

“This in turn restrains market capacity, leading to a protection gap of around 90%,” he said.

Currently, future risks are inferred on backward-looking data – an “approach of limited value” in a rapidly changing environment of cyber risk.

“Introducing cybersecurity standards will improve data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modelling,” the report said.

See also  How do I know if I am underinsured?

“The high degree of uncertainty regarding expected losses and the evolving nature of the risk challenges the insurability of peak and accumulation risks.”

The “relative youth” of the cyber insurance market and complexity of the risk are reflected in a lack of standardisation for exclusion clauses and policy terms and conditions, it says, while exposure to systemic risk remains “a barrier for industry capacity”.

“Factors such as attribution of cyber events remain a core problem. By clarifying the scope of coverage, as well as supporting risk analysis and mitigation efforts, contract clarity and consistency can lead to increased cyber capacity,” the report said.

It also says a public-private partnership insurance scheme, where coverage of systemic risks is split between insurers and a government-backed fund, is an option to address part of the protection gap, and recommends alternative capital, such as development of a market for cyber-insurance-linked securities.

Swiss Re Head Cyber Reinsurance John Coletti says systemic losses could overwhelm insurers, with entrenched interconnectedness threatening that a single cyberattack could “potentially affect the entire portfolio of an insurer”.

“The prospect of a state-sponsored or private attack on another country/region with catastrophic fallout is very real,” the report said, adding that this restrains capacity despite growing demand and brings into doubt the sustainability of the market.

“Some of today’s cyber risks do not fully meet the typical characteristics of insurability,” it said. “The aggregation of losses could quickly and significantly impair diversification and/or challenge market capacity.”

Two-thirds of current global cyber-insurance covers are written for US clients, and the top 10 direct cyber insurers account for 57% of the US market. The average premium for standalone policies written in 2021 increased to $US12,161 ($18,823), and around 259,000 standalone policies were reported in force at year-end 2021, and 3.5 million packaged cyber policies.

See also  Does State Farm give you a grace period?

The report says there were $US4.83 billion ($7.48 billion) direct premiums written by insurers for US cyber last year, up 74% from year earlier. Top of the list last year was Chubb at $US473 million ($732.19 million), followed by Fairfax Financial, Axa SA, Tokyo Marine, AIG, Travelers and Beazley.

Swiss Re notes a surge in ransomware attacks drove loss ratios higher in 2020 and insurers responded by increasing prices, improving underwriting discipline, introducing sub-limits and coinsurance, clarifying terms and conditions, and excluding cyber exposures in other property and liability policies.

As a result, loss ratios plateaued last year.

Swiss Re estimates 40-50% of global cyber insurance premiums are ceded – well above the 15% commercial lines average – and says while this provides potential for new entrants to gain a foothold in the market, capacity remains constrained due to the potential for large systemic loss events.

The report lists a number of significant cyber crime case studies, including the attack on JBS last year.

The Brazil-based meat processing leader was forced to halt beef and poultry processing operations at multiple locations in Australia and the US for some days until it paid a ransom of $US11 million ($17.03 million).