During a recent S&P Global Ratings webinar, panellists revealed that while cyber insurance is progressing toward maturity, key challenges persist – while penetration rates among SMEs remain below 10%.
So, what are some of the challenges facing the market – and how are regulatory, technological and changing perspectives on cyber risk impacting take-up rates? These were among the questions put to WTW’s Anand Patel (pictured left) and Zywave’s Jeff Cohen (pictured right) in a recent interview with Insurance Business. From Patel’s perspective, there are two core areas influencing market conditions today, for better and for worse – the evolution of AI and changing regulation.
AI advancements and the growing level of automation that this enables is seeing the weaponisation of cyber in a variety of ways, he said, which, in turn, is reshaping the threat landscape. “It’s providing an area where there are low barriers to entry, and the ability to conduct more sophisticated attacks with faster and adaptive malware, which presents a huge risk to the industry globally.
“The other side of that which we’re seeing is around regulation – the legal landscape is evolving quite quickly as a consequence. I think it’s really refreshing to see that governments are ramping up their regulations. Within Europe, for example, we've seen the introduction of GDPR, and we’ve now got DORA, an act which specifically focuses on financial institutions and the requirements that they’re putting in place means that they’re recognising the potential impact that this risk will have, and helps ensure that those companies are putting appropriate safeguards in place.”
From a loss-data perspective, Cohen said it’s essential to be mindful of the rapid changes that AI is going to bring as the whole technology capability landscape continues to shift. Particularly in the US, question marks are emerging over what’s going to happen with regard to the potential for significant litigation, increasing the cost of risk. These are contributory factors to changes in the cyber landscape, which is further complicated by the fact that cyber is not contained to any one geographical boundary.
Assessing how these conditions are impacting the lay of the cyber insurance market, Cohen noted that new capacity is coming into the cyber marketplace all the time in the form of insurance companies and MGAs. “So, you’ve got this interesting conundrum between having lots of areas to get cyber coverage, while the take-up rate is slow. I am hearing from insurance executives who talk about how the price is softening, but it’s an anomaly.”
Taking a longer-term view of the changing market conditions, Patel highlighted that there has been a “massive hardening” within the cyber insurance market between 2020 and 2022 and that the amount of premium now being transacted through the marketplace has grown substantially over the last five years. A lot of that is down to the changing risk landscape, and the dominance of ransomware as a driving force behind cyber losses. “A lot of that stems from the increased capabilities of threat actors to be able to exploit a whole range of different vulnerabilities across the system.
“Therefore, the market has now recognised that businesses need cyber insurance. I think there's a greater adoption by businesses to accept cyber insurance as part of a range of protection measures and as part of their technology processes. If I look back five-to-ten years ago, there was some reluctance from technology officers to admit that, actually they should be purchasing cyber insurance. It was a matter of pride that their companies didn’t need insurance in place to mitigate cyber consequences. But now, it’s widely adopted at the large enterprise level.”
There has been a tremendous amount of uptake within that larger, corporate space, he said, but the same doesn’t necessarily hold true beyond those tier-one clients. Across the mid-market segment, there’s increasing comprehension of the impact that cyber risks can have on their operations, which is being largely driven by their growing understanding of the risks presented by their supply chains. But if you go a step further into the SME segment, the take-up rate is still very low – and there’s still a lot of room for that market to evolve.
From a geographical perspective, he said, the US has led the way when it comes to cyber insurance, and still makes up the bulk of the premium as well as the bulk of the risk. “I do think the rest of the world has been relatively slow, and they're playing catch-up now in terms of getting that sophistication, the capacity, and the growth in the number of insurers that have appropriate solutions in place.
“It's a tough challenge for the market at the moment, not just from a purely capacity perspective, but from a skills perspective. The lack of availability of that expertise and the required knowledge to support this business area is one that is clearly a challenge across all the different areas of underwriting, claims, and cyber response services, and in understanding how to set up good cybersecurity as part of businesses. There's still a gap in the skills needed to be able to get to a mature level.”
