Cyberinsurance is getting cheaper, with premiums falling around 15% since they peaked in 2022. Commenting on a report from broker Howden, Reuters suggests business has become more adept in curbing losses from cybercrime.
“Added security such as multifactor authentication has helped to protect companies’ data, reducing insurance claims,” writes Reuters on July 1, 2024. It would be good if this were true, but most things are usually more complex than they first appear.
Cyberinsurance premiums increased rapidly in 2021 and 2022. The insurers got their sums wrong through an insufficient understanding of the cybercrime market. They were forced to redefine a cyberwar exclusion clause, increase denials and exclusions, and hike premiums. Now premiums are declining again.
“Fewer companies are willing to invest a considerable amount of money in cyberinsurance after a bad experience when insurance coverage was denied for various reasons and contractual clauses subtly incorporated into the insurance agreement,” comments Ilia Kolochenko, partner & cybersecurity practice lead at Platt Law LLP, and CEO at ImmuniWeb.
Now the cyberinsurance industry is becoming more mature with better actuarial understanding of the risks, he adds. The implication is that improved security from the insureds, better understanding of security from the insurers, and a more discerning marketplace is forcing the insurers to reduce premiums to maintain market share.
This is partly true, but it is important to understand the insurance industry is more accustomed to creating market conditions than it is to responding to them. Its purpose is to cover loss. Neither the insurance industry nor the entire cybersecurity industry can prevent breaches; but breach prevention is less important than loss reduction for the insurer. In the past, this loss reduction was achieved by increasing exclusions. There is little evidence that security is preventing breaches, nor its own resilience is seriously reducing loss.
The change in premium rates is more likely to be the insurers’ correction than the insureds’ improvement in security. “What we are likely seeing with lower premiums is a consequence of several factors: the insurance market’s cyclical nature, now with more capacity in the market, combined with self-insurance retentions covering many of the frequency losses,” suggests Marko Polunic, MD at Fenix24. The missing key to understanding what is happening is that term, ‘the insurance market’s cyclical nature’.
The insurance cycle is described in Wikipedia as “a term describing the tendency of the insurance industry to swing between profitable and unprofitable periods over time…” Such swings are common to all businesses but are particularly relevant to insurance.
Within this insurance cycle, the swing is between a ‘hard market’ and a ‘soft market’. Howden defines it thus: “In simple terms, [a soft market] is when there is a lot of insurance capacity, and rates are low. Conversely, a hard market is when insurance capacity is reduced and premium rates are high.” Noticeably, the state of the insured does not figure.
“Insurance markets (cyber, property, D&O, etc) tend to run through rating cycles,” explains George Mawdsley, head of risk solutions at DeNexus. “What makes cyber unique is that there is material uncertainty around how big the ‘Big Storms’ can get, which means capital allocators will make conservative assumptions on max downside or will not invest. Given the strong growth projections (demand) for the cyber insurance market, we expect this dynamic to drive up prices over the long term.”
“Insurance is and will continue to be cyclical, and we are seeing those cycles play out here,” concludes Polunic.
In other words, do not expect the current lower premiums to continue. Markets are unstable, and the insurance market is exceptionally unstable. This is just a correction. Because of the current state of the insurance cycle, the cost of insurance is lower. The next correction will likely see premiums increase again – and because of the inherent instability of the cyber market, it may be sooner than we expect.
Related: Talking Cyberinsurance With Munich Re
Related: The Wild West of the Nascent Cyberinsurance Industry
Related: Cyber Insights 2023 | Cyberinsurance
Related: The Reality of Cyberinsurance in 2023
Related: UK Think Tank Proposes Greater Ransomware Reporting From Cyberinsurance to Government
