Cyber reinsurance capacity squeeze to persist
Lack of capacity likely to continue as sector grapples with factors including discipline in excluding non-insurable risks, confidence in controlling and modelling accumulation risk and clear and transparent working in policies
While some reinsurers will try to be innovative, experts do not expect significant new capacity to enter the market
Cyber is a growing market. A recent report from S&P Global Ratings said cyber insurance premiums could increase at a rate of 25% a year from $9bn in 2021 to about $22.5bn by 2025. It added demand for reinsurance and retro capacity is now particularly important in this class as primary insurers cede between 45% and 55% of cyber insurance premiums to reinsurers at present, up from around 35% to 45% a year ago.
“This situation presents a significant opportunity for insurers to expand their revenue and diversify their portfolios, although success in the current cyber market is not guaranteed,” Anthony Cordonnier, global co-head of cyber at Guy Carpenter, said. The rapid growth of the market has created reinsurance constraints that “show no immediate signs of slowing”, Erica Davis, the other global co-head of cyber at the global broker, echoed.
Reinsurance capacity remains available to primary insurers but is not abundant and requires close collaboration between reinsurer and cedent. “As the demand continues to increase in the direct market and there is a continued lack of new entrants into the reinsurance market, the squeeze on reinsurance capacity for cyber insurers will continue to be exacerbated,” Davis said.
Guy Carpenter is not the only organisation in the sector pointing to a lack of new entrants into the market. Simon Ashworth, head of analytics at S&P, said while the reinsurance sector is “keen to embrace the peril”, there needs to be a “broadening out” of the players in the space. “Will that happen in the short term? It will really hinge on terms and conditions, war exclusion and how the sector can define topics that are appropriate for policyholder needs,” Ashworth said.
While the foundations are there for what Ashworth described as a “healthy discussion”, in the short to medium term he said he does not expect serious changes to rates or the terms of coverage available. “You may see some insurers and reinsurers that attempt to be more pioneering in the space but, at least for the moment, it’s somewhat of a status quo,” he said.
Munich Re, one of the major reinsurers leaning into cyber, said it expects a hard market with further limits to capacity to prevail in the year ahead, with rate increases likely, especially for large and mid-market risks. Last year, the firm said its share of the cyber market was around 10% and estimated this would rise to 24% by 2025.
“Various pre-conditions must be fulfilled to ensure sufficient capacity in the market,” a Munich Re spokesperson told Insurance Day. These include, among others, strict discipline in excluding non-insurable risks, confidence in controlling and modelling the accumulation potential – a feature of cyber risk that puts many off – and clear and transparent working in policies. “From Munich Re’s perspective there have not been any notable changes to cyber risk or our understanding of that risk, but we acknowledge continuous investment, monitoring, discipline and consistency are key,” the spokesperson continued. “We aim to keep our position as the leading provider of cyber insurance and maintain a significant global market share.”
“A key differentiator between the risk carriers that will succeed in the cyber market and those that may struggle will be due to the investments in and implementation of predictive analytics”
Something the reinsurance market clearly wants is a better understanding of the risks primary insurers are underwriting. Strict discipline on exclusions, confidence in controlling and modelling cyber’s accumulation potential and clear and transparent wording of contracts are among the conditions needed for sufficient capacity in the market, according to Munich Re.
Cordonnier at Guy Carpenter said better collection and use of data on the part of primary insurers could be one way to achieve a better understanding of the risk. “Predictive analytics already has a clear role in traditional actuarial processes such as loss ratio analysis and forward claims modelling. There are even greater possibilities for predictive analytics to be deployed in risk selection, portfolio management and reinsurance structure design,” he said.
“A key differentiator between the risk carriers that will succeed in the cyber market and those that may struggle will be due to the investments in and implementation of predictive analytics,” he added.
Since the market corrections in the late 2019, primary insurers have been largely choosing their risks based on the perception of how sophisticated sectors are as a whole in managing cyber threats, with knock-on effects on capacity for sectors deemed less secure. As a result, financial institutions, larger retailers, healthcare and hospitality were more likely to find cover than, for example, the public sector or smaller businesses.
“The thing with that, though, is you’re not actually writing clients that are the best, you’re writing certain industries you deem – simply due to the losses you’ve seen – to be the most effective. As consequence, for a number of industries, they just found capacity disappeared almost overnight,” Tom Draper, technology and cyber practice leader at cyber managing general agent Coalition, said.
Better data could help primary insurers find better risks and secure the reinsurance capacity they need. But while the market is doing more to collect data, Draper said, work still needs to be done using it. “We’re not seeing [insurers] engage with [the data], we’re not seeing them implement the data and build it into real models, built into the underwriting," he said. "That is going to be a challenge for the market. And insurers that are able to use the data they have and see where the market is at dislocation will win the business and will charge the right price."
But there might also be push as well as pull factors that lead to a renewed interest in providing cyber reinsurance capacity. Through alternative capital markets, the peril could offer investors an opportunity to divest their exposures from perils such as natural catastrophe, which has recently had a few bad loss years. S&P Global recently published a report arguing insurance-linked securities would be a perfect fit for the cyber market if only the appetite from investors was there. However, at the moment concerns about the substantial accumulation risk and the complexity and heterogeneity of cyber perils have acted as disincentives.
And demand for cyber reinsurance could be set to increase as more insurers look to write cyber as a primary line. As markets like director's and officers' start to soften, Draper predicted some insurers might start turning back to cyber to fill in their premium budget gaps. “I think there is going to be a situation probably for the next 18 months where the insurances are going to have to rethink their philosophy on how they want to write [cyber] business because they may need to,” he said.