Cyber insurance market trends to watch: 2023 and beyond

As cyber attacks continue to rise, cyber awareness increases and cyber security and privacy laws and regulations strengthen globally, demand for cyber insurance has increased even as premiums soar.

Demand means opportunities; but it can also mean greater risk and exposure. As a result, concerns about the sustainability of cyber insurance are growing, even leading Mario Greco, chief executive officer at insurer Zurich, to claim that cyber attacks are set to become "uninsurable".¹

Individual insurers will need to decide how to balance the commercial decision of growing their cyber insurance portfolio with their capacity and risk appetite for absorbing potential large losses.

In 2023 and beyond, the focus of the cyber insurance market will likely continue to be on measures to ensure its sustainability in the face of rapidly evolving cyber risks.

But what does this quest for sustainability mean in the short and long term for the cyber insurance market?

In the short term

1. Tighter underwriting will continue

In the short term, the cyber insurance market will continue to tighten policy language and flush out "silent" cyber exposure.

This will primarily be done through greater clarity on affirmative and non-affirmative cyber cover in policies; greater clarity in relation to exclusions imposed; bespoke exclusion endorsements relevant to any new and emerging threats; more stringent limits or sub-limits, and higher deductibles.

For example, in the last few years, the insurance market has been confronted with the issues of war exclusions and insuring hostile cyber activity. At the end of 2021 the Lloyd's Market Association drafted four model war, cyber war and cyber operations exclusion clauses, which provide Lloyd’s syndicates and their (re)insureds (and brokers) with options:

• for a war exclusion they can include in standalone cyber insurance policies; and
• in respect of the level of cover provided for cyber operations between states that are not excluded by the definition of war, cyber war or cyber operations that have a major detrimental impact on a state.

Subsequently on 16 August 2022, Lloyd's issued a market bulletin titled "State-backed cyber attack exclusions" requiring, from 31 March 2023, that all standalone cyber policies must include, at the inception or on renewal of each policy, a suitable exclusion clause excluding liability for losses arising from any state-backed cyber attack with the following minimum requirements:

1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3) Exclude losses arising from state-backed cyber attacks that
   
   a. significantly impair the ability of a state to function; or
   b. significantly impair the security capabilities of a state.
   
3. Be clear as to whether cover excludes computer systems that are located outside any state affected in the manner outlined in 2(a) & (b) above, by the state-backed cyber attack.
4. Set out a robust basis by which the parties agree on how any state-backed cyber attack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.

Lloyd's has around 20% of the global cyber market. It is hoped that having such exclusions for potentially catastrophic events with robust wordings can provide the parties with clarity of cover, so that risks can be properly priced and reduce the risk of coverage disputes.

In 2023 and in the short term, insurers globally are expected to continue to tighten policy language and underwriting standards in a bid to ensure the sustainability of the cyber insurance market, whilst they work on either increasing capacity or developing more innovative approaches towards underwriting cyber risks.

2. Third-party claims will rise

In the short term, the cyber insurance market is expected to grapple with an increase in third-party claims.

Standalone cyber insurance policies cover a range of losses related to cyber incidents and are typically classified as first-party or third-party coverage. The bulk of indemnity payments under cyber insurance policies to date has been for first-party losses such as forensic investigation costs, legal costs, public relations costs, costs related to the loss of or damage to data, content-related claims related to data, privacy notification costs or costs associated with cyber extortion reimbursement.

However, with:

• regulators' increased interest in cyber security and an uptick in enforcement activities around cyber security (eg. the ASIC v RI Advice [2022] FCA 496 case);
• the increasing scale of data breaches; and
• growing prioritisation by consumers of their individual rights to privacy and increased expectations around companies' data protection measures following large-scale data breaches in 2022,

insurers can expect an increase in claims made under cyber insurance policies for third-party coverage in the short and medium term. This includes fines and penalties imposed by regulators and compensation to third parties for failure to protect their data.

In the long term

1. Defining and tackling systemic cyber risks

In the longer term, the cyber insurance market will continue to prioritise tackling systemic cyber risks. However, in order to find a sustainable solution to this problem, there first needs to be a common understanding of what the problem entails.

There is no single, widely accepted definition of systemic cyber risk, and most definitions are vague.² In a 2017 report, AIG had defined systemic cyber risk as "capable of impacting many companies at the same time".³

Whatever the definition, the concept of systemic cyber risk boils down to the possibility that a single event or development might trigger widespread failures and catastrophic consequences spanning multiple organisations, sectors or nations, particularly due to various forms of interdependency, whether financial, biological, logistical or digital.⁴

Notably, supply chain attacks and disruptions are a well-known systemic risk with global consequences which the insurance industry has, and will continue, to address to ensure cyber insurance remains sustainable.

In light of the frequency of supply chain attacks on organisations, it is more important than ever for the cyber insurance industry to define what is meant by "digital supply chain" and better understand the potential losses that may arise from a third-party cyber attack. Insurers have begun to do this in a number of ways.

Following the Solar Winds compromise, insurers began reviewing their overall exposure to systemic, aggregated and correlated risks related to the software supply chain.

As a precondition to writing or renewing cover or determining a premium, insurers are increasingly looking at an organisation's third-party arrangements. This requires not just visibility around the supply chain, but also evidence that the organisation has considered the known risks of its supply chain, are actively managing these risks and have persistent monitoring in place. In particular, insurers appear to be looking closely at managing known risks through supply contracts with limits of liability, assurances regarding cyber security posture and rights such as right of audit.

Insureds are also expected to have considered the unknown risks to the supply chain and be able to provide evidence that these risks are being mitigated through strong cyber defences and a risk-aware culture.

Whilst focusing on ways to minimise cyber risk, insurers continue to face difficulties in finding a market-leading but pragmatic approach to quantifying and managing supply chain risk. A report by PwC notes that while 85% of respondents claim to have loss estimation methodology in place, the majority use simplistic exposure and factor-based methods, which have in the past shown to underestimate the risk.

Quantifying and tackling systemic cyber risks like supply chain attacks will likely continue to be a focus for the insurance industry in 2023 and beyond.

2. Innovative insurance solutions

In the long term, insurers will need to devise innovative solutions to address their cyber risk exposure and capacity issues to ensure the cyber insurance market remains sustainable.

This can already be witnessed in the insurer Beazley's unveiling in January 2023 of a US$45 million catastrophe bond (CAT) for major cyber events.⁵ The Beazley bond provides Beazley with indemnity against catastrophic events that exceed US$300 million. CAT is essentially a method used by insurance companies to reduce their risk by transferring the financial risk on investors, who in return receive attractive investment rates. It is said to be the first insurance-linked securities (ILS) instrument established in the cyber insurance market. The CAT offers an alternative for the insurance industry to spread coverage risks and provides insurers with a new source of capital.

There are two other possible avenues that will likely be developed further by insurers in the long term:

Parametric cyber insurance

Parametric insurance provides cover based on a pre-defined trigger. It has commonly been used in situations where it is difficult to quantify the exact loss that would result from a particular event, such as natural catastrophes or agriculture.

In the context of cyber, the trigger could be a physical trigger such as the number of hacked computers or the cost of damage and repair to the computers. Compared to traditional indemnity-based coverage products, which often require time-intensive damage and loss assessments, parametric insurance has the benefit of providing quick payouts following the trigger event.

In the context of cyber risk, in December 2019 reinsurer Chaucer partnered with InsurTech Qomplx to launch the first dedicated cyber parametric multi-peril insurance (WonderCover). The policy provides protection against operational losses arising from data breaches, IT interruption and non-property terrorism damage. In particular, payouts of a pre-determined amount are made if any of the following trigger event occurs:

• A GDPR breach that requires notification;
• An IT outage with services interrupted; or
• Terrorism non-damage business interruption.

Whilst WonderCover has smaller limits of between GBP5,000 and GBP100,000 and primarily targets UK small businesses, parametric insurance may potentially provide a viable alternative for the insurance industry to address certain large-scale cyber events.

Insurance industry playing a leading role in boosting the public-private partnership

Catastrophic cyber events and systemic cyber risks give rise to large aggregate losses, which the private insurance market may not be able to carry on its own. Government-backed solutions would therefore likely come to the fore, with the insurance industry taking the leading role in enhancing the public-private partnership to tackle the issue of large cyber loss aggregations and ensure its sustainability.

A well-designed public-private partnership could increase risk-absorbing capacity, which takes some pressure off the private insurance market, and yet enable and encourage cyber market innovations to extend cover further for catastrophic cyber events and systemic cyber risks.⁶

Ultimately, some form of government backstop or public-private partnership to finance catastrophic cyber events and systemic cyber risks will likely be needed to ensure a sustainable private cyber insurance market and boost economy-wide resilience. This will be a complex task, but we expect the insurance industry will take the lead in driving this collaboration with governments.

This article is part of CyberSight 360 2022/23.

¹ "Cyber attacks set to become uninsurable, says Zurich chief". Financial Times. 26 December 2022.
² Systemic Cyber Risk: A Primer. Carnegie Endowment for International Peace. 7 March 2022.
³ Is Cyber Risk Systemic? AIG. February 2017.
⁴ Systemic Cyber Risk: A Primer (n2).
⁵ Croft, David. World's first cyber catastrophe bond launched by UK insurer. Cybersecurity Connect. 11 January 2023.
⁶ Insuring Hostile Cyber Activity: In search of sustainable solutions. The Geneva Association. January 2022.

Photo by Tom Parkes on Unsplash.