Cyber has been hailed as the re/insurance shooting star with the potential to more than double in size by 2020 – nothing brings more promise to the industry then this emerging market space. Although growth so far has stemmed mostly from the U.S. cyber market, RBC said in a recent report that macroeconomic factors such as increasing global awareness and regulation will soon see other established markets follow suit.
In coming years increased regulation and ensuing re/insurance penetration growth is expected to impact the still nascent markets of Europe, Canada, and Australia as within both the public and private sectors the real cyber risks to business emerges from under the iceberg tip.
Last year, the cyber market was estimated to be at around $3.25bn in premiums, according to a Betterley Report quoted by RBC – this represents a 24% CAGR growth from 2005-16 and 38% in the last three years (2013-16), and this already attractive figure, analysts say, could double in just three years.
At the moment cyber industry growth is led by the U.S., which represents around 90% of total global cyber premiums, however, RBC said “both increasing regulation and increasing cyber insurance penetration will be key factors in the future development of this market.”
While the U.S.’ cyber growth has been spurred on by increased awareness and scrutiny of data breaches across sectors, Europe and other regions are gearing up for major changes along these lines.
In May 2018, the General Data Protection Regulation comes into effect, RBC said this should “see the nascent European market grow rapidly from a low premium base (c€200m 2016) as companies in violation of this new regulation will be subject to fines for breaches.”
Canada and Australia are also set to make data breach reporting mandatory – this could massively upscale demand for cyber re/insurance in these regions as firm’s look for protection against growing costs to business.
Skyrocketing cost of claims within the still new cyber realm have often been a concern for the industry, due to the unpredictable nature of the risk, however, the RBC report shows the sector’s maintained impressive rates of above average profitability despite claims costs increasing.
“According to Aon Benfield, the combined ratio for cyber insurance business written in the US was 77.2% (excluding extreme outliers) in 2016, up from the 72.8% seen in 2015.
“The report also highlights that total costs per breach have been increasing year on year with a 7% increase in the US.
“Despite this reduction in underwriting profitability, combined ratios in the class are still far stronger than the US P&C market which posted a 99.5% combined ratio in 2016, according to the Insurance Information Institute. We expect that there will be high levels of conservatism built into reserves at present, so profitability could be even stronger in this class,” said RBC.
The market share so far has been dominated by U.S.- based insurers, with current key players in cyber insurance described by RBC as AIG, ACE, Axis, Beazley, Chubb and XL.
Within Europe, its Beazley – with its Munich Re partnership – that’s seen by RBC as being well placed to take on more of the cyber market, boasting a 12% cyber share of last year’s total premiums.
Insurer Novae also stands out with a 6% cyber premium base and plans laid for further cyber growth.
However, along with this very promising outlook for re/insurers focusing on cyber risk, comes a word of caution on underwriting policy.
RBC advises re/insurers to carefully examine policy wording, due to the high interconnectivity of cyber risk; “managing the aggregation of risks is key as the interconnectivity of systems and devices could lead to a large industry loss event if one critical provider were hit. For now, there is work being conducted by the industry and other players to look at this risk, so we see clear wording and policy exclusions as being key to minimising this risk.”
The real danger, analysts say, lies in so-called “silent insurance cover”; “Unless cyber incidents are specifically excluded, the insured may have cover via silent exposures which lack explicit exclusions.
“The insured may also have covered through silent cyber exposure in ‘All risks’ policies without explicit exclusions or gaps in the current exclusion wording which means that cyber liability exposure could slip in.
“The key exclusion used to tackle cyber is CL380 (The Institute Cyber Attack Exclusion Clause).
“This clause is long-established and was initially brought in to cover the potential from losses prior to Y2K. In addition, there are a number of other exclusions that also relate to cyber as a peril.”
And as re/insurers become more aware of the need for careful policy wording and rehash policies and products to protect against silent cover risk, RBC says, these exclusions “in other classes of business are expected to lead to a surge in standalone cyber insurance policies.
“We expect that growth in the cyber insurance market will continue at a rapid pace, and estimate market growth range from 20-40% per annum until 2020.”