Ransomware shouldn’t be an existential threat to the cyber insurance sector, thanks to a combination of policyholder education, the provision of services to reduce claim values, and policy rate adjustments, S&P Global Ratings says.
Yet making a steady profit from cyber will remain challenging for insurers, S&P believes, underscored by the worse-than-expected results from insurers’ cyber operations in 2021.
These poor results led to increased hesitancy to underwrite larger risks and to some insurers reducing their risk appetite. That caution, and the resultant shift in underwriting strategies, has been exacerbated by the Russia-Ukraine conflict, and concerns that it could lead to an uptick in cyber-attacks, even if that has not materialised yet.
It has become common for insurers to decline requests for cyber cover if a potential policyholder lacks comprehensive IT system back-ups, endpoint detection technology, a protocol that ensures ongoing patching of IT systems, defined cyber-attack response measures, or multifactor authentication.
S&P says it believes that insurers that understand their clients’ business models, and marry that with an ability to analyse evolving threats, will be better able to help policyholders develop protective measures and resilience.
That is likely to prove a competitive advantage in attracting new business, and in avoiding so-called “silent cyber” risk.
“The road to improved underwriting of cyber insurance will be signposted by clear and precise policy wording that mitigates evolving risks. The big challenge for reinsurers in developing this wording lies in the need for continual reassessment of shifting risk exposures, which necessitates dynamic contract conditions and coverage concepts – both of which are likely to be enduring characteristics of the cyber insurance industry.”