Aggregation risk makes carriers cautious in growing cyber market

The growth of the cyber insurance market will be a hot topic in Monte Carlo again this year, as carriers eye robust opportunities to grow in this fast-emerging business line. But worries about how well the industry can truly measure and price cyber risk remain a reason many also remain cautious about overcommitting.

Topping the list of industry concerns is aggregation risk, a threat that “continues to hang over the market” according to Howden’s 2024 Cyber Report, published in June. The threat of aggregation risk has been driven by concerns around spillovers from state-sponsored malware attacks due to enhanced malware generation capabilities and an over-reliance on a small number of software and payment and administration platforms.

“The risk of and uncertainty around aggregation continues to impede capital inflows and temper risk appetite,” Howden’s report states. This uncertainty is driven by the chance of a large-scale event resulting in cloud outages, disrupted global payment platforms or compromised software that underpins global digital systems, posing a risk to the market and broader economies, said Howden. 

But it added that loss data to date shows that the most pervasive threat comes from targeted (and lower level) attacks carried out by criminal gangs, rather than state actors.

Growing risk diversity

Despite these concerns, the sector continues to grow. The global cyber insurance market reached $14 billion in gross written premiums in 2023, according to Munich Re’s report “Cyber: Risks and Trends 2024” published in April. And it is forecast to continue to grow rapidly, to as much as $29 billion by 2027.

Globally, cyber insurance was underwritten by almost 300 insurer groups on a direct basis as of the end of 2023, said market consultant Insuramore in a cyber report published in July. It estimated that the gross direct premiums written (GDPW) for cyber insurance globally reached just over $15.7 billion in 2023. The market is dominated by US insurers, which account for over half the total, while underwriters operating in Bermuda and at Lloyd’s also write significant lines of business.

“There is a long tail of insurers with small books of cyber insurance activity.”

Insuramore noted that the top 20 groups for that class account for 64.9 percent of premiums worldwide and the top 50, 89.6 percent. These figures are down from a respective 70.3 percent and 92.3 percent in 2022. The market leader in cyber underwriting in 2023 was Beazley with over $1 billion in GDPW, followed in descending order by Chubb, Munich Re, AXA and Fairfax Financial Holdings. 

Despite the major players dominating the market, there is a long tail of insurers with small books of cyber insurance activity. Therefore, the mean GDPW per group sits at $53 million but the median lies at only $3.3 million, reported Insuramore.

The leading growth driver for the market continues to be digital transformation and technological advances, according to Munich Re’s report. However, with such a steep projected expansion comes increased threat levels in the cyber market, marking the importance of cyber insurance as a component of cybersecurity risk management. 

Munich Re stated that cyber attacks are increasing in frequency and sophistication, leading to greater financial repercussions and stricter regulations. 

The rise in attacks

According to Howden’s 2024 cyber report, cyber is considered to be the top global risk in this year’s Allianz Risk Barometer (Figure 1). The areas of most concern in the cyber market are led by data breaches (59 percent), followed by attacks on critical infrastructure and physical assets (53 percent) and the increase in ransomware attacks (53 percent), claimed Howden.

Cyber risks have continued to increase, driven by technological advances such as generative artificial intelligence and cloud technology. Furthermore, the sophistication of cyber criminals and tense geopolitical situations are shaping the cyber threat landscape, according to Munich Re.

However, experts and authorities face challenges in compiling adequate statistics on cybercrime and the data probably represents a small proportion of total cybercrime, claimed Munich Re. For example, the German Federal Criminal Police Office estimated that up to 91.5 percent of criminal cyber incidents go unreported and German data gatherer Statista forecast that the annual global cost of cybercrime will reach $13.8 trillion by 2028, an increase from $8.15 trillion in 2023, according to Munich Re.

Ransomware was reported to be the leading cause of cyber insurance losses, according to Munich Re. Howden reported that in 2023 there was splintering of ransomware groups, increased collaboration between hackers and tacit support from hostile governments. These trends have sustained the heightened threat, with data from NCC Group showing attacks increasing by 85 percent in 2023, relative to 2022, and by 30 percent from Q1 in 2023 to Q1 in 2024.

Ransomware frequency tells only part of the story from a loss perspective, claimed Howden. The severity of an attack primarily comprises downtime costs, ransom payments and other expenses. Those can be more challenging to measure, particularly when factoring in intangible impacts such as reputational damage, reported Howden. 

The increasing prevalence of double and even triple extortion has undermined the assumption that paying a ransom will put a stop to the hack, claimed Howden.

Other costly attack vectors were business email compromise (BEC) and supply chain attacks. Between 2021 and 2023, BEC case numbers doubled and caused $3 billion in losses, affecting 22,000 victims globally, according to Verizon and Symantec. There were twice as many software supply chain attacks in 2023 compared to the previous three years combined. In 2023, software supply chain attacks cost businesses $45.8 billion to address 245,000 supply chain incidents, reported Juniper Research. 

For 2024 and beyond, Munich Re expects an increase in BCC and BEC attacks. These will deceive people within companies into performing harmful actions, such as making unauthorised payments or sharing sensitive data. Munich Re claimed BEC is a top attack vector, as it is easy to carry out and requires minimal technical knowledge while reaping high rewards. BEC and BCC attacks cause high financial losses and lead to an erosion of trust and reputational damage, claimed Munich Re.

More than risk transfer 

For insurers, it is not all about simply absorbing risk and paying claims. In the digitised global economy, insurers contribute significantly when protecting businesses against cyber risks, as the insurance industry has an understanding of the threat landscape and knowledge of the limits of insurability, said Munich Re. 

Thomas Blunck, chief executive officer, reinsurance, Munich Re, said: “There is still too high a proportion of uninsured cyber risks. According to our current global cyber survey, 87 percent of managers surveyed state that their company is not adequately protected against cyber risks. 

“Risk awareness and demand will continue to rise, against the backdrop of a rapidly growing threat from aggressive cyber criminals, new technologies and dependencies, as well as geopolitical crises.”

“Munich Re predicts ransomware to continue to be the dominant risk and loss driver.”

Looking to the future, companies should focus on meeting increasing demand and managing dynamic risk exposures, while ensuring the sustainable insurability of cyber risks and market functionality, reported Munich Re. 

In terms of threats to the industry, Munich Re predicts ransomware to continue to be the dominant risk and loss driver for cyber insurance, driven by advances in applied technological progress and tactics. These advances will likely result in a more complex and damaging ransomware landscape, where more and stronger ransomware groups will shorten their dwell times, reported Munich Re. 

For more news from the Rendez-Vous de Septembre (RVS) click here.

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.