The cybersecurity insurance market is experiencing rapid growth, with estimates projecting a rise from $13 billion in 2022 to approximately $84 billion in 2030, representing a compound annual growth rate (CAGR) of 26%. However, insurers are facing challenges in quantifying the potential risks associated with offering this type of insurance.
The traditional actuarial models used by insurers do not apply well to an environment where highly motivated, creative, and intelligent attackers continuously evolve their tactics to cause insurable events. Accurately estimating losses is crucial for determining customer premiums, but even after two decades, loss ratios still vary widely between insurers, ranging from -0.5% to 130.6%. Inadequate underwriting processes hinder insurers’ ability to accurately assess losses and price reasonable premiums.
The insurance industry’s struggle with quantifying cybersecurity risks stems from the nature of the threat itself. Cyber attackers constantly escalate and adapt their techniques, which undermines the history-based models on which insurance companies rely. Attackers swiftly shift their focus, identifying new victims, causing greater losses, and rapidly moving to exploit new areas of vulnerability.
Previously, denial-of-service attacks were a popular tactic, but data breaches have gained prominence due to the magnitude of the damage they cause. In recent years, attackers have further expanded their repertoire to include ransomware-style attacks, resulting in even higher insurable losses. Predicting the key metrics that actuarial modelers depend on, such as Annual Loss Expectancy and Annual Rate of Occurrence, with a high degree of accuracy exceeds insurers’ current capabilities.
While the industry conducts assessments for new clients to understand their cybersecurity posture and determine insurability, these assessment methods are rudimentary and fail to deliver the predictive accuracy needed. The volatile loss ratios experienced by insurance firms create a sense of uncertainty and unease within the industry. Insurers ideally aim for a 70% loss ratio to cover their payouts and expenses, but according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve this desired loss ratio.
In response to the challenges associated with predicting claims, insurers have been forced to raise premiums to cover the risk gap. Premium renewals in Q4 2021 saw an astonishing 34% increase, and this trend continued with an additional 15% rise in Q4 2022. The concern now is that these escalating premiums may price many customers out of the market, leaving them without a means to transfer their cyber risks. Furthermore, insurers risk undermining the potential for market growth by making their products prohibitively expensive. Additionally, upper limits for insurability and various exception clauses are being introduced, further diminishing the overall value proposition for customers.
To address these challenges, the industry needs better tools to predict cyber attacks and estimate losses. The current army of insurance actuaries has not delivered the necessary accuracy, but there is hope. It lies in the cyber risk community, which seeks to manage ambiguous and chaotic risks by avoiding and minimizing losses. By applying best practices from the cybersecurity field, insurers can identify the most relevant aspects of defensive postures (such as technology, behaviors, and processes) and understand the relevant threat actors (including targets, capabilities, and methods) to accurately determine residual risks.
The ultimate goal is to develop a unified standard for qualifying for cyber insurance that can adapt to the rapidly changing cyber landscape. More accurate methodologies will improve assessments and reduce insurers’ ambiguity, enabling them to competitively price their offerings. In the future, calculations for cyber insurance should be continuous, showcasing the benefits companies can derive from effectively managing security in alignment with evolving threats. This approach would ultimately lead to a reduction in overall premium costs.
The next generation of cyber insurance is expected to emerge based on new risk analysis methodologies that offer greater accuracy and sustain the mutual benefits provided by the insurance industry. By leveraging insights from the cybersecurity community, insurers can enhance their underwriting processes and improve their ability to quantify cyber risks, ultimately benefiting both insurers and policyholders.

