The cyber insurance market – caught between the doomsayers and the optimists

There is no single market for cyber insurance. Rather, depending on the size of the company, it can be divided into at least two to three segments. The small business (SME) segment can be characterised by portfolio underwriting. It includes a host of insurers, some with only limited experience of cyber risks, all jostling for position. In contrast, the big business segment is home to a more manageable number of leading insurers.

The industrial cyber insurance segment has also seen the biggest market growth, in part due to the fact that customer premium levels have always enabled insurers to cover their underwriting costs. The industrial segment was also the first to see demand for cyber insurance. That aside, the more rapid growth in this market can be attributed to a change in the business models of cyber criminals, who since 2019 have moved away from automated mass attacks, focussing instead on the targeted blackmailing of large companies (e.g. advanced persistent threats APTs and double extortion ransomware). As a result of these activities, insurers are frequently encountering six-to-eight-figure losses (in euros).

This change in cyber-criminal activity presented a steep learning curve for insurers in 2020 and 2021, resulting in dramatic hikes in premiums, the introduction of limits on certain cover, and much more robust underwriting focused on the quality of the risks involved. Even today, we still see these insecurities in headlines such as "Zurich CEO: Cyber attacks are becoming “uninsurable”," even though there is no basis for this. What is true is that certain aspects of cyber security, such as state sponsored hackers or systemic risks, can no longer be insured with blanket, one-size-fits-all policies.

The high loss ratios seen in 2020 and 2021 dropped significantly in 2022. Since the final quarter of 2022, the London market, for example, has become much more appealing to underwriters, in particular for excess liability insurance. The most recent round of policy renewals on 1st January 2023 has also already shown that, with the right preparation and risk information, it is possible to extend cover, or even start new cover, for good-quality risks at acceptable terms.

As new carriers enter the German market, we are anticipating that in 2023 companies with well-established IT/cyber security will need to plan for moderate price increases as necessary. Increasingly important, however, is the fact that risks should be properly prepared and assessed prior to any tender. That’s why Aon in Germany has invested in corresponding technical cyber know-how and has set up is own non-insurance division in order to be able to offer its customers holistic support – from the initial analysis of technical and organisational measures right through to risk transfer.

Thomas Pache

Head of Cyber Solutions | D-A-CH