Cyber liability insurance premiums continued to climb by double digits in 2020, but the industrywide loss ratio grew at a faster pace, forcing underwriters to adjust coverage and hike rates to cover escalating costs from breaches and ransomware attacks.
Direct written premiums for stand-alone cyber policies climbed 28.6% in 2020 to $1.62 billion, according to an S&P Global Market Intelligence analysis. Axa SA and American International Group Inc. were the top writers of stand-alone coverage by some distance, though their approaches to premium growth for the year contrasted starkly. Axa increased its premium by more than 25%, while AIG's stand-alone cyber direct written premiums remained nearly unchanged compared to 2019.
Chubb Ltd. was the biggest writer of packaged cyber insurance based on direct written premiums, followed by CNA Financial Corp. in a distant second. CNA Financial was the victim of a cyber extortion attack in March that reportedly led the company to pay a hefty ransom.
The industry's loss ratio rose for the third straight year, climbing more than 25 percentage points year over year in 2020 to 72.8%.
Carriers in the market have been undertaking portfolio corrections to adjust for changing and emerging risks, such as the recent trend of more frequent ransomware attacks forcing escalating extortion payments, leading to more disjointedness in what had been a more normalized underwriting market, said Michelle Chia, head of professional liability and cyber for Zurich North America.
"The actions being taken by the various players vary quite substantially from one to the other when it comes to coverage and when it comes to appetite," Chia said in an interview.
For all the changes in the sector, one of the consistencies across the market has been the need for higher premium rates, Chia said. Zurich has remained relatively stable in its approach to the marketplace and does not anticipate significant coverage or appetite changes, she said.
Zurich's 2020 loss ratio for stand-alone cyber was 46.7%, significantly lower than the industry average and fourth best among the top writers in the sector. Chia credited the results to the company's work with cybersecurity technology partners.
Cowbell Cyber Inc. witnessed changes in the breach insurance marketplace during its first year in business, CEO Jack Kudale said in an interview. One of the major adjustments has been to either stop writing for public entities like schools and municipal governments, or else raise rates significantly.
Kudale said hackers have targeted public and nonprofit entities because they often have computer networks running on old systems, minimal cybersecurity and understaffed IT departments. Public organizations looking to obtain or renew coverage are facing fewer providers and tougher conditions at a price that in some cases doubled year over year, he added.
"It's either increase the premium, exit the class entirely or reduce the limit," the CEO said. "Where they used to offer $10 million in limit, it's now $5 million."
And yet demand for cyber coverage continues to grow, Kudale said, noting that more than half the customers to whom Cowbell Cyber sold policies in its small and midsized target market were first-time buyers.
In previous years, smaller companies had to purchase coverage for third-party contractual obligations in case hackers used them as gateways to bigger extortion targets. In recent years, even relatively small companies are making cyber insurance central to their strategic risk transfer, Kudale said.
Ransomware has become a threat to ever larger and more important hack targets, such as in the case of the Colonial Pipeline Co. breach that shut down gas delivery along the East Coast and set off panic buying that depleted and idled pumps, said Jeff Dennis, a partner at Newmeyer & Dillion LLP. As head of the privacy and data security practice, Dennis advises clients on cybersecurity, incident response, litigation and cyber insurance.
The Colonial Pipeline attack was one of the few ransomware incidents that affected the everyday lives of ordinary people, and it also brought to light the disruptive potential for attacks on infrastructure, Dennis said. Energy and infrastructure companies will need to examine their cybersecurity profile more carefully, and it will change the nature of cyber insurance, the Newmeyer & Dillion partner said.
"We're going to see premiums rise, deductibles increase, and coinsurance will become more prevalent," Dennis said.
Organizations will need a robust system of cybersecurity to even qualify for insurance, Dennis said, noting that underwriting has become far more rigorous about security controls and governance requirements.
"I would expect to see that continue to accelerate," Dennis said.