Cyber Market

A proper understanding and analysis of the complicated intra- and interconnected cyber risk value chain and the current hurdles and difficulties that challenge all involved industries is only possible if we analyze the economic incentives of its many stakeholders. The following market statistics summarize the most up to date information on cyber and the most important related industries.

Estimating the total economic damage that is caused by cyber is quite a challenge. While there are many reports out there, mostly by cyber security firms, that estimate the global cyber damages, often it is not revealed how the respective authors derived their results. The most comprehensive attempt to provide a scientific answer and, even more importantly, a framework to model cyber damages is . The authors differentiate between direct cyber damages, contained to the firm that is directly affected by a cyber incident, and the systematic cost of cyber risk that is caused to other actors of the economy, e.g. the damage a manufacturer suffers that is unable to produce the optimal output because one of its suppliers is unable to provide sufficient raw materials due to a cyber attack. Besides the academic paper on the topic, they also provide the Cyber Risk Calculator Excel-Tool () that is used as the basis of calculation.

Global Cyber Damage Estimates ()

The estimated global costs of cyber risk returned by the tool are sensitive towards the chosen input parameters. More Information on the basic. Based on a study that analyzed the cyber exposure and perils of the Dutch Economy by (), the estimate for the global total cyber damages in 2019 is about $800 Bn, with the indirect damages caused by cyber being about twice as high as the direct cost.

Besides the estimated averages, also provides the yearly damage functions for 63 countries. The following graph shows the estimated loss curve of the US economy in 2020, based on the same Dutch Economy exposure and peril estimates, which faces an average loss of $440 Bn due to cyber. The worst case loss in the model for the US economy is close to $800 Bn, a little less than twice the average expected losses.

Cyber Damage Distribution of the US in 2020 (, based on )

According to , the global spending on cyber security in 2019 was $121 Bn, of which about 50% were spend on cyber security services and about 25% on the protection of infrastructure and the network. While Covid-19 has taken a toll on the growth of the cyber security industry, Gartner predicts the market to grow by 2.4%, to a total turnover of $123.8 Bn by the end of 2020.

Global Cyber Security Spending (, )

Estimating the global premiums for affirmative cyber insurance is a non-trivial undertaking. The current best estimate for the global gross cyber premiums is, as reported by under the umbrella of the Cyrim Project, that estimates the global gross written premiums (GWP) for 2019 at $6.4 bn. These are estimates based in part on the reported numbers of the US Market, the by far biggest market for cyber insurance.

For the US cyber insurance market, and provide data that is based on the current NAIC supplement requests that carriers have to annually file with their state regulatory agency. However, while insurance policies are naturally better documented than, for example, cyber damages or even the global cyber security spendings, the different approaches to underwriting cyber and the different regulatory regimes around the world prevent an exact answer. While these fillings are still an invaluable source for all stakeholders of the cyber risk value chain, the authors of note, that they only give a partial picture of the market. The incompleteness of the data is caused by three main effects: (1.) The two fundamental types of underwriting cyber by carriers, either as a package (Add-on) to an existing P&C policy or on a standalone basis, where especially the break out of the cyber package portion of the total premium of an overall policy is difficult with 8% of carriers stating that they are “completely unable” to attribute the premium share of cyber, (2.) non-US or alien surplus lines insurers in many cases not being obligated to fill their cyber underwriting with the local state authority (a good summary of the classification of carriers on the US state level can be found here), and (3.) the US cyber risks that are completely underwritten outside the US, for example, at Lloyd’s in London. Even with these restrictions, the analysis of the NAIC filings of in 2019 192 filling US carriers is the best source of current market data for the USA and serves also as one of the best proxies to estimate the global cyber premiums.

US Cyber Gross Written Premiums ()

The premiums reported by the NAIC supplement in 2019 amount to $2.26 bn, with standalone amounting to $1.11 bn and package deals to $0.92 bn.  In addition to the current data, the following table provides an overview of older reports, where projections are marked by an asterisk * and (NAIC) marks sources that are based on NAIC filings, which, as discussed above, only give a partial picture of the total US premiums. The actual total US cyber insurance premiums are likely higher, somewhere around $3 to $4 bn in 2019. For a closer examination of the performance of the US Market, see the box below.

Source2011201220132014201520162017201820192020
(NAIC)1.01.351.82.032.26
(NAIC)1.01.351.82.03
(NAIC)1.01.351.82.03
2.56.1*
0.50.70.91.21.51.95*2.5*3.3*4.3*5.6*

Besides the written premiums, the 192 US insurance carriers that filed the NAIC Cyber Supplement in 2019 additionally provided various KPIs on the overall performance of their cyber line of business. Based on the NAIC filings, AON (The 3 most recent reports are , , and ) tracks the combined ratio, which is the most important indicator for the profitability of the core underwriting business of any insurance carrier or one of its lines of business, for the US cyber market since 2017. The combined ratio is the sum of the loss ratio, which are the costs by handling claims and to defend the insured party against unjustified claims from third parties and the expense ratio, which measures the administrative and other operating expenses, such as fees for brokers, that are incurred during the sales and underwriting process. All three ratios are calculated as a percentage of the gross written premiums written, with lower ratios resulting in a better overall result. A combined ratio of 0.8, for example, means that for every dollar of written premiums 80 cent were incurred in costs to the respective portfolio, resulting in a net profit of 20%.

US Cyber Combined Ratios ()

While the loss ratio is fluctuating between 0.32 and almost 0.44 (see the box below for more detailed analysis of the claims side), the expense ratio from 2017 to 2019 stayed almost constant between 29 to 30%. Still, even in the least profitable reported year 2019 and despite the general trend of escalating loss ratios is of course worrying, cyber was an especially lucrative line of business for US insurers. Even with a combined ratio of 74.5 in 2019, a profit of 25.5% of GWP, cyber was still heavily outperforming the overall property and casualty (P&C) US insurance market, that according to , had an overall combined ratio of 0.99 in 2018, indicating a meager profit of 1% of premiums taken in. Seeing these numbers, it is easy to understand why insurers are so eager to enter the cyber market and why competition is so fierce: It is a highly profitable line of business in a fast growing market.

In terms of market concentration, gives excellent insights into the current US cyber insurance market and we advise any interested party to read it in its entirety. The Top 5 cyber insurers in the US, Chubb, Axa, AIG, Travelers Group, and Beazley had in 2018 a market share of 52%, writing 62% of direct policies and 34% of package cyber policies. The report also reveals the different strategic approaches of the insurance carriers: While the Hartford Insurance Group, for example,  has with 510,000 Policies by far the most cyber policies in force (2nd: Liberty Mutual Insurance Group with 210k), it ranks with directly written premiums of $43.6 Mil only as 13th in terms of premium volume. The low average premium of $85.5 of the Hartfords Insurance Group is due to it underwriting predominantly (91.9%) package deals. AXA and AIG on the other hand, the number two and three in terms of market share after portfolio size, write 99.9% of their reported premiums in standalone policies, which leads to significantly higher average premiums. In total, there are more than 2.9 Mil reported cyber policies in the US in force in the beginning of 2019, a number which has steeply risen in the last two years (2017: 2,08 Mil, 2018: 2,58 Mil). The market penetration of cyber is apparently accelerating and it is likely that with it, the competition between insurance carriers will further increase.

The US cyber market reports of AON (The 3 most recent reports are , , and ) and also analyze the claims statistics of the NAIC fillings. While AON records the expense rate, which is also necessary to calculate the combined ratio, only since 2017, the overall loss ratio of the US carriers that filled the NAIC supplement has been tracked since 2015 and is shown below.

US Cyber Loss Ratios (, )

While the loss ratios of the US carriers reporting varied by as much as 0.15, even in the most costly year in terms of losses,  2016, under the assumption of an expense ratio similar to the one reported from 2017 to 2019 of around 0.3, the US cyber carriers still made a handy profit with an overall combined ratio of 0.78. So, while there is variation and fears of a cyber catastrophe event, especially on the reinsurance side, that would likely lead to a sharp increase in claims, the reported losses by cyber insurance in the US were so far always manageable and, one might argue, better than what was expected.

18,125 cyber claims were reported in the 2019 NAIC fillings and analyzed by . The claims for first party losses outweighed third party claims almost two to one (12,2k to 6,5k). A very noteworthy detail is the claims rate per 1,000 policies, which for standalone cyber policies was  61.5, but only 2.4 for package policies. The authors think that this might be partially explained by the broad definition of “package policy”, which might be a small add-on to an existing business owner policies of a small firm up to the sizeable cyber part of a blended cyber and errors and omissions policy.

provides the individual loss ratios for standalone cyber insurance of the top 20 US carriers for 2016 to 2018. In 2018, the loss ratios ranged from 0.83 (Berkshire Hathaway) down to 0.016 (Axis). If we assume an expense ratio of 0.3, out of the Top 20 cyber insurers, only Berkshire Hathaway had a net underwriting loss in its standalone cyber portfolio in 2018. It will be interesting to see how the disparity in underwriting results will influence the appetite of carriers.

A great hurdle and growing concern for insurance carriers is silent cyber or non-affirmative cyber. In contrast to all affirmative cyber policies, that explicitly provide protection against cyber incidents and their related causes, silent cyber describes the exposure of insurers to cyber damages in traditional property and casualty lines of business. A property example of a silent cyber claim is a fire that was started after a hacker manipulated the temperatures of a blast furnace in a steel mill or the loss of a week’s production of a food manufacturer because a ransomware attack has disrupted the cold chain by disabling the refrigerators. While these claims are essentially based and a direct consequence of a cyber incident, and would likely be covered by many affirmative cyber policies, they might be also be covered within an existing fire or loss of production insurance. This means that every P&C carrier is already incurring cyber related losses, even though it might not even be offering affirmative cyber coverage.

The best available information on silent cyber is , an annual survey since 2017 in which in 2019 600 industry practitioners and experts gave their assessment of the exposure of  insurance lines of business and industry sectors to silent cyber. While it is hard to come up with an estimate for the total damages that are caused by silent cyber, the claims paid out in the wake of the ransomware attack by NotPetya in 2017 shows the severity of problem: While the insurance industry paid out in total $3.15 Trillion to affected companies, 90% of this sum came from traditional, non-cyber policies, as reported by . As the global P&C premiums are between $3 and $4 Trillion, even an average additional loss of 0.2% of GWP  due to in the premium calculation unaccounted silent cyber risks, is enough to match the current global affirmative cyber premiums. It is, therefore, likely that the current silent cyber damages are ecplising the losses incurred by affirmative cyber.

Header text

Header text

References

AIR. 2019. “Silent Cyber Can Impact 8 Insurance Policy Families.” AIRWorldwide. https://www.air-worldwide.com/blog/posts/2019/12/silent-cyber-can-impact-8-insurance-policy-families/ (July 24, 2020).
AM Best. 2019. Best’s Market Segment Report: Cyber Insurers Are Profitable Today , but Wary of Tomorrow ’ s Risks. https://reaction.ambest.com/reaction/emsdocuments/Special%20Reports/2019/2019.06_Cyber_Insurance_Report.pdf.
AON. 2018. US Cyber Market Update - 2017 US Cyber Insurance Profits and Performance. http://thoughtleadership.aonbenfield.com/Documents/201807-us-cyber-market-update.pdf.
AON. 2019. US Cyber Market Update - 2018 US Cyber Insurance Profits and Performance. http://thoughtleadership.aon.com/Documents/201906-us-cyber-market-update.pdf.
Cambridge Centre for Risk Studies, Lloyd’s of London, and Nanyang Technological University. 2019. Bashe Attack: Global Infection by Contagious Malware. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/bashe-attack.
Deloitte. 2016. “Cyber Value at Risk in the Netherlands.” https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-cyber-value-at-risk.pdf (February 7, 2020).
Dreyer, Paul. 2018. Estimating the Global Cost of Cyber Risk Calculator. RAND Corporation. https://www.rand.org/pubs/tools/TL281.html (February 2, 2020).
Dreyer, Paul et al. 2018. Estimating the Global Cost of Cyber Risk: Methodology and Examples. RAND Corporation. https://www.rand.org/pubs/research_reports/RR2299.html (December 17, 2019).
Fitch Ratings. 2021. “Sharply Rising Cyber Insurance Claims Signal Further Risk Challenges.” https://www.fitchratings.com/research/insurance/sharply-rising-cyber-insurance-claims-signal-further-risk-challenges-15-04-2021 (April 16, 2021).
Gartner. 2020. “Gartner Forecasts Worldwide Security and Risk Management Spending Growth to Slow but Remain Positive in 2020.” Gartner. https://www.gartner.com/en/newsroom/press-releases/2020-06-17-gartner-forecasts-worldwide-security-and-risk-managem (June 24, 2020).
Statista - The Statistics Portal. 2020. “Combined Ratio of P&C Insurance Industry U.S. 2014-2019.” Statista. https://www.statista.com/statistics/1054332/combined-ratio-property-and-casualty-usa/ (July 23, 2020).
Willis Towers Watson. 2019. “Quarterly InsurTech Briefing Q4 2018.” Willis Towers Watson. https://www.willistowerswatson.com/en-SE/Insights/2019/02/quarterly-insurtech-briefing-q4-2018 (July 7, 2020).