An increase in cyber-insurance claims in 2023, driven by a more active threat landscape, will likely mean that last year's price plateau in cyber-insurance premium costs will be short-lived, according to industry experts.
While premium costs fell by 6% in the third quarter of 2023 compared with the same quarter in 2022, ransomware- and privacy-related claims had already skyrocketed from the previous year, according to risk management consultancy Marsh. While it's unclear which direction insurance premiums will take in the next year, companies should expect cyber-insurance costs to rise in the next 12 to 24 months, says Roman Itskovich, chief risk officer and co-founder of At-Bay, a cyber-insurance and security startup.
"We've seen declines and average price to stabilize over the last couple of quarters," he says. "So at the very least, I think that pricing is going to stay stable. I think that over the next two years prices are going to increase. I just don't know when. I don't think anyone knows that."
The cost of cyber-insurance premiums typically lags changes in the threat landscape. In 2020 and 2021, for example, ransomware and other disruptive attacks surged, leading to significant costs for the insurance industry. On average, the industry saw its direct loss plus defense-and-cost containment (DCC) ratio — a measure of the costs of a portfolio of policies compared to its revenue — surge to 73% in 2020 and 68% in 2021, before dropping last year to 43%, according to data from FitchRatings.
When attacks surged, soon so did premium fees, more than doubling year-over-year by the fourth quarter of 2021, according to data from Marsh. Throughout 2022 and 2023, however, rate increases slowed and actually declined in second and third quarters of 2023, according to the latest quarterly Global Insurance Market Index report.
"Improvements in cybersecurity controls have led to a higher proportion of insureds not paying ransoms, [even though] they may still incur breach response expenses and business income losses to which cyber policies respond," Marsh stated in the report.
Pandemic, Ransomware Chaos Subsiding
In many ways, the chaotic cyber-insurance market originated with the coronavirus pandemic. Following an increase in cyberattacks during the pandemic, cyber-insurance claims surged, leading to a dramatic increase in pricing. While insurance companies are always on the lookout for systemic risks that could derail their markets, they failed to predict the pandemic and companies' shift to remote work and the cloud. That led, in turn, to an attractive opportunity for cyberattackers, says Alla Valente, a senior analyst with Forrester Research.
Those changes "broke" the cyber-insurance market, she says.
"Cyber-insurance policies used to be pretty easy to get, and they weren't that expensive, and ... everyone got a policy — they were like gift cards," she says. The pandemic changes "sort of broke supply and demand — many of these policies didn't make financial sense anymore."
The trend led to higher costs per $1 million in coverage, resulting in many companies opting for less coverage during a time of greater risk. In 2022, however, a variety of factors led to fewer ransomware claims and insurance costs leveled out, leading companies to pick up more coverage in 2023. Two-thirds of companies (65%) saw a decrease in cyber-insurance costs in the second half of 2023, according to a survey by independent insurance broker and consulting firm Woodruff Sawyer.
Yet, rather than a trend, 2022 was likely more of a temporary respite, says At-Bay's Itskovich.
"It's not that the number of attacks increased in 2023 versus 2022, but that '22 was abnormally low, and now we're back to the long-term trend," he says. "So if you compare '23 to '22, this is a year where [premium] prices were likely down, but attacker activity was significantly up, so it's been a more difficult year for insurers."
Cyber-Insurance Continues to Grow
Despite its growing pains, the cyber-insurance industry is only getting bigger, with the value of direct written premiums (DWPs) growing to $5.1 billion in 2023, an increase of 62% year-over-year, according to FitchRatings. While all insurers have tightened up their policies — clarifying the hostile/warlike act exclusions, for example — competition to satisfy businesses' risk needs has only grown, resulting in a softening of prices for coverage, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.
"What you're seeing right now — as the pricing has declined — I'd call a stabilization of cyber in 2024," he says. "We'll continue to see pricing moderate, I think it'll stabilize, and I think it'll reach levels where buyers will be far more willing to purchase than ever before."
For large enterprises, cyber insurance is widely seen as the cost of doing business. Cyber-insurance underwriting for smaller companies continues to be an area of potential growth, however. In 2022, the total dollar value of cyber-insurance premiums — including both standalone and packaged policies — surged by half to $7.2 billion, according to risk-rating agency A. M. Best, which noted that the number of direct premiums for cyber-insurance had tripled in three years.
With cyber incidents again on the rise, the industry expects the growth to continue, despite higher rates.