The Betterley Report:The annual volume of cyber risk premiums is around $3.25 billion, up about 18% from last year

09/10/2016 19:16

Annual premium volume information about the U.S. cyber-risk market is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium may be as much as $3.25 billion (up from $2.75 billion in last year’s report). 

 

The industry is divided by size (gross written premium) as follows: 

■ A limited number of very large writers, with premiums in excess of $100 million 

■ Several insurers in the $50–$100 million range 

■ Several more in the $25–$50 million range 

■ Numerous insurers and managing general underwriters writing $10–$25 million

■ Several writing in the $5–$10 million and $1–$5 million ranges 

 

This year we had very good reporting by insurers, with 18 providing sufficient detail to allow us to provide good insight into market trends. The insureds are clearly divided into those organizations troubled by lots of breaches (larger organizations as well as retail, healthcare, and educational institutions) and the rest, who so far have not experienced frequent breaches. 

We expect the public sector to join the “troubled” group shortly if it has not already. As has been the case for years, financial in-stitutions constitute a separate group that is underwritten separately. 

 

As for growth in premium writings reported (compared to last year’s report): 

■ No insurers reported negative growth; in this market, if they had, it would have been shocking; 

■ 2 carriers reported growth in the 1–10 percent range; 

■ 5 between 11–25 percent;

■ 4 between 26–50 percent;

■ 3 from 51–100 percent; and

■ 2 (both new entrants) more than 101 percent. 

 

Large rates of growth seemed to be found in all sizes of insurers (by size, we are referring to the amount of cyber-premium that insurer is writing). This is really impressive, considering that many insurers report surprisingly vigorous rate competition. 

 

The above information is from confidential sources and is intentionally generalized. 

We think that this market has nowhere to go but up— as long as insurers can still write at a profit. The proliferation of data breaches and the increasing sensitivity of the public to protection of their private data surely means increasing levels of claims. 

 

Perhaps offsetting this increase in claims will be the opportunity to respond to breaches more cost effectively, as insurers negotiate lower response costs, and law firms get more competitive in their pricing. Higher retentions will definitely help, and in some cases, so will reduced breach response limits, as we see both increasingly being forced on retail and healthcare insureds. 

 

Insurers are responding to the staggeringly large number of breaches by using more precise underwriting tools, offering improved risk management services and, in a few cases, apparently laying off more risk to the reinsurance market. Several of our responding carriers have indicated more interest by reinsurers in supporting cyber-insurance products, a welcoming trend. 

 

An exception to the ready availability of the various cyber-coverages is the portion of the policy that covers Payment Card Industry (PCI) fines and penalties. For insureds that are not compliant with PCI standards, coverage is becoming increasingly hard to find. Even when insureds have a project underway to become compliant, insurers are reluctant to offer coverage pending completion. 

 

In the past, insurers would allow an insured a window of time during which they could implement their compliance effort. Now, it is much more likely that the carrier will refuse to provide coverage until that effort is complete and tested. 

 

Privacy coverage is clearly driving the market; cyber-risk seminars and conferences are packed with prospective customers, insurers, brokers, and attorneys interested in privacy risk, coverage, and services. Interest is translating into purchases, which we (and many others) have been predicting. Management may still be thinking “it can’t happen here,” but as more events occur that would be covered, more cyber-risk insurance is being bought. 

 

Data breaches continue at a disturbingly frequent rate. We are unsure if this is a result of increased reporting (breaches happened before but were not disclosed) or increased activity by, and effectiveness of, hackers, but it is having an impact on the insurance market. 

 

Download the Report

 

Back