Cyber Market

A proper understanding and analysis of the complicated intra- and interconnected cyber risk value chain and the current hurdles and difficulties that challenge all involved industries is only possible if we analyze the economic incentives of its many stakeholders. The following market statistics summarize the most up to date information on cyber and the most important related industries.

Estimating the total economic damage that is caused by cyber is quite a challenge. While there are many reports out there, mostly by cyber security firms, that estimate the global cyber damages, often it is not revealed how the respective authors derived their results. The most comprehensive attempt to provide a scientific answer and, even more importantly, a framework to model cyber damages is . The authors differentiate between direct cyber damages, contained to the firm that is directly affected by a cyber incident, and the systematic cost of cyber risk that is caused to other actors of the economy, e.g. the damage a manufacturer suffers that is unable to produce the optimal output because one of its suppliers is unable to provide sufficient raw materials due to a cyber attack. Besides the academic paper on the topic, they also provide the Cyber Risk Calculator Excel-Tool () that is used as the basis of calculation.

Global Cyber Damage Estimates ()

The estimated global costs of cyber risk returned by the tool are sensitive to the chosen input parameters. More Information on the basics. Based on a study that analyzed the cyber exposure and perils of the Dutch Economy by (), the estimate for the global total cyber damages in 2019 is about $800 bn, with the indirect damages caused by cyber being about twice as high as the direct cost.

Besides the estimated averages, also provides the yearly damage functions for 63 countries. The following graph shows the estimated loss curve of the US economy in 2020, based on the same Dutch Economy exposure and peril estimates, which faces an average loss of $440 bn due to cyber. The worst-case loss in the model for the US economy is close to $800 bn, a little less than twice the average expected loss.

Cyber Damage Distribution of the US in 2020 (, based on )

According to , the global spending on cyber security in 2019 was $121 bn, of which about 50% was spent on cyber security services and about 25% on the protection of infrastructure and the network. While Covid-19 has taken a toll on the growth of the cyber security industry, Gartner predicts the market to grow by 2.4%, to reach total turnover of $123.8 bn by the end of 2020.

Global Cyber Security Spending (, )

Estimating the global premiums for affirmative cyber insurance is a non-trivial undertaking. The under the umbrella of the Cyrim Project, that estimates the global gross written premiums (GWP) for 2019 at $6.4 bn. These are estimates based partly on the US Market’s reported numbers, the largest of cyber insurance.

For the US cyber insurance market, and provide data based on the current NAIC supplement requests that carriers have to file with their state regulatory agency. However, while insurance policies are naturally better documented, for example, cyber damages or even the global cyber security spendings, the different approaches to underwriting cyber and the different regulatory regimes around the world prevent an exact answer. While these fillings are still an invaluable source for all stakeholders of the cyber risk value chain, the authors of note, that they only give a partial picture of the market. The incompleteness of the data is caused by three main effects: (1.) The two fundamental types of underwriting cyber by carriers, either as a package (Add-on) to an existing P&C policy or on a standalone basis, where especially the break out of the cyber package portion of the total premium of an overall policy is difficult to ascertain, with 8% of carriers stating that they are “completely unable” to attribute the premium share of cyber. (2.) Non-US or alien surplus lines insurers in many cases are not being obligated to fill their cyber underwriting with the local state authority (a good summary of the classification of carriers on the US state level can be found here), and (3.) The US cyber risks completely underwritten outside the US, for example, at Lloyd’s in London. Even with these restrictions, the analysis of the NAIC filings of in 2019 192 filling US carriers is the best source of current market data for the USA and serves also as one of the best proxies to estimate the global cyber premiums.

US Cyber Gross Written Premiums ()

The premiums reported by the NAIC supplement in 2019 amount to $2.26 bn, with standalone amounting to $1.11 bn and package deals amounting to $0.92 bn.  In addition to the current data, the following table provides an overview of older reports, where projections are marked by an asterisk * and (NAIC) marks sources that are based on NAIC filings, which, as discussed above, only give a partial picture of the total US premiums. The actual total US cyber insurance premiums are likely higher, somewhere around $3 to $4 bn in 2019. For a closer examination of the performance of the US Market, see the box below.

[table id=2 /]

Besides the written premiums, the 192 US insurance carriers that filed the NAIC Cyber Supplement in 2019 additionally provided various KPIs on the overall performance of their cyber line of business. Based on the NAIC filings, AON (The three most recent reports are , , and ) tracks the combined ratio, which is the most important indicator for the profitability of the core underwriting business of any insurance carrier or one of its lines of business, for the US cyber market since 2017. The combined ratio is the sum of the loss ratio, which are the costs by handling claims and defending the insured party against unjustified claims from third parties and the expense ratio, which measures the administrative and other operating expenses, such as fees for brokers, incurred during the sales and underwriting process. All three ratios are calculated as a percentage of the gross written premiums written, with lower ratios resulting in a better overall result. A combined ratio of 0.8, for example, means that for every dollar of written premiums 80 cent were incurred in costs to the respective portfolio, resulting in a net profit of 20%.

US Cyber Combined Ratios ()

While the loss ratio fluctuated between 0.32 and almost 0.44 (see the box below for more detailed analysis of the claims side), the expense ratio from 2017 to 2019 stayed almost constant between 29 to 30%. The least profitable in the reported year 2019 despite the general trend of escalating loss ratios are of course worrying, because cyber was an especially lucrative line of business for US insurers. Even with a combined ratio of 74.5 in 2019, a profit of 25.5% of GWP, cyber was still heavily outperforming the overall property and casualty (P&C) US insurance market, According to , had an overall combined ratio of 0.99 in 2018, indicating a meager profit of 1% of premiums taken in. Seeing these numbers, it is easy to understand why insurers are so eager to enter the cyber market and why competition is so fierce: It is a highly profitable line of business in a fast-growing market.

In terms of market concentration, gives excellent insights into the current US cyber insurance market and we advise any interested party to read it in its entirety. The Top 5 cyber insurers in the US, Chubb, Axa, AIG, Travelers Group, and Beazley had in 2018 a market share of 52%, writing 62% of direct policies and 34% of package cyber policies. The report also reveals the different strategic approaches of the insurance carriers. While the Hartford Insurance Group, for example,  has with 510,000 Policies which is by far the most cyber policies in force (2nd: Liberty Mutual Insurance Group with 210k), it ranks with direct written premiums of $43.6 Mil only as 13th in terms of premium volume. The low average premium of $85.5 of the Hartford Insurance Group is due to it underwriting predominantly (91.9%) package deals. AXA and AIG on the other hand, the number two and three in terms of market share after portfolio size, write 99.9% of their reported premiums in standalone policies, which leads to significantly higher average premiums. In total, there were more than 2.9 Mil reported cyber policies in the US in force at beginning of 2019, a number which has steeply risen in the last two years (2017: 2,08 Mil, 2018: 2,58 Mil). The market penetration of cyber is apparently accelerating and it is likely that the competition between insurance carriers will further increase along with it.

The US cyber market reports of AON (The three most recent reports are , , and ) also analyze the claims statistics of the NAIC fillings. While AON records the expense rate, which is also necessary to calculate the combined ratio, only since 2017, the overall loss ratio of the US carriers that filled the NAIC supplement has been tracked since 2015 and is shown below.

US Cyber Loss Ratios (, )

While the loss ratios of the US carriers reporting varied by as much as 0.15, even in the most costly year 2016 in terms of losses, under the assumption of an expense ratio similar to the one reported from 2017 to 2019 of around 0.3, the US cyber carriers still made a handy profit with an overall combined ratio of 0.78. So, while there is variation and fears of a cyber catastrophe event, especially on the reinsurance side, that would likely lead to a sharp increase in claims, the reported losses by cyber insurance in the US were so far always manageable and, one might argue, better than what was expected.
18,125 cyber claims were reported in the 2019 NAIC fillings and analyzed as follows,  .

  • The claims for first party losses outweighed third party claims almost two to one (12,2k to 6,5k). A very noteworthy detail is the claims rate per 1,000 policies, which for standalone cyber policies was  61.5, but only 2.4 for package policies. The authors think that this might be partially explained by the broad definition of “package policy”, which might be a small add-on to an existing business owner policies of a small firm up to the sizeable cyber part of a blended cyber and errors and omissions policy.
  • This provides the individual loss ratios for standalone cyber insurance of the top 20 US carriers for 2016 to 2018. In 2018, the loss ratios ranged from 0.83 (Berkshire Hathaway) down to 0.016 (Axis). If we assume an expense ratio of 0.3, out of the Top 20 cyber insurers, only Berkshire Hathaway had a net underwriting loss in its standalone cyber portfolio in 2018. It will be interesting to see how the disparity in underwriting results will influence the appetite of carriers.

A great hurdle and growing concern for insurance carriers are silent cyber or non-affirmative cyber. In contrast to all affirmative cyber policies, that explicitly provide protection against cyber incidents and their related causes, silent cyber describes the exposure of insurers to cyber damages in traditional property and casualty lines of business. A property example of a silent cyber claim is a fire that was started after a hacker manipulated the temperatures of a blast furnace in a steel mill or the loss of a week production of a food manufacturer because a ransomware attack has disrupted the cold chain by disabling the refrigerators. While these claims are essentially based and a direct consequence of a cyber incident, and would likely be covered by many affirmative cyber policies, they might be also be covered within an existing fire or loss of production insurance. This means that every P&C carrier is already incurring cyber-related losses, even though it might not even be offering affirmative cyber coverage.

The best available information on silent cyber is , an annual survey since 2017 in which in 2019 600 industry practitioners and experts gave their assessment of the exposure of insurance lines of business and industry sectors to silent cyber. While it is hard to come up with an estimate for the total damages that are caused by silent cyber, the claims paid out in the wake of the ransomware attack by NotPetya in 2017 shows the severity of the problem. While the insurance industry paid out in total $3.15 Trillion to affected companies, 90% of this sum came from traditional, non-cyber policies, as reported by . As the global P&C premiums are between $3 and $4 Trillion, even an average additional loss of 0.2% of GWP  due to in the premium calculation unaccounted for, shows that silent cyber risks are enough to match the current global affirmative cyber premiums. It is, therefore, likely that the current silent cyber damages are eclipsing the losses incurred by affirmative cyber.

Header text

Header text

References