Cyber market growth isn’t over, but SME adoption is critical to expansion. This was the crux of the message recently delivered in an analysis by Swiss Re which outlined why, despite a cooling in the era of rapid, double-digit cyber insurance market expansion, it is not the end of the cyber growth story.
Digging into where cyber insurance pricing stands today in a recent interview with Re-Insurance Business, Fabian Willi, head cyber key accounts at Swiss Re, outlined that it’s still a “very competitive environment”. Essentially, he said, there is much more cyber insurance supply than demand, which is creating a lot of competition in the market – which, in turn, is putting pressure on rates, which have been decreasing over the past couple of years.
“There are mainly two elements to that competition,” he said. “On the one hand, after the big correction in the cyber insurance market in 2020 to 2022, an entire series of new entrants came to the cyber insurance market, expecting its profitability outlook to be much better than it was in the past.
“New appetites emerged and new entrants came to offer their capacity, in particular, MGAs – some of those coming from the US to explore the European market and whether they could replicate their business model here as successfully as they did in the US. The other element was that the incumbent markets increased their appetite again.”
Those carriers who had re-underwritten their portfolios, increased their rates and raised the bar for cybersecurity controls became more comfortable with the idea of deploying more capacity again, he said, and in increasing their line sizes once more. That introduced an additional layer of competition, particularly on excess business.
“I often hear people say that ‘we can give back rate because we increased it so dramatically during that period of unprecedented rate increases’,” he said. “And yes, you might be able to do that to a certain degree but, in my view, cyber as a product was clearly underpriced in the past for the inherent exposure.
“Nobody really anticipated and priced the surge in ransomware claims of 2019 and 2020 in the pricing level of cyber insurance, so that correction was absolutely needed to rebalance out that premium versus threat landscape. I think it’s super important that the rebalance stays, and does not go back to the levels before the big correction. That is my call to the insurance industry – let’s be prudent here because, otherwise, we might go back in the cycle, and see the same profitability issues as we witnessed in the past.”
Identifying some of the factors behind the cooling of the market’s rapid expansion, Willi noted that it’s being driven by a combination of both rate development and organic exposure growth. The latter element is a very important part of the equation when it comes to the overall growth of the cyber market, he said, and it’s cooling off as a function of cyber insurance’s penetration of the segment where it’s bought most – large corporates, among them many Fortune 500 and Fortune 1000 companies.
“We reckon on a penetration rate of around 80% for large companies with a turnover of above $10 billion,” he said. “So, those players have either bought cyber insurance or decided not to, and those who have decided not to buy will likely not do so in the future either. Growth from those players can only come if they extend their towers and buy more capacity than they did in the past.”
There is some growth potential inherent in that, he said, but, from his perspective, the big protection gap remains in the middle market and SME segment. That’s where the cyber insurance industry needs to find solutions that will enable it to access and protect that segment, which requires different products, different pricing and more efficient distribution models.
Even the way this segment’s risk is underwritten needs to be different, he said, as it inevitably needs to be more automated and commoditized in order to be efficient. That’s a journey in and of itself, and the market isn’t where it needs to be yet. The nature of organic cyber growth has to change if the market is going to continue to grow, and Willi posits that SME adoption will be critical to harnessing that future growth potential.
Greater education about cyber risk, security and the value of insurance is at the core of this SME adoption, he said, and this needs to be an area of focus beyond just the insurance ecosystem. He touched on the World Economic Forum’s report on the cyber skills gap, which estimates a global shortage of four million experts when it comes to cyber expertise across all functions.
That reflects the cyber awareness level when it comes to the buyer side of the insurance equation, he said, and he has the impression that this awareness has increased over time. However, it’s the acceptance of the nature and scale of the risk that’s not where it needs to be yet. “Many smaller companies have learned that cyber risk is something that’s here but they don’t yet see how that risk can also affect them.”
“I think we need more awareness creation to help SMEs realize that everyone is actually vulnerable. Too often we hear, ‘I’m too small to be of interest’ or ‘why should anyone compromise me, I don’t have sensitive data?’ But with the interconnectedness of the world, you don’t even need to be the initial target of the attack to suffer from its outcome. You are part of a supply chain and you are very dependent on your suppliers, as your customers are very dependent on you.”
The digital supply chain implications of a cyberattack are a valuable point of consideration for companies on the smaller end of the market, he said, particularly because they often don’t have the funds to sustain a long business outage or disruption. They need to be aware of those risks and able to define their risk tolerance – and cyber insurance and cyber risk management are essential tools in that toolkit.
“So, first and foremost, they should invest into cyber security and into understanding their exposures,” he advised SMEs. “Otherwise, we can’t get to that next level of resilience we all aspire to. Education is key. And, for us, we also look to ourselves as reinsurers and at the important role we have to play, not only in providing capacity to the cyber insurers, but also knowledge and thought leadership around cyber risk and how that affects societies and economies overall. I think it is very important that we jointly keep on educating the ecosystem.”