During CyberCube’s recent ‘Cyber Predictions’ webinar, leaders from across the insurance ecosystem came together to discuss some of the standout themes anticipated this year – among them, what it will take to move the dial on cyber insurance solutions in 2025.
Touching on what’s happening in terms of pricing, Scott Stransky, MD and head of the Marsh McLennan Cyber Risk Intelligence Center, looked to recent renewals for Marsh clients and noted that, “it’s good news for the buyers”. Year-on-year, rates are still decreasing a little, he said, on average recording a single-digit rate decrease. “We also see that companies are able to get higher limits.
“Nearly a quarter of our clients in recent renewals increased their limits, which is great for resilience, because, in many cases, limits aren't sufficient for the risk that's out there today… I do think we’re in a buyer’s market today and that should help increase the take-up rates. Everybody's saying the take-up rates are low but now that rates are coming down, hopefully more companies will see the value in purchasing cyber insurance.”
Cyber insurance consultant Stephen Ridley highlighted that while the sector is still seeing soft market conditions, he doesn’t believe it will take much to move the dial. “I think we’re very much approaching the bottom in terms of the rate we’ve seen eroded over the last 18 months or so. It was this time last year when people were predicting that there would be a slight uptick in the market towards the back end of last year. But actually, we just saw that continue to drag down.
“I think that when we do hit that inversion point, it's going to be quite an acute one. I don't think we're going to suddenly hit a bottom and plateau and have a period of consistency. When there is a turn in the market, it will be a large jump in rate and change in terms, probably not to the extremes that we saw in 21/22, but I think it will be a significant increase or change.”
The question for many in the market is what it will take to move that dial and, from Ridley’s perspective, it’s unlikely that a large event on its own will be the driver. Including, but certainly not limited to, the CrowdStrike outage, and the CDK Global and Change Healthcare attacks, the market has seen some large and high-profile events, as well as a number of smaller but still significant events.
However, he believes it is when the market starts to see attritional loss trends change as well that the dial will start to move. “We are seeing not just rate be impacted by the soft market conditions, but we are seeing the underwriting terms and policy language broaden as well. With all of that combined, once the exposure change earns through, we may well see a deterioration in the underlying performance, which may then, if there are one or two larger events – which I would predict we may well see again next year - that's when we'll then see that flip.”
Offering his insights, Stransky emphasised that it’s important to differentiate between “big events” and “big events for the insurance industry”. While some high-profile cyber events were significant from a media coverage perspective, he said, from an insurance industry perspective, they didn’t represent sizeable losses.
“So, I think what it will take is an event that hits the insurance industry. I’m not exactly sure what that's going to look like, whether it's a physical damage event or a more traditional, so to speak, cyber type of event in the digital world. But I think an event that causes a lot of insured loss will have a different impact than an event that is a media-noteworthy type of event.
Going back to the basic ingredients that make up a hard market, Dan Palardy, chief actuary at Cowbell, highlighted how it’s often driven by major event loss activity, or a reduction in market capacity due either to carriers pulling out post-event or the market growing beyond the capacity of the current providers. He said he doesn’t expect to see a huge cyber event in the near term as highly likely, though he reiterated the need to differentiate between cyber events in terms of their economic or headline impacts, and how they proliferate into the cyber industry.
“One point that I would make though about the rating environment is you have to consider how much the exposure of the underlying risk is in flux as well,” he said. “There is a silver lining here, and I'm not trying to pretend that I'm overly optimistic or pessimistic about the cyber risk. I just want to make the point that organisations are strengthening their cyber security posture, and the educational efforts around the industry are much more widespread.
“So, these are net positive trends even within a softer rating environment. The exact quantification of that depends on who you talk to, but there's some element of offset to a softer rating environment there, just based on that fact in itself.”
