Cyberinsurance Market To Reach $34 Billion By 2031

Emerging space rising from $8.5 billion in 2021 to $14.8 billion in 2025, based on CAGR of 15 percent over 11 years

Sponsored by SecurityScorecard

David Braue

Melbourne, Australia – Nov. 23, 2021


Cyberinsurance has evolved rapidly in recent years, driven by the growing threat of cybersecurity compromise and awareness of corporate responsibility around breach prevention. Yet as the market’s natural growth continues to be distorted by its untenable exposure to large ransomware payouts, changes to its operation and risk parameters will drive fundamental change through every aspect of the market.

Uptake of cyberinsurance has been robust in recent years, with the U.S. Government Accountability Office (GAO) noting in a recent analysis of the evolving market that the proportion of insurance clients adding cyber coverage increased from 26 percent in 2016 to 47 percent in 2020.

This trend, in turn, has driven steady growth in the number of cyberinsurers — which reached 577 in one recent National Association of Insurance Commissioners (NAIC) count, generating a premium pool estimated at $3.15 billion in 2019.

The increasing rate of adoption is likely to continue in coming years, as the growing profile of large-scale cyberattacks — and the accompanying financial risk they impose — prompts company directors and executives to move to limit their company’s exposure to cybersecurity compromise.

A market moving at its own pace

Yet while the general concept of cyberinsurance is gaining widespread recognition — and top-level working groups are seeing organizations like the Cybersecurity & Infrastructure Security Agency (CISA) driving industry collaboration — the sector still suffers from a lack of standard definitions, a recent trend towards denying coverage or claims, and a paucity of historical claims from which to draw actuarial certainty.

This means buyers of cyberinsurance must adopt a caveat-emptor approach, with cybersecurity teams working closely alongside legal and risk-management experts to evaluate potential insurers in the context of their inclusions and exclusions.

Cyberinsurance policies typically cover both the immediate response to a cyber breach — engaging managed detection and response firms to contain an attack, for example, and conducting forensics, data recovery, and so on — and follow-on costs such as notifying customers about a data breach, credit monitoring and restoring the personal identities of affected customers, repairing damaged systems, and so on.

Some providers bundle everything cyber-related into a single policy, while others are increasingly packaging specific capabilities into add-ons that can be chosen to provide much more targeted cover.

Single-policy cyberinsurance comprises around 60 percent of market premiums, the NAIC said; such policies are favored since they allow the terms of the insurance to be more clearly defined and leave less ambiguity in the event of a claim.

Still pushing for simplicity

Study your inclusions carefully and, if you’re working with a cyberinsurance broker, make sure they understand where you are most likely to require cover.

Increasing normalization of cyberinsurance is driving convergence around definitions and inclusions, pushing the market to a much higher level of maturity than it had just a few years ago.

“The real aim is for businesses to think of it as similar to normal insurance they might have,” Dr. Jason Nurse, an associate professor in cybersecurity at the University of Kent, explained during a recent webinar.

“It’s a one-stop shop where if something happens they can call up the insurer, and the insurer can connect the business to the right parties to get the incident resolved, and the company back up on its feet as quickly as possible.”

Anyone who has ever been involved in managing a real-world cybersecurity breach knows, of course, that recovering from it can be far more complex than simply fixing and repainting a dented fender on a damaged car.

Cybersecurity incident response can take days, weeks, or months to complete fully — so it’s important to clarify just how much of the remediation effort an insurer will stick around for.

It’s also important to not get caught with the wrong type of policy, with buyers warned to remain well aware of the difference between standalone, often more full-featured policies and cyberinsurance add-ons that are bolted onto existing business policies and tend to be more carefully prescribed.

Breaking the ransomware cycle

For all its benefits in supporting a business response to conventional data breaches, the cyberinsurance industry is still far from resolving its increasingly enmeshed relationship with ransomware — and the future of the market will be shaped by the changes insurers make to cope with it in coming years.

The issue, of course, revolves around the payment of ransoms — a contentious topic that may, depending on where your business operates, range from perfectly acceptable, to inadvisable, to illegal.

Back when ransoms were still in the four- and five-figure range, insurers were broadly happy to cover their payment — seeing the payments as a cost of building up the sector’s premiums base.

With ransomware artists now routinely demanding six- and seven-figure sums — and victims of major attacks like JBS and Colonial Pipeline normalizing their payment as ransomware groups like REvil push claimed revenues past $100 million — cyberinsurers have been rapidly tweaking their exposure to ransomware extortion.

Since insurers aren’t generally in the business of going bankrupt, increasing ransomware payments have driven a rapid surge in cyberinsurance premiums, with the Council of Insurance Agents & Brokers reporting that 2 percent quarterly premium rises in mid-2019 accelerated over the last 18 months — with premiums rising by 12 percent by the end of 2020, when more than half of respondents in one survey saw prices increase by 10 percent to 30 percent.

Many companies are likely to follow the lead of AXA — one of the world’s largest insurers and the biggest by premiums in the U.S. — which in May responded to an explosion in French ransomware claims by saying that it would no longer cover ransom claims in that country, which by some accounts had ballooned to over $5.5 billion.

Winding back the industry’s exposure

Rapid and sustained growth in ransom claims has dramatically changed the risk profile for cyber insurers, whose Direct Loss Ratio and Defense and Cost Containment (DCC) Ratio exploded from 42 percent in 2019 to 73 percent in 2020, with average paid losses more than doubling from $145,000 in 2019 to $359,000 in 2020.

If those trends continue, exploding ransomware losses will render a once-buoyant sector unviable.

Given the role that increased home working has played in expanding companies’ cybersecurity exposure, the NAIC warned that insurers may seek to limit their exposure by drawing coverage distinctions between company-owned computers and those owned by employees at their home offices — where it is harder to vouch for the security protections in place.

Broader efforts to reduce their exposure — especially in the face of an insufficient and fast-draining premium pool — are likely to drive many insurers to shift to a more proactive model in which they will put the onus on insured companies to substantiate their efforts to avoid ransomware compromise.

Some companies will be happy to lower premiums, Nurse explained, if they’re allowed to put a “black box” on customer networks to see what’s going on, and to get a better idea of their insureds’ risk exposure.

“Companies are not keen, based on what we’ve seen, because of the insight that gives the insurers into their internal systems,” he explained, noting that the market consolidation will see “what was a very large cyberinsurance market, with a lot of providers, actually shrink towards a hard market where there are less insurers — and they can be a bit more demanding about what they request from individuals,” such as demonstrated compliance with ISO 27000 or other security standards and best practices.

As more and more companies drop out of cyberinsurance due to runaway ransomware payments, Nurse said, “we’re seeing a harder market where there are insurers that have really invested in understanding cyber risk and writing strong, robust policies.”

“Insurers now, more than they ever have been before, are in a better position to nudge companies towards saying ‘yes, if you want to buy this insurance policy, you have to have controls X, Y, and Z in place.’ They are being much more cautious about the policies they underwrite.”

Demand and market opportunity for cyberinsurance

Demand for cyberinsurance is surging, according to Moody’s Investors Service. While that may seem to be a contrarian view in light of Nurse’s commentary, it reflects the reality of a burgeoning market.

Maya Bundt, head of cyber & digital solutions at Swiss Re, says cyberinsurance rates have increased by 30 to 40 percent in 2021, and MarshMcLennan expects rates to rise 50 percent.

Munich Re’s cyber premium volume alone is set to soar past the $1 billion mark in 2021. The insurance giant maintains that writing cyber policies is key to survival for major players in its space.

There is even speculation that cyberinsurance will become mandatory, much like workers’ compensation and homeowners insurance.

The cyberinsurance market opportunity is not lost on venture capital firms. Specialty cyberinsurer Coalition recently raised $205 million in a Series E funding round, bringing its total raised to $505 million at a $3.5 billion post-money valuation. Boston-based Corvus Insurance, also a cyber-focused insurer, closed a $100 million Series C at a $750 million valuation earlier this year.

Emerging cyberinsurers have been pushing into an ever-crowding market. At-Bay closed a $34 million Series C in Dec. 2020, Cowbell Cyber raised a $20 million Series A round in Mar. 2021, and just this month (Nov. 2021) Resilience raised an $80 million Series C round.

“Cybersecurity Ventures predicts the cyberinsurance market will grow from approximately $8.5 billion in 2021 to $14.8 billion in 2025, and exceed $34 billion by 2031, based on a CAGR (compound annual growth rate) of 15 percent over an 11-year period (2020 to 2031) calculated,” says Steve Morgan, founder of Cybersecurity Ventures.

David Braue is an award-winning technology writer based in Melbourne, Australia.