Will the first hard cyber insurance market slow the shift to stand-alone coverage?
By Joseph S. Harrington, CPCU
Cyber insurance premium grew a lot back in 2021 and 2022, so it’s not surprising that it would dip a little in 2023. Chances are good that the 2023 results will prove to be a pause in an otherwise inexorable rise, but they may also signal a shift in demand.
According to the National Association of Insurance Commissioners (NAIC), direct written premium for cyber coverage soared 68.6% and 47.6% in 2021 and 2022, respectively, reaching a total of $7.2 billion from U.S.-domiciled carriers (admitted and non-admitted).
The soaring market cooled its jets in 2023, with Fitch Ratings and S&P Global each reporting that cyber premium declined slightly but unexpectedly in 2023, the first such decrease since before the NAIC instituted cyber premium reporting in 2015.
Why the decrease? S&P analysts cite falling rates in the latter half of 2023 after large rate hikes implemented earlier to respond to paralyzing ransomware attacks. Fitch adds that, as rates soften, cyber carriers are emphasizing cyber security and cyber hygiene standards, “tightening” policy language, and adding sub-limits and exclusions.
Stand-alone or packaged coverage
More significant, perhaps, than a temporary dip in overall premium is where that dip occurred.
The 2023 decline in cyber premium is entirely attributable to so-called “stand-alone” cyber coverage: separate policies that cover only cyber losses (both first- and third-party) and are usually an account’s only source of cyber coverage.
While premium for stand-alone cyber policies decreased by about 3% in 2023, premium actually rose by slightly more than 5% for “packaged” cyber coverage included in policies covering other types of losses. Lorenzo Spoerry, owner-editor of CyberInsurer.com, writes that “this divergence suggests a shift in how businesses approach their cyber risk management strategies, possibly seeking more integrated solutions.”
A decade ago, stand-alone cyber insurance accounted for less than half of all cyber premium, according to A.M. Best. By 2022, it had become the coverage of choice for larger accounts, accounting for nearly triple the premium volume of packaged cyber coverage, even though the latter accounts for a far greater number of policies providing some cyber coverage.
The shift (in premium) to stand-alone coverage has reflected a desire among leading insurance providers, including Lloyd’s of London, to establish a strong distinction between cyber risk and other commercial risks, and to cover cyber risks almost exclusively under policies designed specifically to address them.
The goal has been to eliminate potential for “silent” cyber coverage in policies written for other purposes and, in effect, to have cyber risks, like auto risks, covered as distinct exposures ancillary to the principal operations of an enterprise.
A.M. Best reasons that “the ongoing shift to stand-alone [cyber coverage] could minimize disputes and litigation costs, because affirmative coverage and clear exclusions lead to less ambiguity about what situations cyber insurance covers.”
Limits to a distinction
When carriers talk about reducing ambiguity, agents and brokers wonder if they’re seeking to reduce coverage. There is only so far that a policy can eliminate coverage for “cyber” losses without potentially restricting coverage for an insured operation.
If we compare cyber exposure with auto exposure, we know that an enterprise can usually choose whether to use its own vehicles and drivers or hire a motor carrier. In contrast, information technology is integrally incorporated into an enterprise’s operations. It’s impossible to draw a line that completely divides an insured’s operation from the technology used to implement it.
This is not to say that losses from identified cyber perils, such as ransomware attacks, cannot be excluded from basic commercial property and liability coverage and addressed in a separate cyber coverage part, endorsement or policy. Nor does it follow that the presence of some cyber coverage in a package policy makes it comprehensive or adequate in addressing an account’s cyber exposures.
What we can say is that the slowdown in stand-alone cyber premium in 2023, and the uninterrupted growth in package cyber premium, suggest that providing cyber coverage in non-cyber policies will continue to be a practical and economical option for commercial accounts.
“Silent,” or at least muted, cyber coverage will be with us indefinitely.
The author
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.