A flood or fire might have devastated a business in the mid-1990s when offices were filled with filing cabinets and paper records. Today, most of those assets are in the cloud, and business insurance must cover them in modern form.
Cyber insurance should be a priority in this business landscape, yet too often it is an outlier. There is no other insurance product where so few have coverage but so many need it.
According to Fortune Business Insights, the global cyber-insurance market was $13.33 billion in 2022 and is forecast to grow to $84.62 billion by 2030. Many companies aren’t sure how much cyber insurance they need, and, more critically, insurers aren’t sure what the risk landscape looks like for an individual company that seeks coverage.
This risk miscalculation has spurred huge losses and changed the landscape of the cyber-insurance market. In its latest report, the National Association of Insurance Commissioners (NAIC) shows the top 20 groups reporting on cyber supplements had direct loss ratios of up to 130.6%.
Insurance coverage isn’t necessarily hard to obtain — a company with a mature security posture can likely get multiple quotes without a problem. However, specific sectors with historically poor security postures, like education, or highly targeted sectors, like software developers, may have a more challenging time.
Let’s look at how the market has changed and where it’s heading.
How the Market Hardened
The cyber-insurance market has rapidly transitioned from a soft cycle, characterized by lower premiums and higher limits, to a hard cycle. This shift resulted in insurance premiums skyrocketing.
Some businesses have been surprised when their premiums increased dramatically despite nothing changing on their end. But most insurance companies saw more demand than supply, and risk increased as more claims were filed. According to Verizon’s “2023 Data Breach Investigations Report,” ransomware accounted for roughly 5% of breaches in 2020 and soared to 24% in 2022 and 2023. Insurers raised rates accordingly.
Those rates finally dipped by 10% in June, partly because insurance companies mandated their customers implement better protections. Insurance companies must excel in risk management to offer competitive rates. This enables the insurer to accept risk and ensure prices don’t have to jump to a point that makes the company noncompetitive.
Where SMBs Fit In
When the market began less than a decade ago, only big businesses were looking for coverage. Underwriters want balanced books, with a few large risks and many smaller ones, but the market demanded half of that. Industrial-sized companies sought coverage, while small and midsized businesses (SMBs) were on the sidelines.
Large tech companies had risk-management processes at the board level requiring them to seek cyber insurance. SMBs didn’t know their threats, and their risks weren’t considered imminent. The dynamic shifted when the threat landscape changed, and cyber insurance became more commercialized with offerings that made sense to SMBs. According to NetDiligence’s 2022 Cyber Claims Study, large companies represented only 2% of cyber claims from 2017-2021, but those claims accounted for 51% of total incident costs.
These days, large businesses require their smaller partners to carry cyber insurance, and brokers can be sued for negligence if they don’t offer it to their clients. Some brokers have clients who don’t buy the policy sign a waiver stating that it was at least offered to them.
With these forces pushing the market, we’re seeing more and more small businesses turning to cyber insurance.
Where Things Are Going
When insurance companies have limited capacity, they choose customers with lower risk. Low-risk companies take measures to minimize their exposure. Traditionally, it’s been hard to prove where those exposures are, let alone whether they’ve been mitigated.
Technology is changing this. Companies now have better ways to understand where to harden their security posture, and insurance companies have new methods to determine how risky their potential client is.
This data empowers underwriters to mitigate risk that would impact policies and offers mitigation strategies for companies seeking coverage. These efforts promote a hardened security posture, which means lower risk for insurance companies so that they can offer competitively priced premiums. This eventually translates into lower loss ratios and higher profitability for the whole industry. That in turn enables more affordable rates for businesses.
In less than a decade, cyber insurance has grown from a niche product to a multibillion-dollar industry. By using data to drive policy underwriting, cyber-insurance companies can offer the coverage so many want without a price tag that will drive them away.