Insurers deny cyber premiums are rising

Insurers and brokers reject complaints from large banks that premiums for cyber risk coverage are still on the rise—after they rocketed a couple of years ago—and reckon the current market is instead “soft” and favorable for clients.

The majority of global systemically important banks (G-Sibs) believe the cost of insuring against cyber losses continues to climb, with some claiming they are paying higher premiums for the same levels of coverage.

Sydonie Williams, cyber risks focus group leader, rest of world, at insurer Beazley, says while premiums across the industry may have doubled or even tripled in 2020 and 2021, by late 2023 and into 2024 the market calmed down: “In 2024, it started to show some stability in the first half of the year, and we are seeing some reductions” in premiums for equivalent risks.

It is a downward trend now in terms of the premium reductions we’re seeing

Kelly Butler, Marsh

Philippa Berry, cyber product leader at underwriter CFC says that—like any line of insurance—premiums are dictated by the supply of capital and demand for the product. The “hard market” for cyber insurance in 2020 and 2021 was defined by less supply and more demand for the product, and was triggered by the rising severity and frequency of ransomware losses in 2020, which had caught out some insurers that had underpriced the risk. In response to rising premiums, insurance buyers matured their cyber security practices and provided more evidence for their key controls. This made it easier for insurers to assess their risks and lower premiums, leading to the current “period of stability”.

“What we’ve seen now is a couple of years of stable pricing, so as a buyer coming to market, they should expect a consistent approach to underwriting and more stability in premiums,” says Berry. “For buyers, now is a good time, and they should have more confidence in the market.”

Global insurer WTW said in May it is seeing flat primary and excess cyber renewals, and in some instances even decreases, since capacity continues to be readily available. Any increases are typically faced by organizations unable to demonstrate strong ransomware controls.

The view from individual insurers on the trend in premiums is backed up by aggregated data on the cyber insurance market. To June 2024, insurance distributor CRC’s Redy Index shows monthly cyber insurance renewal pricing changes flat or slowly declining—in sharp contrast with 2022, when the same measure revealed average year-on-year cyber cover renewal rates jumping 70%. And insurance broker Marsh, in its Q1 2024 Cyber Trends Report, says the UK cyber insurance market has seen rate decreases and become increasingly “buyer-friendly” due to a surplus of capacity and competition among insurers.

Kelly Butler, UK cyber leader at Marsh, describes a market that has “stabilized” and is showing decreases in premiums. “The average decrease across our whole portfolio is now sitting at around 7%,” says Butler. “So it is a downward trend now in terms of the premium reductions we’re seeing.”

There is also evidence that demand for cyber insurance is now leveling off. According to Fitch Ratings, US direct cyber written premiums fell 1% in 2023, following a 160% increase in volume from 2020–2022. Analytics firm S&P Global Market Intelligence says premiums in the US cyber insurance market dipped slightly in 2023, ending a prolonged period of rapid growth in cyber premium volume. According to its data, direct written premiums for standalone and package cyber business combined fell 0.7% to $7.1 billion in 2023, from $7.2 billion in 2022.

Russian threat in retreat

Tom Draper, UK head of insurance at research firm Coalition, says he is surprised big banks are complaining about a higher trend in premiums: “The market conditions right now have been very favorable for large clients, especially what we are seeing with major risks—[policyholders with] revenues above $10 billion.”

Draper says there is a lot of price competition among insurers, especially on excess layers for example. Excess policies cover losses that exceed the limits of a primary policy. Coalition’s 2024 cyber claims report also found that overall claims frequency in 2023 was below the historic high of 2021. A natural lag exists between a reduction in claims and the feed-through into premiums being repriced.

Premiums at renewal increased as much as 300% for individual clients in 2022. Following Russia’s invasion of Ukraine, there were also fears that banks faced an escalation of state-sponsored cyber attacks. However, by mid-2022, US banks were reporting that the number of ransomware attacks had in fact fallen since the war began.

Beazley’s Williams explains that the entire market actually saw a decrease in cyber attacks after the Russia-Ukraine invasion. The reason she posits is that threat groups made up of Russians and Ukrainians previously happy to work together became “splintered”. Also, threat groups within Russian territories might have had their activities “guided elsewhere as part of the war effort—rather than ransoming commercial entities they might have been helping with nation-state aims outside of that”.

Moreover, prolific Russian-based hacking group LockBit was severely disrupted by Western intelligence agencies early in 2024, with its administrator Dmitry Khoroshev identified and sanctioned by the US and UK Treasury departments.

Why the long face?

Insurers and brokers suggest several possible reasons for the disparity between their view of the market and the perception of insured banks over the cost of cyber cover.

“It could just be the fact that most of them have yet to renew—if they renewed less than a year ago, it means they might not have seen all the benefits,” says Draper.

Beazley’s Williams adds that cyber insurance is sometimes bought in towers: insured companies can buy one policy with a $5 million limit, but some buy multiple policies to reach coverage of $100 million or even $500 million. Premium reductions may vary depending on where an insurer sits in a client’s overall program.

“Multiple insurers will be pricing their layers differently,” says Beazley.

It may also be the case that clients are choosing to take advantage of favorable rates to purchase more cover overall. According to WTW, when there’s a chance for premium savings on renewals, many policyholders instead elect either to purchase additional limits or to lower the amount of retained risk.

However, industry insiders warn the coming months may see slightly harder market conditions. Ted Cowell, a director in the cyber security practice of consultancy S-RM, says he has had many recent discussions with underwriters and brokers about a possible “plateauing” of the current soft market for cyber insurance.

Coverage terms could also be tightened. Banks have already complained about the growing number of policies that exclude cyber attacks by suspected state-sponsored actors in conflict situations. Another possibility would be for insurers to exclude from policies the liability to pay ransoms.

“It’s uncommon for cyber insurance policies not to cover ransom payments,” says Cowell. “Excluding that from coverage would render those policies very unattractive and will probably make them difficult to sell in the market, but you do hear of carriers attempting to do that.”