Since the start of the pandemic, the cyber insurance industry has been facing its biggest challenge to date. A ransomware crime spree is demonstrating the speed and scale of cyber risk and how this type of risk is unlike any other insurable risk. The number of ransomware attacks increased by 150%. Total ransoms paid are up 311%. The dramatic rise in frequency and severity resulted in a record high loss ratio of 67% for insurance carriers.
After years of little or no rate increases and unconstrained growth, the cyber insurance industry is undergoing a “hardening” phase. Driven by supply and demand changes, the hardening and softening of insurance markets is a cycle that many insurers have come to accept, prepare, and respond to. But given that cyber risk is unlike any other insurance risk, should insurers anticipate and manage this cycle in the same manner as other lines of business?
We don’t think so.
The overcorrection problem
How did the cyber insurance market respond to the ransomware crime spree? The only way it knows how to – with a dramatic overcorrection that is slowing growth and confusing customers. Reuters recently reported that Lloyd’s of London, which underwrites 20% of the cyber insurance market, recently discouraged its members from writing cyber risk in 2022. If true, that is the kind of overreaction that can mean life or death for the cyber insurance product. For the carriers that continue to offer cyber insurance coverage, they are becoming more scrutinous and requiring insureds to spend more time and effort during the underwriting process.
The ransomware overcorrection is the result of a traditional approach to insurance that simply doesn’t work with the nature of cyber risk. Traditionally, insurers go to market with a static view of the risk that is the result of a lengthy evaluation of what is known at a single point in time. Cyber risk does not allow for this approach because the pace of change is significantly faster than the frequency of pricing and coverage strategy re-evaluations.
Given this conflict between cyber risk and traditional insurance approaches, the resulting overcorrection had insurers behaving in ways that hurt their business and their customers. We saw insurers who:
- Had a narrow perspective because they were just focusing on what they saw in their book
- Made abrupt decisions like exiting markets, chopping coverages or substantially increasing rates. Rates went up an average of 50% and there were seven times more brokers who were having a hard time finding capacity
- Frustrated customers with their inability to meet the needs of the moment. Although most customers still find value in their cyber insurance policy, with comments like “Completely dislocated” and “Massive subjectivities to bind coverage”, can we expect the overall positive sentiment to last among insurance buyers?
Can the cyber insurance market afford another overcorrection like the one driven by this ransomware epidemic? Or will customers choose to stop buying cyber insurance because they don’t want to deal with a risk transfer strategy that doesn’t offer the same amount of value as it did in the past?
We know that with the speed and scale of cyber risk, another wave of cyber incidents that catches the industry off guard is coming. Insurance will always have hard and soft cycles but that doesn’t mean that the industry shouldn’t strive to smoothen out the impacts to avoid the negative impacts of a massive overcorrection.
Adapting to win
There can be a way to succeed as insurers given the challenges of cyber risk but it will require a shift from the traditional approaches that rely on infrequent risk evaluations to a new approach that leverages continuous monitoring. It’s only by embracing change that insurers can run their business with agility and win in a rapidly changing cyber insurance market.
Security ratings are enabling leading insurers to transform the way they do business and implement innovative approaches like continuous underwriting. With a real-time view of cyber risk, brokers, underwriters, and portfolio managers are gaining cyber risk insights, streamlining workflows, and identifying risk mitigation strategies to resolve their overcorrection problem.

