Marsh urges restraint from cyber market with price hikes set for 2022

Marsh’s head of cyber risk in Europe is urging cyber insurers not to “push too far”, following an almost doubling of cyber rates during the past two years. But he told Commercial Risk Europe that although cyber capacity constraints should ease as insurers return to growth and profitability, price rises are expected to continue next year.

Jean Bayon de La Tour, head of cyber for Marsh in continental Europe, added that while the cyber market is set to remain tough for buyers, price rises are expected to moderate in 2022.

The cyber insurance market has transitioned rapidly during the past 18 months, spurred by a sharp uptick in ransomware attacks, rising data breach exposures and concerns over systemic risks, according to Bayon de La Tour. Some 95% of cyber insurance losses in Europe are from ransomware attacks, he told CRE.

Cyber insurers have reacted to the increased frequency and severity of ransomware losses with price increases, reduced limits, higher deductibles and by cutting available capacity per risk, explained Bayon de la Tour. Capacity per risk has fallen to just $5m from about $25m two years ago, he said.

Rates in Europe increased 64% in the third quarter of 2021, compared with 73% in the UK and 112% in the US. For the whole of this year, cyber insurance rates will have risen by 50% to 60%, on top of similar increases in 2020, Bayon De La Tour explained. This means cyber insurance is now almost twice as expensive as it was two years ago.

And Bayon De La Tour has warned insurers not to push their clients too far.

“I urge insurers to think longer term and to not allow the market to transition too far. We have seen stabilisation in claims activity and profits come back in the third quarter, so please do not allow the market to harden too far. Many clients already question if it is worth buying cyber insurance, given the price and coverage restrictions. We do see some clients deciding not to renew, although these are one-offs at present and not a trend. But it is concerning,” he told CRE.

“Five years ago, insurers were knocking on the door of clients and urging them to buy cyber insurance. Now that clients want to buy, there is no one at the front door… Clients have been shocked by the market turnaround, which continues to deteriorate by the day,” said Bayon De La Tour.

Cyber rates are set to increase further in the fourth quarter of 2021 and into 2022, but price increases should begin to moderate, he continued. “The market will calm down in 2022 and I would estimate rate increases will be between 35% and 45% next year,” he said.

Renewals in the fourth quarter of 2021 will be particularly challenging because many cyber insurers have already reached their underwriting targets for the year, said Bayon De La Tour.

Total theoretical cyber insurance capacity in Europe shrunk this year to €450m, from €700m in 2020, as many insurers reassessed their appetite, according to Marsh. Insurers have sought to move higher up within programmes to above “burning layers” that are most exposed to losses. Meanwhile, some carriers have shied away from certain sectors or larger companies in favour of small to mid-sized firms where exposures are lower.

Although European cyber market capacity declined, the number of players was stable and a small number of new entrants have emerged, according to Bayon De La Tour. As a short-tail line of business, cyber underwriters have been able to respond to increased losses quickly and many have already seen a return to profitability in the second and third quarters, he said.

“Market capacity has shrunk overall but the number of players in the cyber market has remained stable. I would expect capacity to expand in 2022 as new capacity comes in from new carriers and managing general agents (MGAs) expanding into Europe. Insurers may not have been keen to take on new business in 2021, but for next year I would expect insurers to return to cautious or aggressive growth,” Bayon De La Tour said.

A number of specialist MGAs and insurtechs, which typically combine insurance with cybersecurity advice and tools, have expanded rapidly in the US, attracting new investments and reinsurance backing. Several of these new entrants are looking to expand internationally, and could have a big impact in Europe, according to Bayon De La Tour.

Although cyber insurers have tightened underwriting policies in response to increased losses, they have not yet moved to exclude ransomware attacks, according to Bayon De La Tour. Some insurers have introduced sub-limits and co-insurance requirements for ransomware claims, and most are asking more questions around cybersecurity and business continuity arrangements. In particular, many insurers now require insureds to meet certain underwriting criteria, such as demonstrating multi-factor authentication, regular patching, training and incident response planning.

“Ransomware costs are an important cover and clients need to have it. Insurers are still open to providing it, and now we know what they require in order to do so. It is important that insurers encourage insureds to be better, rather than make cyber insurance unobtainable,” said Bayon De La Tour.

In response to the transitioning cyber insurance market, larger buyers have restructured their programmes, he explained. Many are buying less limit and are increasing deductibles, while some have turned to their captive insurers. Buyers are also having to tap additional markets as cyber insurers have reduced available capacity per risk, said Bayon De La Tour.

Marsh is also advising corporates to start their cyber insurance renewal six to nine months early and prepare for insurers’ underwriting criteria. “We know exactly what insurers expect insureds to do in advance and can assess clients’ cybersecurity, as well as advise them on how they will be perceived by underwriters and how they can improve,” said Bayon De La Tour.

Back to top button