Cy­ber in­sur­ance: strong de­mand – but what about the risks

Erscheinung:18.03.2024 | Topic VersicherungenCyber insurance: strong demand - but what about the risks?

Threats in cyberspace are on the increase. Cyber insurance policies are therefore gaining in importance. BaFin has now conducted its second survey among insurers on the cyber insurance business. The results show that the market for cyber policies is growing rapidly. But business is not always profitable. BaFin therefore recommends insurers to take a prudent approach in their rate making and ensure appropriate reinsurance.

According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik), the situation regarding cyber security in Germany remains tense. This is true also for many undertakings. The digital association Bitkom estimates the losses to the German economy from data theft, espionage and sabotage at over EUR 200 billion per year. No surprise therefore that the market for cyber insurance is continuing to grow - at a rapid pace. This is revealed in the latest survey conducted by BaFin in 2023¹.Germany's financial supervisor asked 200 insurance undertakings that might be offering cyber insurance policies to take part in the survey (details on the survey can be found in the info box "At a glance"). The objective was to obtain a meaningful overview of the situation on the market as a whole. The high accumulation risks that are characteristic of the market make the survey of particular relevance to BaFin. In concrete terms - a single cyber event can trigger a significant number of individual losses worldwide. An example is hackers using errors in a standard software for cyber attacks.

Business more than doubled

Stand-alone cyber policies (i.e. pure cyber policies) in primary insurers' direct business more than doubled from 2020 to 2022 across all regions and customer groups. In terms of gross premiums written (GPW), it amounted to approximately EUR 700 million (see Figure 1) in 2022, an increase by 144 percent compared with 2020. In terms of premium income, cyber insurance has thus overtaken the smaller insurance classes subject to reporting requirements².

The situation regarding inward stand-alone reinsurance business is similar, having also more than doubled from 2020 to 2022 across all regions and customer groups. In 2022, gross premiums written totalled approximately EUR 1.57 billion (see Figure 2), an increase by 138 percent compared with 2020. In terms of premium income, cyber insurance overtook the smaller insurance classes subject to reporting requirements in this business segment as well.

Growth in premium income of the surveyed undertakings was disproportionately stronger for the most part than growth in the numbers of contracts. This indicates premium adjustments, particularly between 2021 and 2022.

BaFin expects business with cyber insurance to show further growth. Gross premiums written in direct business are soon expected to exceed the threshold of EUR 1 billion and inward reinsurance business the EUR 2 billion mark.

The survey also shows that insurers paid a ransom for cases in which customers were targeted by ransomware attacks in only a very few cases. In the period 2020 to 2022, insurers in Germany paid out amounts in the lower double digit millions region.

Slight decline in market concentration

Compared with the 2021 survey, market concentration has fallen slightly. The top 10 suppliers in the stand-alone direct business in Germany accounted for a market share in gross premiums written of 75 percent in 2022 compared with 86 percent in 2020. The gross claims ratio (i.e. the ratio of insurance services to earned premiums) for the top 10 lay in a range of between 20.1 percent and 112.8 percent in 2022.

Large corporates continue to account for highest market share

The main customers in the cyber insurance business are large corporates, which regularly account for over 80 percent of the market share in terms of premium income across all observation clusters. Small and medium-sized enterprises (SMEs) account for between 15 and 20 percent of customers, private customers usually for only one percent. Depending on the geographic region and business written, the values differ somewhat (for a detailed breakdown, see below).

High growth rates worldwide

Figure 1: Development of gross premiums written by region (direct stand-alone business)

Source: BaFin

In the direct stand-alone business, the GPW growth rate across all geographic regions amounted in 2021 and 2022 to over 50 percent in each case. The rate is particularly strong in the non-European business at approximately 118 percent in 2021 and approximately 68 percent in 2022.

Across all geographical regions, the customer segment of the large corporates accounts for the biggest market share of approximately 81 percent. The SME segment accounts for a market share of approximately 18 percent and that of private customers of just under one percent. Compared with the 2021 survey, the market shares have thus remained relatively stable.

Both in Europe (excluding Germany) and worldwide, the market share of the large corporates segment is even more significant. The SME customer segment in Germany, on the other hand, accounts for a somewhat higher market share in the stand-alone business.

The direct endorsement business has remained constant since the 2021 survey. The results of the latest survey show that substantial premiums are currently only achieved in this business segment in Germany³.Gross premiums written amounted in this segment to approximately EUR 61 million. Compared with the stand-alone business, private customers accounted for a significantly higher share of approximately 10 percent.

Figure 2: Development of gross premiums written by region (inward stand-alone reinsurance business)

Source: BaFin

The GPW growth rates across all geographical regions for the inward stand-alone reinsurance business amounted to approximately 39 percent in 2021 and reached approximately 72 percent in 2022. As with the direct stand-alone business, the large corporates segment accounts for the biggest market share across all geographical regions of approximately 84 percent. SME customers account for a market share of approximately 15 percent, private customers of just under one percent. The market shares have remained relatively stable since the 2021 survey. The somewhat greater significance of the SME segment noted by BaFin in the direct business in Germany was not evident in the inward reinsurance business.

The inward endorsement reinsurance business doubled compared with 2020, amounting across all geographical regions to approximately EUR 262 million. Depending on the region, the breakdown by customer group differs somewhat from the values in the direct business.

Cyber insurance business not always profitable

Figure 3: Development of combined ratio and retention in Germany (direct stand-alone business)

Source: BaFin

The increase in the number of cyber attacks resulted in high loss expenditures in Germany in 2021. These are clearly reflected in the gross combined ratio of more than 100 percent (see Figure 3). This value indicates that loss expenditures plus operating costs are higher than premium income. In 2022, the gross combined ratio declined somewhat. At the same time, however, the net combined ratio, which also takes reinsurance into account, climbed noticeably. The retention of primary insurers fell further in the reporting period and amounted to 26.5 percent in 2022.

Figure 4: Development of combined ratio and retention worldwide (direct stand-alone and endorsement business)

Source: BaFin

As a result of the better loss experience in the non-Germany direct business, the gross combined ratio declined continuously in the observation period (see Figure 4). In contrast, there was a slight decline in retention here compared with the Germany business.

Figure 5: Development of combined ratio and retention worldwide (inward stand-alone and endorsement reinsurance business)

Source: BaFin

The combined ratios of the inward reinsurance business exceed 100 percent in almost all cases (see Figure 5). Retention increased slightly in the observation period.

BaFin recommends prudent rate making and appropriate reinsurance

In the area of cyber insurance, insurers have been unable as yet to fully draw on meaningful loss data. What is more, the potential loss scenarios can be very dynamic, for example due to high accumulation risks. BaFin expects insurers to adopt a prudent approach in their underwriting policies, gear their rate making to take account of the high uncertainty and ensure appropriate reinsurance. As regards appropriate rate making for products, Germany's financial supervisor considers a classification according to the coverage components first-party losses, third-party losses and cost/service to be essential.

BaFin considers collecting uniform data on the rapidly growing market for cyber insurance to be indispensable for effective supervision. It is therefore planning to establish cyber insurance as an independent insurance class in the Regulation on the Reporting by Insurance Undertakings ("insurance class 26 cyber insurance"). This class would encompass the direct business and the inward reinsurance business of primary and reinsurance undertakings for national reporting. At the European level⁴, a cyber template (QRTS.14.03) is being introduced in parallel that can be used for the annual reporting on the 2023 financial year. The template should be available for use for the first time in April 2024.

Did you find this article helpful?