As you might expect from one of the most dynamic areas of insurance today, the cyber insurance market experienced a further year of change and challenges, and we can expect more of the same in 2024 for brokers and risk managers working with large corporates.
Pricing environment
The market has seen pricing fluctuations over the past few years, driven by a dynamic threat environment.
After a period of price hikes across the market in response to both the growing frequency and severity of ransomware claims, many risks saw pricing reductions in the latter half of 2023.
While this was undoubtedly welcomed by many businesses, there is also a desire for pricing stability from clients. Underwriters will be increasingly concerned that rate adequacy cannot be sustained if the negative rating environment builds momentum in 2024.
The large corporate team here at CFC believe that despite relatively abundant capacity available in the market, the claims environment should be sufficient to stop the significant downward pressure on pricing that we saw towards the end of last year, and so we expect the rating environment to reach a more stable equilibrium in 2024.
Capacity
Sufficient reinsurance and ILS capacity has allowed the cyber market to continue to grow. While we don’t see any signs of this dissipating, further comfort around systemic risk modelling will be required to unlock the necessary capacity from reinsurers and capital markets to support long-term growth in the cyber market.
While there is a lot of focus on the need to drive penetration rates at the SME end of the market, even in the large corporate space penetration rates – especially outside the US – are such that the market should have a healthy natural growth rate which will need to be met with sufficient capital supply.
Current capacity levels ensure that the vast majority of large corporates can source the limits they desire, helped by a handful of markets being able to deploy large lines. CFC, for example, has been able to offer a sizeable traditional line of £25m in the large corporate space for some years now.
Claims
We expect ransomware and extortion to continue to be the biggest source of claims in the large corporate space. The economic incentives for threat actors are such that we do not see this activity diminishing.
In light of this, brokers and risk managers should expect to see the market continue to enforce minimum security standards with a greater focus on supply chain due diligence given the preponderance of attacks against software suppliers.
However, this will also result in the continued evolution of the cyber insurance proposition in 2024.
In response to the ransomware epidemic, more markets focused not only on building out their in-house claims infrastructure but also on developing proactive risk management services. At CFC, for instance, our proactive threat intelligence alerts have been particularly welcomed by our large corporate clients – especially amongst those for which the service has previously prevented an attack. We will continue to invest further in these capabilities and expect to see other pioneering markets do the same. As a result, large corporate clients are likely to experience even greater benefits from their policies as the market looks to bolster similar prevention efforts.
In the US, longer-tail privacy claims continue to be a concern. We don’t see a let-up in these types of incidents this year given that individual states continue to introduce ever more rigorous privacy regimes. Claims emanating from biometric and website tracking technology are currently front of mind, but we also expect to see a continuation of plaintiff lawyers creatively using statutes, sometimes decades old, to bring privacy-related class action lawsuits.
Outside the US, regulatory scrutiny related to data privacy has also increased with many countries having introduced or looking to introduce more onerous privacy regulation, often based on the GDPR. Perhaps more significant for the market will be whether these new frameworks have the ingredients, such as the private right of action, that will lead to more third-party liability claims stemming from privacy incidents.
Systemic risk
Systemic risk remains a pressing concern for all cyber insurers. It has the potential to restrict adequate capacity into the market, which could harm longer term growth rates.
2023 saw a number of initiatives introduced by the market. These included the war exclusion announced by Lloyd’s, the launch of the market’s first cyber catastrophe bond and our sponsorship of the creation of the newly launched independent Cyber Monitoring Centre designed to define and categorise systemic events with a view to bringing more clarity to the market’s approach to systemic risk.
Being able to delineate between attritional claims and systemic risks will be a significant area of focus for the market and its capacity providers in 2024. We will undoubtedly see continued innovation in the market in how insurers manage systemic risk, which should deliver positive long-term benefits for the market and its clients as a whole.