Future Financial Viability of Selling Cyber Insurance: Assumptions; Questions; No Answers

I believe that the future financial viability of selling cyber insurance will be bleak at best and, more than likely, unprofitable.

That is my driving assumption about future sales of cyber insurance. When is that “future” going to arrive?

Thank you, July 2024 CrowdStrike cyber incident (not a cyber-attack, I know) for giving the world just a taste, a small taste, of the physical and financial havoc that a systemic cyber attack could cost.

Is this cyber incident only a one-off? Not a chance – cyber predators will consider the CrowdStrike incident motivation to create a real cyber-attack with higher physical and larger financial havoc. I have a hunch the “future” has already arrived.

But … back to this blog post: my intention is to discuss assumptions and questions about the future financial viability of selling cyber insurance. I have no answers. Hopefully, I provoke insurance professionals involved with cyber – and cyber risk professionals in every industry – to think of many more assumptions and questions.

I wonder if sub-limits would be an instrument to ‘come to the rescue’. But even the sub-limit components of an insurance policy should generate combined ratios under 100%, shouldn’t they?

But, let’s get back to my hypothesis: selling cyber insurance in the future will generate combined ratios over 100%.

Why?

I believe that cyber risks have been, and will continue to evolve into more complex forms, including systemic cyber risks. No company, regardless of size, is an island onto itself. Every company has some number of suppliers and/or an ecosystem that it participates in. Plus the fact that companies, regardless of size, have employees and dependents of employees (plus suppliers and/or one or more ecosystems that it participates in).

Assumptions

My driving interdependent assumptions are that cyber risks will evolve from the “simpler” cyber risks of 20+ years ago into “more complex” forms of cyber risks which exist currently and that they will continue to evolve to still more complex forms in the months and years to come.

I’m also assuming that:

• The evolution of cyber risks can be captured by an exponential curve. One axis of the curve will represent the combined ratio of the cyber insurance policy (policies) the insurer sells; the other axis will represent the complexity of the cyber insurance policy the insurer sells. (I realize there are other axes – categories of types of coverage, sales channels involved with selling coverage, types of markets targeted purchasing coverage, amounts of losses by total coverage category and by different types of coverage, … – but I wanted to create an simple(r) visual to capture my initial thoughts.)
• There will be a cross-over point on the exponential curve where the combined ratio of selling cyber insurance will move from under 100% to 100% to over 100% (to a point where the combined ratio is “well over 100%” (or perhaps to truly frightening levels well over 100%).
• Although insurers have been selling cyber insurance for 20+ years, the cyber insurance market currently continues to live under the part of the exponential curve where the combined ratio isn’t anywhere near 100%. Writing cyber insurance remains a profitable exercise for most (all?) the primary insurers involved. It’s a fun time for everyone selling cyber insurance – life is good, all is well.
• Insurance professionals are being blinded by the cyber insurance financial metrics of the past 20+ years and erroneously believe that past returns are an indication of future results. Or to put it another way, too many insurance professionals mistakenly believe that there is no exponential curve of cyber risk evolution – they believe that a straight line projection of the evolution of cyber risks is closer to the truth.
• The exponential curve of cyber risk evolution shown in the first visual could very well be too “mild”. The “real curve” of cyber risk evolution (and I have no idea how to find the real curve which would show both actual past and future cyber risk evolution) is probably a much steeper curve. If that is true, that would move the cross-over level of combined ratios over 100% ‘lower’ on the visual (and in the real financial results of insurers selling cyber insurance).

Questions

People who know me know that when I ask questions I’m asking them not only for my target audience – in this case primary insurers who sell cyber insurance or who are planning to sell cyber insurance – but also for myself. Sort of a “scratch board” to put down some thoughts in the form of questions.

All of my questions (in this blog post) are based on the “marked up” visual below.

In no particular order:

1. Do you believe that cyber risks are evolving? That is, that cyber risks are evolving from being “simpler” to becoming “more complex”?
2. Do you agree that an exponential curve is “best” used to capture the evolution of cyber risks?
3. Do you believe that the curve shown below is “about right”, “too mild”, or should be “more aggressive and slope upwards much quicker”?
4. Do you believe that no matter how complex the cyber risks, and associated cyber attacks, become that you can sell coverage and generate combined ratios under 100% from the sales?
5. Do you believe that your insurance carrier has the financial capacity to write cyber insurance that would generate combined ratios over 100%? In other words, where is your company’s combined ratio (cyber CR loss) comfort level currently? Has that comfort level changed to accept more complex cyber risks? Or has that comfort level changed to avoid more complex cyber risks?
6. How has your insurance carrier’s cyber CR loss comfort level changed through the years that your carrier has been selling cyber insurance?
7. Are you still selling coverage for “simpler” cyber risks? That is, is your carrier living under the ‘safer’ part of the exponential curve?
8. Is your carrier selling cyber insurance for cyber risks with higher combined ratios such as exist on Line (B), on Line (C), or at higher levels cyber risk complexity with concomitant CRs over 100%?
9. How has your carrier’s appetite changed regarding underwriting (and accepting) more complex cyber risks since your carrier began writing cyber insurance?
10. Do you believe that your models accurately estimate the data from the future parts of the exponential curve which have not yet become reality? Why – those evolving cyber risks and associated cyber-attacks haven’t emerged into reality yet?
11. ??? What questions do you ask yourselves regarding the future financial viability of selling cyber insurance ???

Where Are You Going?

“Alice: Would you tell me, please, which way I ought to go from here?
The Cheshire Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where.
The Cheshire Cat: Then it doesn’t much matter which way you go.
Alice: …So long as I get somewhere.
The Cheshire Cat: Oh, you’re sure to do that, if only you walk long enough.”

― Lewis Carroll, Alice in Wonderland

Is your insurance carrier all-in to sell cyber insurance regardless of the manner in which cyber risks evolve?

I sincerely hope that is not the situation.

Perhaps your carrier will tighten terms, conditions, and restrictions as cyber risks evolve into more complex forms.

Perhaps your carrier will leave markets (e.g., hospitals, educational facilities, utilities).

Perhaps your carrier will continually increase premiums.

Perhaps your carrier will participate in the cyber insurance space only with sub-limits.

One truth remain, though: just because a risk exists, does not mean that insurers should sell coverage for that risk.

Otherwise, and specifically considering evolving cyber risks and their concomitant cyber-attacks, insurers can very much look forward to being on the wrong side and at the wrong point of the exponential curve.

Where does your carrier want to go in the cyber insurance market? (Hopefully, disappearing as easily as the Cheshire Cat’s grin.)