U.S. cyber market loss ratios returned to 2019 levels in 2022, dropping from 67% in 2021 to 45% across standalone and package policies, according to Aon’s recently released cyber market update.
Cyber insurance premiums reported to the National Association of Insurance Commissioners (NAIC) rose 50% to $7.22 billion, the report revealed.
However, Aon also noted there is “significant difference” in individual company loss ratios, reflecting different approaches to underwriting. Additionally, 2022 numbers do not reflect more recent increases in ransomware events, the broker warned.
“Despite the improvement in 2022, insurers will need to navigate headwinds in 2023 to maintain or improve on the gains in 2022, such as increases in ransomware incidents, increased competition driving rate decreases, and increased scrutiny on wrongful collection claims. In particular, the CL0P/MOVEit attack is an emerging threat. Monitoring of risk will continue to be mission-critical,” noted Aon in its report.
Insurers reported a 45% increase in earned premium per policy on standalone policies and a 49% increase for package policies, upticks that exceed changes in loss trend, according to the report. Claim frequency for both types of policies dropped last year, with standalone down 12% and package down 7%.
Competition also increased in 2020, with the standalone cyber market becoming less concentrated. While 71% of the market was written by the top 10 standalone writers in 2021, that figure dropped to 62% in 2022. Some of the change can be attributed to tightening or flat capacity for some standalone markets last year – each of the top five writers reported flat or reduced policy counts for 2022.
In the package market, the top 10 writers dominate, writing 72% of all package premium. For the purposes of the report, package policies can be cyber endorsements for small commercial or businessowners policies or cyber/technology errors and omissions blended policies.
Claim trends
Standalone claim frequency has been decreasing for the past three years, but 2022 marked the first drop for package policies since NAIC began tracking cyber market data in 2015. Aon noted the data reflects insured claims only, not all cyber incidents, and policy terms can affect claim trends.
“In particular, rising attachments may also be contributing to the observed decline in frequency. At least a few companies have been compressing limits, helping to moderate the rises in severity,” Aon observed.
While claim frequency dropped, severity showed an increase of 7% for standalone policies, up to an average claim of $119,142, and 13% for package, up to an average claim of $83,732. Increases in claim severity moderated significantly from the previous two years, however, down from 2020 and 2021 upticks of 66% and 25% for standalone and 33% and 29% for package.
“Caution is needed in applying these trends both historically and prospectively,” Aon noted.
Analyzing the data, Aon found 74% of cyber claims are first-party claims, with a total of 26,913 claims reported in 2022. Standalone policies also result in a higher claim rate, 52.5 claims per 1,000 policies compared to a rate of 3.1 per 1,000 package policies.
The smallest cyber insureds (micro firms) have historically produced lower loss ratios, and this continued in 2022, although there was a slight increase in loss ratio for this market segment last year. Large organizations also traditionally have a higher incidence of loss, but in 2022, both large firms and small to midsize enterprises showed decreases, with large organizations dropping sharply enough to fall below SMEs on loss ratio.
Aon attributed the improvement for large insureds to rate increases, noting, “Although writers of insureds of all sizes experienced an increase in premium per policy, the biggest increases were for large insureds.”