Is the new tag of the Property, Casualty & Cyber market – rather than the P&C market – now justified?
With Anthony Cordonnier and Erica Davis, Global Co-Head of Cyber, Guy Carpenter
Cyber insurance, which perhaps only a decade ago may have been regarded by some in the market as a somewhat esoteric product and one that was perhaps difficult to comprehend, has become very much mainstream in recent years. In no small part, this has been driven by both the increasing frequency and severity of cyber-attacks which have made the headlines, with many of these over the past couple of years a result of sophisticated ransomware demands from highly motivated and calculating cyber criminals, many of whom operate on a scale akin to that of a modern business. Almost certainly, at least in part, as a result of the increasing awareness of the cyber threat and the danger posed to organisations of all shapes and sizes, both in the private sector and public sphere, cyber insurance and reinsurance premium have grown considerably in recent years. Indeed, global cyber premiums are projected by Munich Re to reach up to $22 billion by 2025 from $9.2 billion at the beginning of 2022 as demand for coverage expands in tandem with the increasing recognition of threats. Given such a growth trajectory, some commentators have even gone so far as to suggest that we should no longer be talking about the property casualty market (P&C), but instead should be talking about the property, casualty and cyber market (PC&C). In this week’s Big Question, we take a deep dive into this hugely important topic with two of the cyber sector’s most highly regarded and knowledgeable experts.
Kishore Krishnan, Head of AdvantageGo
According to Erica Davis, the growth opportunity for cyber is massive. “There was a debate for many years as to whether the risk would be absorbed as part of the traditional P&C market, or whether the product would survive and thrive on a stand-alone basis,” she says. “Given the actions we have seen from Lloyd’s and others to eradicate silent cyber from non-cyber lines of business, we do anticipate the stand-alone to be viable and a contained solution in the industry going forward.”
Her colleague Anthony Cordonnier thinks that the product has really shown its value in the last eighteen months: “With ransomware trends, every business both big and small can relate to what the impact of a cyber-attack looks like, and from that standpoint, the product has proven itself and has a track record.” However, he adds, “the reason we don’t use that terminology is that cyber insurance really fits in both property and casualty and is both a short-tail, first party coverage line and a long-tail, third-party liability line and it does both. In our view, it is incorrect to put it into one or the other because it sits across both, and that is the uniqueness of the product. Is it its own pillar of insurance? Maybe, but it really is a product that is multi-faceted.”
As Davis points out, cyber is also about the risk itself, which she stresses sits across all different exposure classes. “But I agree that we have seen the product become much more relevant,” she says. “Look at Anthony’s point around ransomware: it really helped organisations to understand how they might be impacted, but from an industry perspective, we also saw losses paid, so both the relevance and value of the product were shown.”
“Some feel that the cyber product is a bit nebulous and it is an intangible product for intangible assets, and that it is sometimes difficult to figure out, but we did see the product respond to ransomware losses, and we saw the losses paid, and because of that we have a much more resilient cyber market for the future.”
It is also important, says Cordonnier, to think not only of cyber as a product, but also as a peril: “The peril is everywhere and it touches everything. There has been a lot of work done in building the cyber product and removing that exposure from other lines, but really the cyber peril is everywhere and will remain everywhere. What I mean is that a cyber-attack leading to property damage, by and large, that’s going to be covered by the property markets still… but the non-damage part, that’s going to be in the cyber market. If you take the argument to its extreme, a discussion I’ve had many times with a person that talks about PC&C is that if you exclude cyber from everything under whatever form, you’re not going to have any insurance left… everything will be cyber!”
Another topic addressed by the duo was whether ransomware is still a significant threat for companies and the cyber market? Davis takes this head on, suggesting that it is still a significant threat, “but we have seen activity subside a bit in 2022.”
“All different shapes, sizes, and classes of business are at risk of ransomware attack, but we’ve seen the scale and scope begin to taper off a bit, and it remains to be seen as to whether that is a long-stand trend, but that has been our observation and our clients’ observations.”
According to Cordonnier, another significant threat in this space that perhaps hasn’t received as much attention recently but that is, nonetheless, sill relevant is that of regulation, with privacy regulation still evolving and becoming more sophisticated, both Stateside and in Europe with GDPR, which he says has been on the statute books for a couple of years now, “but the implementation of it is still evolving and the full impact of it is still being determined, so that is still very much a risk.”
Davis also says to look out for the cyber risk associated with vendor partners, “and really look at cyber risk beyond the four walls of your organisation…I would say that cyber risk has really heightened in recent years and businesses are doing a much better job at mitigating the risk and training employees on the exposure, as well as preparing different contingency and disaster exposure plans. But extending that thought process to your critical vendor partners, upstream and downstream, has become increasingly critical to the operation and something that is still a challenge for many across the value chain.”