Cyber Never Had it So Good
Asking underwriters about rate adequacy is a fool’s errand. It’s like asking an employee if they would like a pay rise.
Ask an underwriter if rates are adequate and their eyes will glint like those of an in-form football striker suddenly presented with an open goal.
They take a deep breath and tell you that rates may already be rising, but that this is barely keeping up with rampant loss trends.
Then they add that the only way the class can be viable in the long term is if a further increase of X% is compounded on last year’s price rises at the next renewal.
In other words, you lay it on a plate for them and the net inevitably bulges from the resulting tap-in. Luckily for us journalists, talk never moved the market.
If that were true, reinsurance pricing would increase by 10% a year, starting immediately after the annual Monte Carlo Rendez-Vous.
But sometimes the talk is real and the need for rate rises is palpable. Early fans of the Voice of Insurance will remember an encounter with cyber pioneer, Dan Trueman of Axis in February 2020.
In it he claimed that cyber insurance would never be as cheap as it was then. At the time I rolled my eyes and thought to myself: “Well, he would say that, wouldn’t he?”
But almost that very day the starting gun was fired on a global re-rating for the nascent cyber insurance class.
All emerging classes undergo a similar growth trajectory. In the early stages exponential growth and the need for market presence trump technical pricing – and anyway, who knows what the real price should be?
But then claims activity starts to catch up, loss ratios start to rise and then the maturity and reality phase comes along.
That’s where we currently find ourselves. The degree of re-rating that needs to be achieved is only just coming into view and it is challenging to say the least.
We all used to worry about cyber’s potential to deliver a systemic catastrophic shock to the market. We still do, and rightly so, because it will never go away.
The exploitation of a ubiquitous software flaw that causes a simultaneous global event that blows out of the top of every insurance and reinsurance programme will probably happen one day.
Because of this we may have viewed the class as a pure cat line, its higher layers running nil loss ratios year after year, hoping they were saving enough for The Big One.
But this class has a bit of something for everyone. Of course, attritional losses have been happening with ever greater frequency at the low end.
That was only to be expected with increased purchasing by smaller, less sophisticated insureds, combined with the looser terms and conditions that came during the hyper-competitive early growth phase.
At the same time criminals were catching on and realising that not only did they have a new revenue stream – they had a new insurance-backed revenue stream!
But the real kicker has come with the realisation that catastrophe risk can come in all sorts of shapes and sizes.
Cast your mind back to the first time you saw a Cat XL slip. Below the Ultimate Net Loss Clause was a little three-word gem: “Two-Risk Warranty”.
This defined the difference between a catastrophe and a single-risk loss. A Cat claim could only be made if an event hit more than one risk in a portfolio at the same time. One was for the risk XL, two meant it was a Cat event.
That worked just fine for property, but it is becoming clear that this doesn’t work in the same way for cyber.
While we were busy worrying about The Big One it seems we had taken our eyes off the ability for cyber risk to produce a very high frequency of Small-to-Medium-sized Ones.
These commonly involve small-medium sized outsourced IT service providers, spreading outages across their client bases and subsequently over insurers’ portfolios. Just four or five risks per event is enough to wipe out major chunks of premium.
Imagine properties being hit by thousands of localised hurricanes year after year and you get the picture.
So cyber faces a triple whammy
The low-end attrition can be fixed by today’s harder market: much bigger deductibles, tighter conditions and improved risk management.
Meanwhile at the other end of the scale, The Big One hasn’t happened quite yet.
But that leaves the catastrophically squeezed middle, burning painful amounts of premium at an unsustainable rate.
The question for cyber is whether it can charge enough to pay for these high-frequency medium-severity events? It is an existential question, for if not, the class does not have a viable future.
Will clients pay?
Only time will tell, but Dan was right. The buyers of early 2020 had never had it so good and the levels of pricing witnessed at that time will never be seen again.