Cyber Insurance - What's in Store for Captives

On October 20, 1897, a man named Gilbert Loomis bought an insurance policy for $7.50 from Travelers Insurance Company. The policy covered Loomis for property damage and bodily injury liability resulting from an accident in his self-made automobile. 

Loomis’ auto insurance policy was the first ever written. Since then, auto insurance has evolved significantly in scope of coverage, in coverage consistency between different insurers and in premium determination methodology. Applying this analogy, in relative terms, to the current state of cyber insurance, it could be said that we aren’t too far past the day Mr. Loomis’ primitive policy was written.

On April 16, my colleague Aaron Hillebrandt and I presented a Pinnacle APEX Webinar discussing what’s in store for captives with respect to cyber insurance. As we mentioned in April, a discussion of what to expect in the future must start by looking at where we are now but also where we’ve been.  

Much like with auto insurers in the early 20th Century, it’s only been recently that the insurance industry has realized how significant—in both size and importance—cyber exposures are. Further, this significance will likely continue to increase for the foreseeable future, as businesses continue to become more technology-driven and hostile actors continue to find new ways to commit cybercrimes that steal from and disrupt businesses.  

As a result of the coverage and exposure’s relative immaturity, insurer databases lack the historical loss and exposure data typically used by actuaries to determine reasonable premium amounts. In addition, the coverage itself tends to vary quite widely from insurer to insurer. It is likely that each company created new products independently with differing expertise, business goals and comfort levels with the amount and nature of exposure they were willing to write. Many more familiar coverages have fairly standardized coverage forms, allowing for simple comparisons of coverage and premiums between insurers. Looking at two different insurers’ cyber policies might reveal a significant number of differences in covered and excluded loss exposures and disparate indicated premiums.

Even examining cyber loss databases from non-insurance industry sources reveals a bit of a data dilemma. It is important to note that definitions of what a loss actually is vary greatly between sources. During our April APEX, Aaron and I reviewed cyber loss data from two separate non-insurance studies that were similar in name, but very different in results.

The differences stood out particularly in how non-insurance sources quantified losses which, of course, is imperative to insurance companies. Over time, however, we would expect that data collection, coverage forms and premium pricing methodology all converge toward standardization as those in the industry increase their expertise and understanding of cyber risk.

Cyber premiums themselves, generally speaking, have often been determined with a competitive mindset. As the line of business emerged, a number of larger insurers seemed to have focused on rapidly growing their book of cyber business. In other words, premiums may have been priced more aggressively than an actuary might expect, based on the relative lack of data. However, they were able to do this safely in a number of ways.  

First, as many of the major players in the cyber space are large commercial insurers writing a number of other lines, they simply have surplus to take risk. Even if they wrote as many cyber policies as they wanted, their cyber exposure would still be relatively small, so they could afford to price premiums aggressively.

It’s important to note that this is probably not the case for a captive insurer writing cyber coverage. It is quite possible that cyber exposure might be the biggest exposure written by a captive, so captive actuaries could be pricing cyber premiums much more conservatively than the commercial market.

Another factor keeping commercial premiums lower, and which often differs from captive cyber coverage, is that many commercial policies being written simply aren’t fully covering the risk. There are often large parts of the exposure explicitly excluded or covered in a reduced capacity with sub-limits or large retentions. While some captive policies may follow an existing narrow commercial policy, they are often written to be broader than the average commercial policy. Most commercial cyber policies are in reality just cyber coverage sections within a package policy, rather than an actual, standalone cyber policy.  

These packaged cyber policies tend to be less comprehensive than standalone policies. This is demonstrated by package policies making up 96% of cyber policy counts but only 43% of cyber premiums. It’s also likely that insureds such as small businesses, or industries with minimal technology-related exposure, tend to buy packaged policies rather than standalone, which contributes to the difference. The high proportion of package policies on a policy count basis might also be influenced by the competitive aspect of insurers including limited cyber endorsements in their package policies. Many insureds know that they should have some coverage for cyber, and including such an endorsement might lead them to feel that they have taken care of that task and that their insurer is more holistically protecting them. However, these endorsements can be narrow, and captive policies can often be more comprehensive to more fully cover the exposure of the captive owner.

In the future, we might expect to see a balance shift toward standalone policies, as insurers continue to offer broader coverage and insureds’ priority of insuring that exposure continues to rise. At the same time, we might expect that premiums will gradually catch up to the risk being written. A more comprehensive span of exposures will be covered, increasing the actuarially indicated premium, and the competitive nature that has dominated cyber underwriting may evolve toward a more analytical approach.

Also, importantly, many studies of cybercrime show increasing trends in frequency and severity of cyberattacks. These studies also project those trends will continue. If this holds true and as insurers build their database of claims, trends in cybercrime itself would contribute further to the increasing premium indications expected from cyber coverage evolution.

For a business or captive owner, cyber insurance is not something to be complacent about. Most businesses have some—and many significant—cyber exposure. Similarly, cyber insurance is not something to be complacent about for actuaries, underwriters or any party involved in the issuing of cyber policies. 

This is especially true for captives. For captives, it will be important to stay educated with the best data and premium pricing methodologies to ensure that cyber premiums are reasonable given the risk being written. It’s hard to say what exactly the cyber insurance market will look like in 10 years, but it is a certainty that it will continue to evolve.
