Aon report: Reflecting on the market for cyber in 2018

In 2018, U.S. cyber premiums grew approximately 10% year-over-year to $2.03 billion.

In total, 184 insurers reported writing some cyber premiums in 2018. This was an increase of 14 insurers over 2017, including 21 new insurers writing premiums that were partially offset by mergers and acquisitions. (Credit: Shutterstock)

Cyber insurance is virtually a must-have for nearly all businesses in today’s marketplace. Events like the WannaCry and Petya attacks, along with various breaches in a number of industries, have highlighted the destructive potential of a cyberattack. Even a small scale phishing attack can cripple businesses through reputational damage and business interruption.

Perhaps this is why cyber insurance has been embraced as strongly as it has. But according to a report from Aon, U.S. insurers in 2018 did not grow at the pace which they did in 2016 and 2017 when they say annual growth rates in excess of 30%.

Despite this, the market for cyber insurance has a number of positive signs. The fourth edition of Aon’s U.S. Cyber Market Update provides a big picture analysis of the market in 2018. Here are a few of the key takeaways.

Related: How to sell the value of cyber liability insurance

Small commercial shines

One relative bright spot in 2018 growth was in small commercial cyber space. Small and medium enterprise (SME) businesses have been slower to purchase cyber coverage than large corporates, but the segment is now growing.

“There is a myth that small businesses do not need to worry about cyberattacks, and it’s just that — a myth,” says Jonathan Laux, head of cyber analytics for Aon’s Reinsurance Solutions. “But our research has shown that cyber risk increases with company size — meaning that SME companies have lower frequency and severity of claims relative to larger companies. Even at the lower premiums collected on such policies, insurers of SME companies have been able to operate very profitably.”

Based on estimates of the SME cyber market, Aon concluded that small commercial cyber premiums grew by nearly 19% in 2018 and 42% in 2017. The industry overall grew 10% and 27%, respectively. Loss ratios in the SME cohort also performed better than the industry overall, averaging 24.2% in 2018.

Related: How to protect small businesses from cybercrime

(Photo: Aon’s U.S. Cyber Market Update)

Greater market concentration

In 2018, U.S. cyber premiums grew approximately 10% year-over-year to $2.03 billion. Premiums from package business grew modestly, rising 6% year-over-year. Standalone cyber premiums grew 14%. Aon notes that the relative growth rates of package and standalone may be somewhat misleading, however, as several large insurers shifted their reported premiums between the categories in 2018.

In total, 184 insurers reported writing some cyber premiums in 2018. This was an increase of 14 insurers over 2017, including 21 new insurers writing premiums that were partially offset by mergers and acquisitions.

Overall, the market got more concentrated in 2018, not less. The top five cyber insurers accounted for 53% of direct written premiums, up from 51% last year, and the top 10 accounted for 70% versus 69% last year. This was a notable change from 2017, where smaller participants grew more rapidly than the market overall.

Related: Insurer that spent $17 billion on acquisitions says more to come

Greater frequency, reduced severity

The direct incurred industry ratio loss was 35.4% across all policies, with standalone and package business reporting 34.4% and 36.8%, respectively. Loss ratios across both the package and total segments deteriorated from 2017 but remained lower than 2015-2016 levels. Notably, the industry standalone loss ratio actually improved by 1.0 basis points.

Aon found that the 2018 loss ratio increase was primarily due to an increase in claim frequency. The average 2018 claim frequency across all companies was 4.2 claims per 1,000 policies, up from 3.5 in 2017.

This jump in frequency more than offset a reduction in the claim severity. This shift toward higher frequency and lower severity reflects many of the claims stories of 2018, including increased activity in ransomware, cryptojacking and formjacking claims.

In 2018, claims against first-party coverage outnumbered third-party claims, accounting for 68% of all claims. For standalone policies, first-party claims made up 61% of the total, while for package policies, first-party was 74% of the total. Claims rates were higher for standalone business. Cyber claims occur at a rate of 46.9 per 1,000 standalone policies, versus a rate of 2.4 per 1,000 package policies.

Laux says that large-scale breach attacks have given way to widespread ransomware activity, but says “ransom demands have been rising as threat actors gain confidence and shift their tactics to take greater control of victims’ networks,” adding that “the risk of protracted business interruption claims is rising as well.”

“So I don’t think that severity has gone away — it’s just changing shape,” says Laux.

Aon’s U.S. Cyber Market Update can be found in full here.

Related: The future of cyber claims

Recommended Stories