Cyber insurance: golden pot or how to lose money?

Cyber insurance was one of the fastest-growing insurance segments and is often regarded as one of the top trends in insurtech.

Now the winds are changing. What happened?

Demand for cyber insurance grew very fast and insurers started to hand out policies to capture the market. Things went well until last year, with a loss ratio of around 43%, which then spiked to 72% last year. Basically, insurers are now losing money on cyber insurance, and things are getting even worse with rising crime. For instance, ransomware payments surged to $590M in the first six months of 2021, more than the $416M in all of 2020. And now the Log4Shell vulnerability is breaking the internet.

Insurers have rushed to repair the damage. Prices have already increased 32% as of July and are expected to keep going up, even doubling by 2023. Policies have become more stringent and, in many cases, coverage is being denied. Even Lloyd’s of London, which has around a fifth of the global cyber market, has discouraged its members from taking on cyber business next year.

On the other hand, a new breed of cyber insurance startups believes their insurance model is sustainable. They have raised $1.4B this year, a 600% increase from last year, and three of them have reached unicorn status (AtBay, Coalition and BitSight).

Figure: VC funding for cyber insurance startups globally

Subscribe to Dealroom’s Fintech newsletter, for weekly insights on finance-focused startups and investment:

Challenges for cyber insurance

Cybersecurity is a new field for insurance compared with traditional insurance sectors such as catastrophe insurance, where risk data goes back centuries. Cybercrime has also evolved massively, especially with the growth of enterprise ransomware attacks in recent years.

Ransomware attacks encrypt a business’ data so that it cannot access its files, databases or applications. The attackers then demand a ransom from the company to restore access. Ransomware is a growing threat for both businesses and governmental organizations. For instance, the attack on Colonial Pipeline in July caused disruption to trucks and airlines and resulted in a $5M ransom in bitcoin (later partially recovered). The US government even launched a dedicated task force.

From an insurance point of view, ransomware is also challenging because of a negative loop: businesses with cyber insurance are more likely to be able to pay a ransom, so attackers preferentially target them, aiming for the insurance payout. Quick payout, high profit.
To break this loop, insurance companies are reducing coverage to cut their losses, hoping this will also reduce the incentives for ransomware operators. However, this is far from obvious, and on the other hand, businesses without insurance will be in an even harder situation, having to deal with disaster planning to be able to cover the expenses connected with an attack.

Figure: ransomware negative loop for cyber insurance

Basically, cyber insurance has partially become a bubble, where policies were handed out too easily. Now losses are piling up and the music is changing. But are there some winning strategies in cyber insurance?

Strategies to win in cyber insurance

In our report The state of European Insurtech 2021, in partnership with Mundi Ventures, we discussed how cyber insurance brings massive challenges in underwriting and risk management and how insurers and cyber security startups are tackling this.

Figure: cyber insurance partnerships

The massive underwriting challenges require insurers and insurtechs to partner with cybersecurity specialists and offer integrated packages to customers. And with more than $30B raised by cyber security startups this year, there is definitely room for this.

Many initiatives have focused mostly on the corporate side rather than on SMEs, as in the case of the partnership among Google, Allianz and Munich Re.

But some things are moving in the right direction. For instance, Generali has just joined forces with Accenture and Vodafone Business to create a package of cyber insurance services for corporate and small and medium-sized enterprise (SME) clients, which should launch in Europe next year.

However, action is also needed at the level of the entire industry because of the systemic nature of cyber insurance risk. Systemic risk refers to the possibility that an event at the company level could trigger severe instability in, or the collapse of, an entire industry (or economy). The fear in cyber security is that a vulnerability in one company could propagate to its entire supply chain or third-party ecosystem. This is an intrinsic risk of complex digital ecosystems.

An interesting initiative in this sense is CyberAcuView. Leading cyber insurers AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance and Travelers formed the company in June to pool their data and expertise and take joint action to improve risk mitigation across the entire industry. Actions undertaken include: industry data collection and analysis; definition of data information standards; engagement with regulators, governments, law enforcement and security agencies; development of systemic risk solutions; and much more.

How are startups playing in the field?

As we mentioned before, a new breed of cyber insurance startups believes their insurance model is sustainable. They have raised $1.4B this year, a 600% increase from last year, and three of them have reached unicorn status (AtBay, Coalition and BitSight). Investors have been showing confidence in their high-tech, data-driven underwriting capabilities in the SME sector.

Let’s have a closer look at some of the main players.

US-based Coalition, the world’s largest commercial insurtech provider, seems to be thriving. It has just announced it is launching a captive to accelerate its growth in cyber insurance. Some impressive numbers: $400M premium, 800% growth YoY, 70% fewer cyber claims than other carriers in the market, and long-term capacity agreements from multiple A+ rated carriers. Cyber insurtech MGA Cowbell Cyber is also showing strong growth and planning to become a full-stack insurer.

The main player in Europe is UK-based Envelop Risk, which combines AI, security analytics, intelligence gathering, economic, financial and behavioural analysis, and modelling and simulation to underwrite cyber insurance and offer customized reinsurance. The startup has recently raised $130M led by Softbank to accelerate its growth.

How can we expect the startup scene to evolve?

Consolidation is likely to happen in the near future, with startups in the field being acquired by leading cyber insurtechs accelerating their growth and by incumbents looking for a way to enter the field or enhance their technological capabilities. But there will probably be room for a handful of players to go public, given how fast the space is growing.
