Cyberinsurers market 101
16 August 2024
The market
The cyber insurance market has grown rapidly in recent years, driven by increasing awareness of cyber risks, the growing frequency of cyberattacks, and regulatory pressures.
2023 size of the market
In 2023, the global cyber insurance market was estimated at around $12 billion. The market has been experiencing double-digit growth due to the increasing frequency of cyberattacks and heightened regulatory pressures.
2024 projections (?)
By 2024, the market is expected to grow to approximately $15 billion, representing a compound annual growth rate (CAGR) of over 20%. This growth is driven by heightened awareness of cyber risks, particularly in sectors like finance, healthcare, and critical infrastructure.
Breakdown of the market shares
North America
In 2023, North America remained the largest market for cyber insurance, accounting for around 45% of the global market share. The dominance is largely due to the region’s strict data protection regulations, including the California Consumer Privacy Act (CCPA) and New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
Europe
Europe accounted for roughly 30% of the market in 2023, driven by the GDPR and increasing cyberattacks on critical infrastructure. The European market is expected to grow significantly as companies strengthen their cybersecurity postures to meet evolving regulatory requirements.
Asia-Pacific
The Asia-Pacific region, though still developing, saw a market share of approximately 15% in 2023, driven by rapid digitalization and increasing cyberattacks in countries like Japan, South Korea, and India. Growth in this region is expected to outpace that of North America and Europe over the next few years, potentially reaching a market share of 20% by 2025.
Primary factors driving the market
- Cybersecurity threats: With the rise of digitalization, companies of all sizes face greater cybersecurity risks. The increasing sophistication of ransomware and phishing schemes, as well as the growing Internet of Things (IoT) ecosystem, has led companies to seek insurance coverage to mitigate financial risks.
- Regulatory pressures: Laws like the European Union’s General Data Protection Regulation (GDPR) and similar privacy regulations worldwide have led companies to seek coverage for potential fines, litigation, and breach-related costs.
- Digital transformation: The pandemic accelerated the shift to digital environments, remote work, and cloud-based services, which increased companies’ vulnerabilities to cyber threats.
Types of coverage
First-Party Coverage
This type of coverage typically includes the cost of responding to a cyberattack, such as business interruption losses, data restoration, legal fees, notification costs, and extortion payments in the event of ransomware.
Third-Party Coverage
This includes liabilities arising from claims against the insured due to a data breach or other cyber incidents affecting third parties, such as clients or partners. These claims can include regulatory fines, legal defense costs, and settlement payouts.
Key players
Several major players dominate the cyber insurance market, offering both standalone cyber insurance policies and add-ons to traditional insurance packages:
American International Group
AIG remains one of the largest providers of cyber insurance globally. In 2023, the company had approximately 15% of the global market share, driven by strong demand from large corporations and its extensive cyber risk management services.
Chubb
With a market share of about 12%, Chubb is another key player in the cyber insurance space. The company has seen growth in the small to mid-sized business sector, particularly in North America and Europe.
AXA
A major European player, AXA holds around 10% of the market, with a strong presence in Europe and Asia. The company has been expanding its cyber insurance offerings to cover new risks like cloud security and supply chain vulnerabilities.
Zurich Insurance Group
ZIG, another global leader, has around 8% of the market share and focuses on industries with high exposure to cyber risks, such as manufacturing and critical infrastructure.
Lloyd’s of London
Known for underwriting large and complex cyber risks, Lloyd’s syndicates hold around 5% of the market, offering bespoke coverage for multinational corporations.
InsurTechs
InsurTech firms like Coalition, Corvus Insurance, and At-Bay are rapidly gaining market share, particularly in the small and mid-sized business segment. Collectively, InsurTechs represented about 7-8% of the market in 2023, and their share is expected to grow in 2024 due to their data-driven risk assessments and faster, more flexible coverage options.
Specific obstacles
Pricing
Cyber insurance pricing is highly variable and has been increasing due to the rising frequency and severity of cyberattacks. The rise of ransomware-as-a-service (RaaS) and supply chain attacks has forced insurers to reevaluate their risk models and coverage options. The increasing complexity of these attacks has driven demand for more specialized cyber insurance policies that cover not just data breaches but also the downstream impact of attacks on suppliers and partners.
Capacity limits
Some insurers have pulled back on the limits they offer due to increasing losses, leading to reduced coverage availability in high-risk sectors, such as healthcare, finance, and education. For example, insurers in 2023 began capping limits for ransomware coverage or introducing co-insurance clauses, where companies must bear part of the cost of a claim. This trend is expected to continue into 2024, with more insurers tightening their underwriting criteria.
Reduce claims frequency
Many insurers are increasingly partnering with cybersecurity firms to improve risk assessments and offer enhanced protection services to their policyholders. In 2023, companies like Coalition and At-Bay led the way by offering active risk monitoring and prevention tools as part of their policies. This trend is expected to expand in 2024, as insurers seek to proactively mitigate risks.
Technological evolution
The dynamic nature of cyber threats means insurers must constantly update their understanding of risk and the associated financial coverages. Emerging threats like deepfakes, supply chain attacks, and quantum computing pose new challenges for the industry.
Compliance
Cyber insurance policies are being influenced by evolving laws and standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the European Union GDPR. The EU and the US have very different approaches to cyber insurance regulation due to their divergent legal frameworks.
European Union
The Europeans' focus on data protection through the GDPR and other centralized regulations creates a highly standardized market where compliance is a significant factor for insurers. Under the GDPR, non-compliance can lead to severe penalties, reaching up to €20 million or 4% of a company’s global revenue, whichever is higher. This makes cyber insurance in the EU crucial, as it helps companies manage the financial risks associated with data breaches and regulatory fines. Insurers evaluate companies based on their GDPR compliance, and policies often cover fines related to data security failures.
The United States
America operates in a more fragmented regulatory environment, with industry-specific and state-level laws forcing the need for tailored insurance products. Penalties vary widely depending on state laws and industry regulations. For example, the CCPA can impose fines of up to $7,500 per violation, while HIPAA fines in the healthcare sector can range from $100 to $50,000 per violation, with a cap of $1.5 million per year. Cyber insurance in the US typically covers data breach costs and fines related to non-compliance with sector-specific laws, such as those governing healthcare and finance.
Final thoughts
The cyber insurance market is set to grow as companies increasingly prioritize managing cyber risks. I believe that the situation is moving rapidly because of the complex and ever-changing threat landscape and worldwide compliance mosaic.
- Stricter regulations: I am expecting stricter regulations in Europe. For example, the Digital Operational Resilience Act (DORA) for financial entities is one of the recent initiatives to continue tightening its regulatory framework. Cyber insurance coverage will need to evolve to keep up with these regulatory developments.
- Greater focus on risk mitigation: insurers will work more closely with companies to help them manage their cybersecurity risk. I am thinking about something like offering services like threat monitoring, employee training, and security audits.
- Partnerships: to follow up on my previous point, insurers should increase their partnering with cybersecurity firms to better understand and mitigate risks. These partnerships help insurers improve their underwriting models and overall pricing strategies.
- A unified Federal data privacy law?: It seems that there is growing momentum in the US for a unified federal data privacy law. In my opinion, it will help to stop the ever-increasing complex demands and make the process of underwriting cyber insurance simpler.