Evidence suggests that the average cost of cyber insurance is coming down, a major provider has said, with year-on-year changes in premium pricing persistently declining since the start of 2023. According to a new report from insurance intermediary Howden, this correction, in a market that has historically seen premiums remain high amid a global ransomware epidemic, is attributable to more robust cybersecurity across the private sector.

“Favourable dynamics have persisted into 2024,” said Sarah Neild, Howden’s UK head of cyber retail, despite persistently high numbers of ransomware incidents, global geopolitical instability and growing fears about how cybercriminals might harness generative AI. “At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls. The foundations for a mature cyber market, with innovation and exposure-led growth at its core, are now in place.”

Cyber insurance market showing signs of maturity

Cyber has proven to be a difficult market for insurance firms in recent years, as providers struggle to help businesses hedge against the threat of being hacked without shouldering significant costs themselves. That challenge has usually been solved in one of two ways: either by raising the price of the premiums or by imposing strict cybersecurity regimes on clients to reduce the risk of a breach occurring in the first place. 

Increasingly, it seems the private sector has taken it upon itself to do the latter without encouragement from insurance providers. While the frequency of ransomware incidents has increased by 18% compared to 2023, said Howden, fewer firms are paying ransoms to cybercriminals, “due in large part to more effective risk controls.” CISOs are also increasingly using generative AI to hunt new threats to their companies, with 22% reporting to Howden that they have started doing so this year. 

Premium prices are also being pulled down thanks to a general expansion of the market outward from large corporates to SMEs. That trend has also been replicated geographically, with Howden predicting that half of the growth in premiums by the end of this decade will come from territories outside the US. “In the major European economies of Germany, France, Italy and Spain alone,” said the firm, “the premium uplift potential in just replicating penetration levels achieved in more mature markets is in the region of €700m.” 

Systemic cyber risks still loom large

Even so, concerns about systemic cyber risk persist in several markets. A growing chorus of financial institutions, for example, have raised the alarm about how breaches at popular third-party software providers could lead to catastrophic consequences for the banking sector. However, according to Howden, recent data shows that the indirect costs involved in cleaning up after such breaches are still much smaller than those shouldered by firms directly impacted by such attacks. 

This is not to say that the risk of such incidents, particularly so-called “cornerstone attacks” on popular operating systems like Linux and Windows, should be dismissed by cyber insurance providers or their clients, said Howden. “As well as state actors, some criminal groups are known to be investing large amounts of cash into developing a wide-ranging compromise of this nature,” said the provider. “Although the likelihood of such an event remains low, requiring a cascade of unfortunate events to occur, the impact could be catastrophic.”