© VideoFlow/stock.adobe.com
Erscheinung:08.02.2022 A closer look at cyber policies
The threat of cyber crime is increasing and cyber insurance business seems to be booming. BaFin has carried out a survey of this insurance segment, and found that data preparation is still a weak point. The survey also showed that gross premium income has risen sharply in the past five years, although the segment’s share of overall business is currently still modest.
The greater the threat of cyber crime, the higher the demand for insurance cover for losses from perils such as hacker attacks. That much we know. However, BaFin wanted to find out exactly how cyber insurance business is developing and therefore carried out a survey among providers of such policies . The evaluation of this survey has now been completed. The following is an overview of the main findings:
At a glance:55 insurers surveyed
BaFin included 55 insurers and reinsurers domiciled in Germany and five German branches of EU insurers in its survey. The supervisory authority asked the insurance undertakings to provide key figures from the profit and loss account for their cyber insurance business in the period from 2016 to 2020. The providers were asked to distinguish between business with private customers, small and medium-sized enterprises (SMEs) and large corporates and between stand-alone and endorsement policies.
Stand-alone policies are pure cyber policies. Endorsement policies are traditional policies where the coverage also extends to cyber risks. The survey covered data on premiums and claims expenditures. The insurers had to distinguish between customer groups – private customers, small and medium-sized enterprises, large corporates – and the three components first-party damage, liability (third-party damage) and service (e.g. crisis communication). From BaFin’s point of view, the recording of claims expenditures broken down into the individual components is necessary in order for insurers to gradually be able to price them on the basis of their own claims data.
In addition to the quantitative questions, the supervisory authority also asked qualitative questions about the products, pricing and risk management. Although the survey focused on policies written in Germany, BaFin also asked for data and information on insurance business written throughout the EU and worldwide.
Data gaps
The survey showed that not all insurers were in a position to provide the requested data in the required granularity. The largest gaps were in the claims expenditure for the individual components of first-party, liability and service (see info box). Only a few insurers were able to provide these data in full. Others could provide data for the first-party component, but not for the other two. But even if the data were not complete and insurers only provided estimates, BaFin has nevertheless gained valuable insights into the cyber insurance segment, which has not been subject to separate reporting so far. It must also be acknowledged that there has already been an improvement in data quality in comparison with previous years. The main findings are briefly summarised in the info box “Findings 1”.
Findings 1:Data quality
- Overall, there is significant heterogeneity in the data provided. In some cases, the insurers had not retained sufficient data to be able to show the figures in the profit and loss account in the required granularity. This is especially true for the years 2016 and 2017.
- The data required to break down the expenditures, the information on coverage amounts and the cause of loss statistics into the three components first-party, third-party (liability) and service were also sometimes insufficient because the insurers’ data systems were not able to represent this.
- The insurers thus provided only rough estimates in some cases.
- There is a noticeable improvement in the quality of the data for the years 2018 to 2020.
Growth in the cyber insurance segment
Especially in the past two years, the cyber insurance segment has grown rapidly. Table 1 shows the trends in policies written in Germany for direct insurance business, i.e. insurance business concluded by primary insurers with their policyholders.
| Stand-alone and endorsement policies (private customers, SMEs, large corporates) in million euros (DIB)* | 2020 | 2019 | 2018 | 2017 | 2016 |
|---|---|---|---|---|---|
| *Stand-alone policies are pure cyber policies; endorsement policies are traditional policies where the coverage also extends to cyber risks. “SMEs” stands for small and medium-sized enterprises and “DIB” for direct insurance business. Source: BaFin survey | |||||
| Gross premiums written | 240.0 | 175.1 | 123.8 | 59.9 | 48.8 |
| Premiums earned, net of reinsurance | 98.2 | 90.1 | 63.3 | 38.3 | 30.7 |
| Retention | 40.9% | 51.5% | 51.1% | 63.9% | 62.9% |
| Gross loss ratio | 42.1% | 47.0% | 25.1% | 11.0% | 9.3% |
| Net loss ratio | 43.3% | 36.1% | 20.1% | 15.4% | 13.6% |
The above figures show that the gross premium income written has increased significantly, to around 240 million euros in 2020. In view of the increasing threat from cyber crime, this dynamic development was to be expected. However, this segment still appears small when compared with other insurance classes. Somewhat surprising are the relatively modest gross loss ratios (with the latest figure being 42.1%). However, there is a very broad spread in the data of the individual insurers. In 2020, for example, the insurers reported loss ratios between 0% and around 275%. Large corporate insurance business also routinely performed worse than business with small and medium-sized enterprises and private customers. For example, the gross loss ratio for large corporate business in Germany in 2020 was 53.0% – higher than the 42.1% across all customer groups.
The data show that the segment is still developing and the claims experiences are not yet stable. As a result, the retention is also rather low at 40.9%, which means that reinsurers are correspondingly more involved in cyber claims.
The survey on business written throughout the EU and worldwide provides a similar picture, as is shown in Table 2.
| Stand-alone and endorsement policies (private customers, SMEs, large corporates) in million euros (DIB)* | 2020 | 2019 | 2018 | 2017 | 2016 |
|---|---|---|---|---|---|
| *”DIB” stands for direct insurance business. Source: BaFin survey | |||||
| Gross premiums written | 362.6 | 244.4 | 148.9 | 61.0 | 49.0 |
| Premiums earned, net of reinsurance | 152.9 | 119.1 | 67.0 | 39.1 | 30.9 |
| Retention | 42.2% | 48.7% | 45.0% | 64.1% | 63.1% |
| Gross loss ratio | 67.5% | 68.3% | 31.1% | 11.9% | 9.3% |
| Net loss ratio | 29.4% | 81.3% | 28.8%% | 16.7% | 13.6% |
This table also shows a clear trend in premiums: between 2018 to 2020 the gross premiums written increased to 362.6 million euros. At 67.5%, the gross loss ratio in 2020 is less favourable than the ratio in Germany. There are also strong fluctuations in the net result; however, it should be considered that these are average values. There is wide variation in the values for the individual insurance undertakings. The retention does not differ significantly from that of German insurance business taken alone.
Key findings on the trends and the general market situation in Germany are listed in the info box “Findings 2”.
Findings 2:Trends and market situation in Germany
- The strong growth in gross premium income in the years 2016 to 2020 is primarily due to stand-alone business and in particular to policies with large corporates and small and medium-sized enterprises.
- Large corporate business plays a dominant role, accounting for almost two-thirds of the premium income (2020: 61.1% of the gross premium income written in Germany).
- Private customer business is of very minor importance (amounting to 6.3 million euros in Germany in 2020, i.e. 2.6% of the gross premium income written).
- There is a relatively high market concentration: the ten largest providers in the primary insurance market account for around 86% of the premium income.
- Smaller providers are often involved by way of co-insurance.
Table 3 shows the development of inward cyber reinsurance business, i.e. reinsurance accepted, in Germany, Europe and worldwide.
| Stand-alone and endorsement policies (private customers, SMEs, large corporates) in million euros (ICRB*)* | 2020 | 2019 | 2018 |
|---|---|---|---|
| *“ICRB” stands for inward cyber reinsurance business. Source: BaFin survey | |||
| Gross premiums written | 343.5 | 242.9 | 16.5 |
| Premiums earned, net of reinsurance | 293.0 | 197.9 | 2.3 |
| Retention | 85.3% | 81.5% | 14.1% |
| Gross loss ratio | 87.4% | 68.4% | 17.2% |
| Net loss ratio | 66.4% | 64.8% | -24.5% |
Here, too, the figures show a strong growth in premiums and an increasing claims ratio, both gross and net, over the last three years.
Products are difficult to compare
In addition to collecting pure quantitative data, BaFin also asked qualitative questions in its survey, i.e. questions about the undertakings’ products, pricing and risk management. For example, it asked the insurers to what extent they used the non-binding model terms and conditions of the German Insurance Association (GDV) for cyber insurance policies when designing their products. These are intended to help insurers develop their own offers and also serve as a benchmark for large corporates and, above all, small and medium-sized enterprises and brokers to evaluate insurance offers. The results are shown in Table 4.
| Wording based on the GDV’s non-binding model terms and conditions? | Private costumers | SMEs | Large corporates |
|---|---|---|---|
| Source: BaFin survey | |||
| Yes | 5 | 18 | 7 |
| No | 23 | 15 | 18 |
| Total | 28 | 33 | 25 |
This shows that the policies differ greatly. There is a degree of variation in the wordings used, which makes it somewhat difficult for customers to compare them. A similar picture emerges with regard to the use of the questionnaires developed by the GDV for risk evaluation. Practically all insurers use such questionnaires for small and medium-sized enterprises and for large corporates. However, insurers often deviate from the specifications of the GDV questionnaire. In most cases, they use a shortened version.
The problem of lacking claims experience data becomes particularly significant where pricing is concerned. Cyber insurance is still a young business. Many insurance undertakings state that they use a more or less extensive mix of data to determine their rates: data from external providers (consulting companies, reinsurers, cyber data pools within the group) and from their own exposure measurements, including information such as company size, industry, location and IT level (classification from the risk questionnaire). Expert estimates also play an important role. Pricing is reportedly often based on assumptions.
In view of the lack of claims data and the high volatilities described above, it is not surprising that insurers rely on assumptions. Nevertheless, some providers are now able to make greater use of the claims experience of their own portfolios when setting their rates. The undertakings must continue to follow this path. However, appropriate and valid pricing remains a major challenge for the time being. It is not just that the claims experience data are lacking; there is also the fact that the loss scenarios are constantly evolving. It will therefore continue to be necessary for the undertakings to exercise caution in pricing, to underwrite only small portions if necessary and to ensure adequate reinsurance cover.
Outlook
The question of whether and how to implement regular reporting on the development of cyber insurance is currently being addressed by EIOPA, the European Insurance and Occupational Pensions Authority. BaFin is involved in the discussions and work. Since the cyber segment is still quite small, proportionality should be maintained. In the medium term, however, it would seem reasonable to establish cyber insurance in the reporting regulation as an independent insurance class. Currently, however, no changes are planned as yet.
Author
Ramon Platt
Division VA 37 Basic Issues relating to Property/Casualty Insurance Supervision
