However, as the market delivers on the future projections and becomes even more significant in the insurance world, the consistent and predictable profitability of a mature line will be expected of the cyber line of business.

Ransomware represented a first party frequency trend that should be one of the quickest to identify and react to. A trend which – in hindsight - many insurers have managed well through a combination of: 

• Risk Selection: despite a stark new issue many insurers were able to determine the security controls (such as MFA) required to reduce the likelihood of a company being impacted.
• Rate Changes: in a changed risk environment policies required adjusted premiums in order to carry this increased risk.
• Data Collection: the ability to recognise the trend and identify the underwriting actions needed to mitigate it demonstrated the power of initiatives collecting rich datasets
• Incentivisation: insureds were incentivized to increase security controls both from insurers and also from the potential threat to their business.

The consequence of these actions can be seen in the positive outlooks for underwriting years 2022 and 2023, as documented in the NAIC report. However, caution is needed, as it is unclear how much of the improvement stems from ongoing actions by insurers and how much is a consequence of threat environment and overall attacks reducing in the same period.

While the industry seems to have successfully grappled with the recent ransomware wave, several threats potentially pose a concern for the sustainability of the cyber insurance line. These include: 

• Background threat environment: improvements in loss ratios also came at a time when overall incidents were down, possibly due to geo-political factors. However, with repeated reporting of ransomware incidents on the rise again, we must be prepared for the environment to become riskier.
• Time Lag: insurers saw a delay between news of increased ransomware incidents and the first signs appearing in claims departments. While improved risk selection may have partially decoupled insured loss frequency from general ransomware trends, we should not be complacent in case the currently reported increase in incidents translates into increasing claims down the line.
• Late Loss Development: unlike property, it is not always clear in cyber insurance that a large loss has occurred or what the cost will be. Several 1st and 3rd party losses have been observed to increase four or more years after the incident. Therefore, the profit in older underwriting years may not be taken as a given, any historic deterioration will be factored in a reassessment of the future and may reduce expected margins.
• Wrongful Collection: privacy-related claims, such as infringements of Biometric Information Privacy Act (BIPA) regulation, have yet to be fully realised in insurers’ books and are a moving target as the regulation evolves.
• Risk of Change: the rise in ransomware incidents and evolving regulation demands illustrates the risk of change and unknowns the industry faces. 

For these reasons, Munich Re focuses on ensuring there is sufficient buffer and processes to guard against the next possible shocks.

Another driver that should not be lost sight of is catastrophe risk. Despite the tail and development issues discussed above, cyber does not behave like a pure casualty line. Over the long term, its dynamics, capital demands and driving concerns are likely to turn on the scale of the catastrophes seen, more akin to property insurance. 

When considering the normalised cost of accumulation losses, we must rely on models due to the lack of historic data. However, over the past 24 months, the industry has seen an increasing number of events which so far have fallen short of "the big one", such as, Crowdstrike, MoveIT, Kaseya, or Change Healthcare. 

If these events are to be treated as part of the normalised accumulation loss, it should be possible to calculate how much of the normalised accumulation loss load remains to fund the more extreme tail events. 

If instead it is decided that these events are frequent enough to be part of the attritional losses that are expected most years, Munich Re must ensure it remains sustainably profitable despite these events and not succumb to the temptation to consider profitability on an “as-if” they didn’t happen basis.

Cyber is neither property nor casualty but carries the challenges of both – accumulation as well as the long-tail risks. The fact that the cyber threat landscape is the most dynamic of all insurance lines makes these challenges even more complex. However, as the line grows, the tolerance for failures and missteps decreases. The good but still young years, 2022 and 2023, should not let us forget or lose respect for the profitability challenges. Minimising uncertainty and refining cat load requirements therefore remain priorities for Munich Re, to ensure the viability and sustainability of its cyber business in the long term.