Ariel Re’s Daniel Carr provides an overview of dynamics in the cyber market.
After the marked increase in claims arising from ransomware in 2018-21, the cyber market saw significant year-on-year rate increases.
Early signs in late 2022 and early 2023 suggested a tempering of rates following a reduced period of ransomware activity because of improved security controls at insureds, geopolitical disruptions from the Ukraine war and more stringent underwriting standards.
However, ransomware activity levels have seen a resurgence in early 2023, meaning the market could benefit from taking stock before pushing ahead with any further rate reductions.
The nature of cyber events is also changing: moving away from targeted events at individual companies and towards incidents that impact multiple companies through the compromise of widely used technologies or suppliers as part of a broader attack.
For example, the recent attack against MOVEit – a commonly used file-transfer application – has driven a significant amount of recent ransomware activity. This event follows a string of similar and adjacent events over the past few years, including attacks against SolarWinds and Microsoft Exchange.
Given the increased use and centralisation of common technologies, the frequency of cyber attacks and levels of risk against common platforms is certain to rise, notably given the continued growth of cloud-based services.
The risks posed by attacking supply chains and common technologies is a significant concern throughout the insurance industry and society, and it represents a material threat to the stability of both cyber portfolios as well as the broader technological ecosystem economies increasingly rely upon.
As a result of the above, aggregation, accumulation and systemic concerns have been at the centre of many cyber market and product initiatives over the past 18 months. These have attempted to proactively address how cyber (re)insurers can best tackle these growing concerns amid a dynamic market and risk environment, and also how the market can manage and overcome the risks posed by advanced, resourced and capable threat actors (including nation states) with the potential to cause systemic and widespread economic loss.
The changing nature of losses has also resulted in changes to reinsurance purchasing – with many insurers now seeking specific cyber reinsurance products focused on aiding their ability to withstand systemic shock events within their portfolio. This trend accelerated at the beginning of 2023 and continues to increase, with such products increasingly likely to form a more material component of 2024 reinsurance programs for many carriers.
In addition, the growth and use of AI in wider society is bringing new exposures to the cyber market. Increasingly, organisations are rapidly adopting new AI technologies – including services such as ChatGPT – within their business. However, in the race to adopt AI applications, it is likely that all the data flows to and from such services are not fully understood, potentially leading to a wide range of new and evolving cyber threats.
That said, AI also presents new and emerging opportunities to detect, monitor and prevent malicious cyber activity. As with all technological innovations, it brings both threat and opportunity but often at different paces of development.
The wider risks and threats posed by using AI technologies (including AI for voice, video and imagery) across various applications – malicious or not – all have the potential to materially reshape the cyber liability and product risk landscape over the coming years, as well as bringing new threats to existing and widely used cybersecurity techniques, such as voice verification in banking.
There is growing pressure on technology companies to have a moratorium on bringing new AI services to the market until they have been rigorously tested to try to mitigate against potentially dangerous consequences such as the AI hallucinating – that is, simply making up information.
The cyber insurance market remains extremely fluid, and a major challenge for the industry is how to best respond to these dynamics with risk mitigation products that are fit for purpose, as well as the appropriate capital and market structures to ensure their sustainable and enduring availability.
Daniel Carr is head of cyber at Ariel Re