Article
Could Increasing Ransomware Frequency Bring Back a Repeat of the 2021 Hard Market?
Pricing pressure is mismatched with spurt in ransomware activity in 2023
Insurance pricing is cyclical. When loss ratios are sustainably higher, over time prices rise in response, creating a hard market. The last hard market in cyber was in 2021 when an onslaught of ransomware and high-profile cyber attacks drove a spike in demand for cyber insurance and a decreased supply of capital, which led to increased premiums.
Once prices are higher and loss performance begins to improve, the market looks appealing — driving new entrants and adding pressure on existing players trying to stay competitive. This drives prices back down and creates a soft market. Eventually, the loss ratio climbs back up, and the cycle inevitably begins anew.
In traditional lines of insurance, a full cycle can take 5-10 years. However, cyber insurance doesn’t follow the same playbook. The risk is much more dynamic and volatile and the cycle moves faster. The market has lacked some of the data needed to demonstrate the cadence of loss and pricing trends in cyber insurance. Until now.
At-Bay’s proprietary claims and pricing data illuminate the time frame of the cyber insurance pricing cycle. Based on our data and point of view, we believe there’s a mismatch between pricing and loss activity, similar to 2020.
Based on our data (and exemplified in the chart below), the cyber insurance market cycle can take 1-2 years. There is a consistent cycle between ransomware frequency and policy pricing. Two to three quarters after ransomware frequency peaks, we see a responding increase in pricing.
The below chart shows trends from Q1 2020 through Q1 2023 for the following data:
- Turquoise line: Ransomware frequency by month of all claims reported by At-Bay customers
- Dark blue line: Average new-bind At-Bay policy premiums by month
Our data shows ransomware frequency precedes pricing by 2-3 quarters, causing cyclicality:
Because ransomware drives the vast majority of loss in the cyber insurance industry, ransomware frequency is a reliable indicator of overall loss behavior. At-Bay’s pricing is informed by current market conditions and is therefore representative of industry pricing levels.1
We believe the ransomware frequency for At-Bay customers reflects the overall attacker activity levels for small and mid-size businesses (SMBs) in the U.S. While the exact frequency would change between any specific carrier, the overall changes would be consistent across the market.
There’s a Clear Trend in Cyber Insurance Pricing Cycles
Based on our data and exemplified in the chart above, there is a consistent cycle between ransomware frequency and policy pricing. Two to three quarters after a peak in ransomware frequency, we see a responding increase in pricing.
The first pricing peak on the chart (2021) is significantly higher than the second pricing peak (2022). This is because cyber insurance prices before 2021 were much lower, so a substantial price increase was needed to combat the high loss ratio in 2020.
Currently, we’re observing a squeeze on the loss ratio: Ransomware frequency has been climbing while prices are declining.
At-Bay data clearly demonstrates a two- to three-quarter pricing cycle for cyber insurance. Considering how dynamic risk is in cyber insurance, insurers need to be on top of it on a weekly/monthly basis rather than quarterly/annually.
With Ransomware Frequency Increasing, a Hard Market May be Around the Corner
There’s an undeniable correlation between ransomware frequency and pricing that takes a couple of quarters to materialize. We see clear pressure from heightened ransomware activity, but that is not translating into increased rates creating higher loss ratio pressure. The market should be aware of this and adjust its pricing accordingly or source additional capital as necessary, otherwise the industry might see itself in another hardening cycle with prices rising to recoup (significant) past losses.
The current low pricing is unsustainable based on prior trends and the growing loss ratio.
If ransomware claims continue to trend in the same direction, we anticipate a price adjustment similar to what we saw in 2021. Right now, the pricing level is more reasonable than it was before the 2021 spike, so we will likely see a smaller correction than we saw back then — but nonetheless, there may be a correction in pricing over the coming months.
This much is clear: the frequency and pricing trends are getting to unsustainable levels and the market needs to be on top of it, not playing catch-up months from now.
About The Author
Roman Itskovich is the Co-Founder and Chief Risk Officer of At-Bay, the InsurSec provider for the digital age. At-Bay combines world-class technology with industry-leading insurance to help clients meet risk head-on. Partnering with brokers and business owners alike, At-Bay provides modern insurance products and active risk monitoring services for companies of every size and in every industry.
Before founding At-Bay in 2016, Itskovich built an online lending business as the VP of Financial Products at Ebury, a Greylock-backed firm helping businesses accelerate international growth. He has more than a decade of experience in finance and financial modeling, having served on the investment team at Bain Capital and as a consultant at McKinsey & Company. Itskovich holds a BA in Economics and Accounting from Tel Aviv University and an MBA from Harvard Business School.
Footnotes
1. Pricing trends shown were driven by market purchasing behavior, mix, and security controls.