Report

US Cyber Purchasing Trends

With cyber resilience in mind, more organizations purchase cyber insurance.

As the cyber insurance market stabilizes, the number of clients buying coverage continues to increase. Read on to find out why — and what comes next.

Despite the challenges in the cyber insurance market over the past two years — which included steep pricing increases, tighter terms and conditions, and intensified scrutiny from underwriters — the percentage of clients buying coverage continued to climb in 2022. Looking back on 2022 and ahead into 2023, we see a number of trends, including:

  • Cyber insurance pricing increases moderated for the fifth consecutive quarter, rising 11% on average in the US in the first quarter of 2023, compared to 28% in the prior quarter.
  • The largest companies, those with greater than $1 billion in annual revenues, continue to be far more likely to purchase cyber insurance.
  • Innovative, data-backed analysis allows clients to better understand and prioritize the impact of cyber risk controls.
  • Over the past two years, many cyber insurers have focused on potentially catastrophic cyber risk, including fallout from geopolitical conflicts and corresponding nation state activity, changing policy exclusions, and the possible impact from single points of failure.

Effective March 31, 2023, Lloyd’s of London mandated new war exclusion wording inclusive of language to manage systemic loss. Marsh continues to question insurers on clients’ behalf regarding the approach to war and cyber catastrophic risk.

Concurrently, cyber risk management is being driven by advances in predictive aggregation models, improved cyber hygiene, ways to prioritize investments, greater information sharing between private and public entities, and increased government actions in support of a cyber resilient society.

As these forces shape the future state of cyber resilience, it’s important to understand the role of cyber insurance, including purchasing trends.

 

36% (2022) vs. 27% (2018)

Percentage of clients buying cyber coverage keeps climbing through a challenging market.

17.1% (Dec. 2022) vs. 133% (Dec. 2021)

Average rate increases continue to decline from a December 2021 high.

A shift in cyber insurance retentions and limits purchasing

The increase in the number of organizations purchasing coverage is a positive trend, reinforcing the view that insurance is an important part of any cyber risk management strategy.

  • 63% of executives surveyed, a majority, see insurance as a key piece of cyber risk management strategy. (Source: The State of Cyber Resilience)

Another significant shift in purchasing in 2022 was in how clients made coverage decisions and managed their cyber insurance programs.

Early in the year, clients generally continued to increase their self-insured retentions (SIRs), bringing more financial risk in-house, as they had been doing for several quarters due to prevailing market conditions. However, as the market improved and pricing stabilized throughout 2022, many clients began to decrease their SIRs as coverage became more available and affordable, a trend that has continued into 2023 (see Figure 1).
 

And as SIRs declined, the percentage of clients purchasing higher limits increased, from 10% in the second quarter of 2022 to 16% in the fourth quarter (see Figure 2). Rising competition among cyber insurers — driven in part by improvements in potential clients’ cyber controls — positively affected pricing for clients seeking to increase limits.

Many clients sought to regain a sense of control of their cyber programs as 2022 progressed. In the last two years, for example, we saw a 75% increase in the number of Marsh-managed captive insurers writing cyber coverage.

Another way to view pricing conditions for cyber coverage, or any other insurance product, is through rate on line (ROL) data (see Figure 3). ROL is a measure of what reinsurers charge insurers for coverage, and is calculated by dividing the total premium by the total limits purchased.

ROL provides a more consistent measure of pricing compared to data that is based on monthly, point-in-time percentage changes in overall premium. This is largely because the starting point for percentage-based rate changes varies: premium is a variable, and some organizations may have a higher or lower base to start from. The starting point for ROL, by contrast, is concrete: it's the limits purchased. ROL is a more accurate measure of the cost of risk transfer as it is based on how much organizations pay as a percentage of limits purchased.
 

Who is buying cyber coverage?

Large companies continue to be more likely than smaller ones to purchase cyber insurance. Larger organizations typically have more robust cyber risk management infrastructure, and many view cyber insurance as part of their overall cyber resilience strategy. Further, there’s a perception that larger companies are potentially more lucrative targets for bad actors and thus face a higher level of threat from factors such as employee and supplier errors.

However, it’s important to understand that organizations of all sizes are targets. Those with weaker cybersecurity controls present a lower barrier to entry for cyber criminals.

  • 47% of clients with annual revenues greater than $1 billion purchase cyber insurance vs. 34% of clients with annual revenues below $1 billion.

By industry, education clients continued to have the highest take-up rate in 2022, followed closely by healthcare (see Figure 4). Most industries experienced slight upticks in take-up rates in 2022. Over three years (2020 to 2022), financial institutions and life sciences clients saw the largest change in take-up rates, both increasing by 20% (see Figure 5).

Tech industry highlights growing complexity of cyber risk

In Marsh’s annual technology industry survey, risk professionals noted that cyber risks are dynamic, complex, and accelerating. For example, four of the five risks of most concern to tech companies involve areas with clear relationships to digitization and cyber risk (see Figure 6).

As cyber-related risks accelerate, tech and other organizations should continue to evaluate their approach to cyber resilience and the role insurance can play to support organizational goals.
 

After slowing in 2022 compared to 2021, ransomware claims increased in the first quarter of 2023 to a level not seen in more than a year.

A variety of external factors had contributed to a decrease in last year’s attack frequency, including international sanctions in response to Russia’s invasion of Ukraine, which hindered ransom money movement. In February and March of this year, however, new ransomware groups emerged at the same time that established threat actors executed mass ransomware attacks. Ransomware-as-a-service has also become more prolific, making it easier for bad actors to execute an attack.

At the same time, privacy claims nearly doubled in the first quarter compared to the prior quarter.
 

Number of privacy-related claims increased by 85% in first quarter 2023 compared to the fourth quarter of 2022.

Number of ransomware-related claims rose 77% in the first quarter of 2023 compared to the fourth quarter of 2022.

Conclusion

Cyber insurance has a positive influence on a company’s efforts to build both cyber and overall organizational resilience. It has provided a backstop to companies that experienced financial losses to ransomware and other events, while also influencing many others to adopt key cybersecurity controls.

An effective approach to building cyber resilience starts with comprehensive cyber risk management. Cyber insurance plays a key role — not only does it transfer some of the risk off of organizations’ balance sheets, but the process itself encourages clients to understand this evolving risk. From being fully informed about how various retention levels will affect your organization’s financial volatility to prioritizing cyber risk controls, Marsh cyber specialists can help develop the cyber risk management program that is right for you.
