The cyber market’s maturity moment

When asked about the state of the cyber market, it would be easy to talk about underwriting trends, loss developments, or other hot topics in today’s market like war exclusions, rate adequacy, and even ransomware trends. However, sometimes it’s the simplest questions that are toughest to answer.

At a recent event in Chicago, a delegate asked me during a panel discussion: “In what ways is the cyber market developing?” I responded in a way that I don’t typically like to do – with a question: “How many of you have ever raised teenagers?”

My response prompted discussion, and agreement, around the view that our cyber market has hit its teenage years – that period when you’re not quite a child, but not yet a full-grown mature adult. It’s a turbulent time that comes with a lot of growing pains and, as a market, we are now at that maturity moment.

I have had the privilege to be in the cyber insurance market since its birth. In those early days, many of my conversations in broker offices focused on educating and building awareness about what a cyber policy was, even before explaining why customers should buy one.

There was a lot of nurturing, learning, and patience. Over time, we moved from this “education era” to a “building era” where the market grew and hit its stride. Policy counts increased, coverages broadened, data breach laws were introduced, and geographies expanded – the cyber market was healthy, building muscle and, by all accounts, developing normally.

But the last few years have been different. We have used words like “inflection point” and “crossroads” to describe the pivotal transition that the cyber market has been undergoing since 2020. That was the year it hit its stride as a teenager and the market that we had nurtured fell into those awkward years, stretching the boundaries and outgrowing its current form.

Losses came in, rates went up, and capacity went down. It was the parental equivalent to your child crashing the family car: sudden and costly, but it could be salvaged, and there were lessons to be learned. The cyber market was growing up, and a new era was upon us.

How we deal with this “maturity moment” and ensure we progress through this next phase of the market cycle successfully are critical. The answers to how we do this can be found in five basic principles that were developed to help navigate these challenging times:

Monitor and observe

Portfolio management has long been the foundation of every insurance line of business and cyber is no different. As underwriters, we cannot simply sit back thinking that the last few years of rate increases and capacity diminishment will be enough to move us forward – or that last year’s events will be next year’s losses. Thanks to the advancement of technology, threat actors and geopolitical tensions, the cyber market is always on the move. Paying careful attention to current trends, market developments and threat intelligence is crucial, and will always be a part of our culture, particularly in this new era.

Guide and limit

We all know how important underwriting guidelines have become in the last few years and, by all accounts, have elevated both awareness of and standards of cybersecurity for the good of society. Discipline around risk controls and management practices have provided the necessary guardrails to allow the market to progress, even during times of unprofitability. These parameters are not only foundational but are also crucial to our market’s long-term sustainability.

Model and consult

It’s hard to believe but the first cyber catastrophe models were only launched in 2016 making them a younger cousin to their property counterparts, developed decades prior. Since then they have evolved significantly, and play a key role in managing systemic losses, predicting severity of key events and aiding decision-making. Even with debate over what a 1-in-100 or a 1-in-250-year event could look like, there is no question that these will continue to play an important part in the cyber market and what we learn from these will direct how we behave in the future.

Provide and advocate

The insurance industry is not an ecosystem unto itself, and collaboration is key. Introduction of new sources of both capital and information can only make it stronger and more resilient. Whether it’s participation in public/private partnerships or trade associations, or collaboration with academia, these provide new sources of information and viewpoints with which to further build out future products and capabilities.

This applies to capacity as well: the introduction of ILS or other forms of alternative capital – as witnessed in the recent flurry of activity which included the launch by AXIS of the first 144A cyber cat bond – also provides greater options and market opportunity in the future. We must continue to advocate for this innovation to support the resilience of our market and the needs of our customers over the long term.

Support and connect

While far from unique to the cyber insurance market, I would be remiss not to mention the talent gap that our industry is currently facing. The last few years have taught us that diversity of thought and background truly makes for a stronger market. I am among the cohort that entered the cyber world by chance, in my case bringing E&O experience. Some bring property knowledge, others have cyber security expertise, and some bring a general hunger, curiosity and passion for innovation.

Whatever the motivation, building a diverse and inclusive talent pipeline is one of the most important ways we can ensure sustainability and build the depth of experience necessary to help take our market forward. We must seek support, build connections, learn from one another and, most importantly, pay it forward.

These five principles might sound very simple but you will not find them in any insurance or risk management textbook or training modules. While I might have added some insurance context to them, these principles are adapted from the “Five Basic Principles for Parenting Adolescents” as published by the Massachusetts Institute of Technology.

In acknowledging the similarities between raising teenagers and guiding the cyber market, there are lessons we can learn from the former that can be equally applied to the latter. All of us have an obligation and a role to play in this market. Just as the actions we take in raising teenagers will shape their adulthood, so too will our actions shape the cyber insurance market of the future. These are formative years that will have a lasting impact on generations to come.