Sizing the Standalone Commercial Cyber Insurance Market
Cyber liability is a risk that's rapidly permeating every business that relies on digital technology in some phase of its operations, which means very few enterprises today are free from exposure. Data theft and privacy breach pose an ongoing threat to many businesses. The number of reported ransomware incidents and denial-of-service attacks has been growing among organizations of all sizes and across industries.

According to a recent Verisk analysis [1], the percentages of historical losses incurred by industry include:

28% Healthcare
17% Financial services
12% Media
6% Education
7% Retail
6% Professional services

But while the risk is widespread, recognition of the need for insurance protection from cyber attacks has lagged among many businesses, especially outside the realm of large accounts, until now. Therein lies an opportunity for commercial insurers, if they can get a clear picture of the market and identify niches with potential for growth.

$4.1B by 2020

Sizing the standalone U.S. commercial cyber liability market

Gains in small and midsized accounts will be an increasing factor as the market matures and cyber coverage becomes a contractual requirement in growing numbers of business-to-business relationships. By sector, healthcare and education remain especially important to the market, with almost daily revelations of cyber breaches in those sectors.

Many cyber policies address first-party exposures such as forensic costs following data breaches and respond to losses related to regulatory actions, legal defense, and remediation when third-party information is compromised. In addition, Verisk estimates reflect the widespread integration of coverage for first-party exposures such as spurious fund transfers, extortion, and business interruption into many cyber policies.

[1] ISO analysis of licensed third-party data.
Standalone commercial cyber liability in 2016, excluding package policies, amounted to almost $1.5 billion of written premium as estimated by Verisk, using ISO MarketStance Commercial Insight. The total, including package policies, was an estimated $2.5 billion. ISO MarketStance solutions projects that, assuming Verisk's forecasted average annual growth in take-up rates of 20-30%, the standalone cyber market could reach $4.1 billion by 2020, with a total forecasted cyber market of $6.2 billion.

[Figure: Commercial cyber market projection: Standalone, package, and total. Series: Direct Written Premium: Standalone Policies; Direct Written Premium: Package Policies; Direct Written Premium: U.S. Market Total. Years shown: 2016 and 2020.]
Source: ISO MarketStance Commercial Insight V.17.0 (December 2017)
Standalone cyber liability market potential

Sector                                                                  Cyber Liability Premium    Cyber Liability Premium
                                                                        2016 estimate              2020 projection
Services*                                                               $0.48                      $1.38
Finance, Insurance, and Real Estate                                     $0.41                      $1.14
State and Local Government                                              $0.22                      $0.62
Retail Trade                                                            $0.12                      $0.35
Wholesale Trade                                                         $0.11                      $0.32
Manufacturing                                                           $0.07                      $0.21
Construction                                                            $0.03                      $0.08
Transportation, Communications, Electric, Gas, and Sanitary Services    $0.01                      $0.03
Other**                                                                 $0.01                      $0.02

Source: ISO MarketStance Commercial Insight V.17.0 (December 2017)

*The education and health sectors are included in the Services SIC category.
**Agriculture, Forestry, and Fishing; Mining; Industries Not Classified
Where is the standalone cyber opportunity?

Number of companies (by size) and expected premium for standalone commercial cyber coverage by 2020, as projected by ISO MarketStance Commercial Insight.

Standalone Commercial Cyber Market

Small Commercial (<$10m revenue)
2016: 96,800 companies
2020: 242,000 companies
$0.26 billion direct written premium

Middle Markets ($10-$250m revenue)
2016: 43,200 companies
2020: 83,300 companies
$2.46 billion direct written premium

National Accounts ($250m+ revenue)
2016: 6,000 companies
2020: 9,400 companies
$1.43 billion direct written premium
About our methodology

Any effort to size the cyber market requires a clear definition of what's being measured. What business is included? Does the baseline data support an accurate calculation of growth? Is the buzz surrounding this business influencing estimates of its size? A proven, bottom-up methodology points the way to capturing the most accurate numbers.

Verisk relied on the relative demand factors reflected in the ISO Cyber Data Call from 2016, a special Verisk initiative to collect, aggregate, and analyze premium and loss data for cyber-related first-party and liability coverages. Also reflected are high-level estimates of the take-up rates generated within Verisk and from other sources. These sources supported company size as a key driver of take-up rates, with small commercial extremely low at less than 5 percent. The relative demand factors yielded a first approximation of the number of companies covered, which were benchmarked to the NAIC count of cyber policies in force as adjusted by Verisk. [2]

ISO MarketStance solutions also factored in coverages for both first- and third-party exposures. Many cyber policies address first-party exposures such as forensic costs following data breaches, and many also respond to losses related to regulatory actions, legal defense, and remediation when third-party information is compromised. In addition, our estimates reflect the fact that coverage for first-party exposures such as spurious fund transfer, extortion, and business interruption has become widely integrated in the cyber policies written in the market today.

ISO MarketStance solutions has provided the most detailed available estimates, derived by a proven, bottom-up methodology, for many lines of business, including directors and officers, errors and omissions, and employment practices liability for more than a decade. We're pleased now to provide the same for standalone commercial cyber liability.

[2] Verisk data hygiene procedures identified outlier values in the NAIC reported data from one company. This data was excluded from the market benchmark.
About Verisk

Verisk (Nasdaq:VRSK) is a leading data analytics provider serving customers in insurance, natural resources, and financial services. Using advanced technologies to collect and analyze billions of records, Verisk draws on unique data assets and deep domain expertise to provide first-to-market innovations that are integrated into customer workflows. Verisk offers predictive analytics and decision support solutions to customers in rating, underwriting, claims, catastrophe and weather risk, global risk analytics, natural resources intelligence, economic forecasting, and many other fields. Around the world, Verisk helps customers protect people, property, and financial assets. Our industry-leading brands include ISO, Xactware, AIR Worldwide, Argus, and Wood Mackenzie.

Learn more about our commercial cyber solutions at www.verisk.com/cyber.

© 2018 Insurance Services Office, Inc. ISO is a registered trademark and Verisk is a trademark of Insurance Services Office, Inc. All other product or corporate names are trademarks or registered trademarks of their respective companies. is18149 (2/18)