Cyber Update - Aon Benfieldthoughtleadership.aonbenfield.com/Documents/20170504-ab-cyber-n… · Our aim is to provide insights for insurers ... 47.6 percent includes pure loss, defense

Aon Benfield Analytics

Risk. Reinsurance. Human Resources.

Cyber Update 2016 Cyber Insurance Profits and Performance

May 2017

Revised with data as of June 23, 2017


Cyber Update: 2016 Cyber Insurance Profits and Performance 1

Key Findings on 2016 Cyber Insurance Performance We are pleased to bring you the second edition of the Aon Benfield Cyber Insurance Profits and Performance study. The US cyber insurance market continues to grow, with an increasing number of carriers participating in it. Last year, this study was the first of its kind to assess the profitability of the industry, and this year we update our analysis with performance numbers for 2016.

We again use the data from US NAIC statutory filings to perform this analysis. We take this data set as representative of US industry experience and strive to glean the insights that can be found in it. See “About the Data” at the end of this paper for a discussion of the data’s limitations.

A total of 140 US insurers were found to have underwritten cyber insurance in 2016. Aon Benfield has analyzed these filings and has outlined the key findings below. Our aim is to provide insights for insurers that currently offer cyber insurance, as well as those seeking to offer it, to provide a performance benchmark and give perspective on the industry experience. Our initial data for analysis was pulled on April 27, 2016; after this date, several insurers made significant restatements to their 2016 results, resulting in material changes to our estimates of the overall industry performance. We are updated this report to reflect these changes, with revised data as of June 23.

Cyber insurance was profitable in 2016, despite higher loss ratios Cyber insurance across all companies averaged a 47.6 percent direct incurred loss ratio1 in 2016. This 47.6 percent includes pure loss, defense and cost containment expenses, and adjusting and other expenses. We estimate that industry expense ratio for cyber insurance to be 29.0 percent2, implying an estimated 2016 industry combined ratio for cyber insurance of 76.6 percent.

Exhibit 1: Estimated US 2015 & 2016 cyber insurance combined ratios

The 47.6 percent loss ratio was a 6.1 percent increase from the 2015 loss ratio of 41.5 percent.3 The major cyber claims story of 2016 was ransomware, which some insurers saw quadruple compared with the year prior4 – yet ransom requests are typically (and intentionally) small, below most policy deductibles.

35.1%

37.1%

4.8%

8.8%

1.6%

1.8%

31.3%

29.0%

72.8%

76.6%

0% 20% 40% 60% 80% 100%

2015

2016

Pure losses Defense and cost containmentAdjusting and other expenses Estimated expense ratio

47.6% loss ratio

41.5% loss ratio



While the 2016 year did see some potentially aggregating events, such as the distributed denial of service (DDoS) attack on Dyn, the impact on insurers was expected to be minimal since the DDoS’s duration was well below the standard 12-hour waiting time deductible for business interruption coverage.

Since the data is reported to the NAIC on a calendar year basis, it is possible that the increase in loss ratio for 2016 is due to adverse development on earlier accident years – or simply to price competition.

To view the results a different way, we segmented insurers based on the magnitude of their loss ratio change from 2015 to 2016, looking only at writers with at least USD 5 million in direct written premium to avoid potential skewing from small premium bases. A change of at least 5 loss ratio points was selected to indicate a material change. The results appear in Exhibit 2. Exhibit 2: US cyber insurance loss ratios | 2015 vs. 2016 For insurers with direct written premium greater than USD 5 million

These results indicate that slightly more insurers saw a loss ratio increase in 2016 than saw a decrease, 36 percent versus 32 percent. This is broadly consistent with the slight increase to industry loss ratio that we saw in Exhibit 1.

Cyber losses varied widely among insurers in 2016 While 47.6 percent was the average loss ratio across all insurers, individual insurer results varied greatly. Among underwriters with at least USD 5 million in direct written premium, loss ratios ranged from zero percent at the low end to 157.5 percent at the high end.

The table below shows the range of results among insurers with more than USD 5 million in written premium, based on percentiles to remove the influence of extreme outliers.

36%

25%

32%

7% Loss ratio increase of more than 5%

Loss ratio change of less than 5%

Loss ratio decrease of more than 5%

No 2015 data for comparison



Exhibit 3: Cyber insurance loss ratio percentiles by year

Calendar Year 5th Pctl 25th Pctl Median 75th Pctl 95th Pctl 2015 0.0% 7.2% 33.2% 54.4% 102.6% 2016 0.4% 5.3% 20.5% 51.2% 92.7%

We do see that large loss ratios are also in the data, as seen from the 95th percentile result of 92.7 percent. Also, note that the median for 2016 is actually lower than for 2015, 20.5 percent versus 33.2 percent. Overall, the 2016 distribution shows slightly less skew than the 2015 distribution.

For insurers providing cyber insurance, these results illustrate the potential for both extremely good and extremely bad underwriting outcomes, and underscore the importance of managing limits.

Severity is driving loss ratios We analyzed the correlation of insurers’ loss ratios against their claim frequency and severity. Last year claim severity, or average claim size, was found to be highly correlated with loss ratios, showing a correlation coefficient of 0.794. This year, the observed results yield a correlation coefficient of 0.759 – fairly similar. Frequency, in contrast, shows a correlation of 0.108 with the loss ratios, indicating that it is not a strong driver of insurers’ results.

Note, though, that outliers do impact the calculated correlations, as can be gleaned from the charts. For severity, if we remove the two largest outliers, the correlation coefficient drops to 0.58. For frequency, if we remove the four largest outliers, the correlation rises to 0.25. So outliers are driving the impacts of severity upward and frequency downward, respectively. Severity has greater bearing on loss ratios than frequency, regardless of outliers, but the impact may not be as pronounced as we saw at first glance. Exhibit 4a: Severity versus Loss Ratio

Exhibit 4b: Frequency versus Loss Ratio

These results again emphasize the importance for insurers to manage their limits carefully as they grow in the cyber line. Larger portfolios are, on the whole, less swayed by large severity events, but offering larger limits is often a necessary step for growth.

R² = 0.576

0%

20%

40%

60%

80%

100%

120%

140%

160%

0 $1.0M $2.0M $3.0M

Loss

Rat

io

Average Claim Severity

R² = 0.012

0%

20%

40%

60%

80%

100%

120%

140%

160%

0.0 0.2 0.4 0.6

Loss

Rat

io

Frequency (# of Claims per Policy)

Correlation = 0.759

Correlation = 0.108



Underwriting performance appears to vary considerably between standalone and package business We observe standalone cyber insurance having the lower loss ratio in 2016, averaging 45.0 percent of which 33.8 percent was pure losses, with defense and containment costs (DCC) making up 9.6 points of the balance. Package cyber policies showed a higher average loss ratio of 53.3 percent. This is a marked reversal from last year, when the standalone LR was nearly 16 points higher than the package loss ratio.

Unfortunately, this reversal is at least partly attributable to data quality issues. One major insurer reported its business last year largely as package but this year entirely as standalone, and another insurer saw its package loss ratio increase from 1.5 percent in 2015 to 108.5 percent in 2016. That said, a number of insurers wrote package business in both 2015 and 2016 and saw loss ratio increases in 2016 – so the package loss ratio increase does seem supported by the broader data. See the “About the Data” section for additional commentary on the shortcomings of the data for package policies.

The differences between standalone and package cyber performance are summarized in the table below.

Exhibit 5: Estimated US 2016 cyber insurance combined ratio | standalone vs. package

If we choose to treat the standalone results as the more reliable indicator of industry experience, then 45.0 percent would be the industry average loss ratio, including defense costs and other adjusting expenses.

Claims rates were significantly higher for standalone business. Cyber claims occur at a rate of 2.0 per 100 standalone policies, versus a rate of 0.2 per 100 package policies – the same ratios as last year. Note that “package” business for insurers can be interpreted extremely widely, ranging from a small cyber endorsement on a small commercial or BOP policy, to a large cyber / technology E&O blended policy. We see this in the policy counts for package insurers: several have more than 100,000 policies issued, while others with fewer than 20,000 are collecting significantly more premium. If we focus only on the insurers we believe are primarily small commercial cyber writers, we see a lower claim frequency of 0.1 claims per 100 package policies.

44.1%

33.8%

7.0%

9.6%

2.2%

1.6%

34.4%

28.7%

87.7%

73.7%

0% 20% 40% 60% 80% 100%

Package

Standalone

Pure losses Defense and cost containmentAdjusting and other expenses Estimated expense ratio

45.0% loss ratio

53.3% loss ratio



First party claims predominate Similar to last year, most of the claims reported in 2016 were for first party coverage. Indeed, first party claims outnumbered third party claims by a ratio of 1.2:1. Last year we saw a ratio of 3:1, which suggests that third party claims rose significantly. Here again, data quality paints a misleading picture. One large insurer reported nearly all its 2015 claims as first party, but in 2016 reported nearly all its claims as third party – impacting the ratios materially. When we strip this insurer out of the results, we see an approximate ratio of 1.9:1 for first party and third party claims respectively, in 2016 vs 2.2:1 in 2015.

The claim results for 2016 are summarized below.

Exhibit 6: US 2016 cyber claims

Policy type First party Third party All Standalone 1,535 1,241 2,776 Package 1,741 1,435 3,176 All 3,276 2,676 5,952

This is consistent with what we hear from conversations with our clients, with cyber incidents primarily triggering the first party coverage.

Premiums are growing and the field is widening In 2016 US cyber premiums grew approximately 34 percent year on year, to USD 1.35 billion.5

As we expected to see, a growing number of insurers participated in the US cyber market in 2016, reducing the market share held by the largest players. In total, 140 insurers reported writing some cyber premiums in 2016, with 29 insurers writing premium in 2016 that did not in 2015. 68 insurers wrote more than USD 1 million, and 28 wrote more than USD 5 million. All these numbers are higher than in 2015.

The top five cyber insurers accounted for 52 percent of direct written premiums, down from 61 percent last year, and the top 10 accounted for 72 percent versus 80 percent last year. By way of comparison, the top 10 writers of other liability claims made insurance account for 60 percent of premium, and the top 10 in commercial multi-peril account for 45 percent of premium.6 The US cyber market is still relatively concentrated, but less than before due to the participation of new entrants.

The charts on the next page illustrate the distribution of cyber premium.



Exhibit 7: US 2016 cyber premium distribution by size rank

Total premium reported: USD 1.35 billion

Exhibit 8: US 2016 cyber count and premium distribution by insurer direct written premium

Total premium reported: USD 1.35 billion

52%

20%

10% 6%

12%

100% of

$1.35B

Top 5 6th - 10th 11th - 15th 16th - 20th Other 118 All Insurers

51%

29%

5% 4% 4% 4% 2% 1% 7%

4% 6%

13%

30%

39%

Under $1m $1m-$5m $5m-$10m $10m-$25m $25m-$50m $50m-$100m Over $100m

Insurer Direct Written Premium

Count Premium



Identity theft insurance update While we have focused primarily on commercial cyber coverage in this paper, the NAIC supplement also gathers information about identity theft insurance. Identity theft coverage is predominantly a personal lines product, and premiums are written mainly by large personal lines insurers. A few comments are worth making:

21.6 million policies were in force at the end of 2016, according to the NAIC data, versus 17.7 million in 2015.

Total US identity theft premiums totaled USD 230 million in 2016, versus USD 241 million in 2015 – a 5 percent decrease in premium volume despite a growing number of policies. This suggests that pricing on identity theft products may be becoming more competitive.

While premiums shrank overall, premiums for standalone identity theft coverage actually grew 12 percent over 2015. Standalone identity theft products make up only USD 23.8 million of the total premium, but this growth suggests that more customers may be switching to standalone identity products such as LifeLock rather than taking an endorsement on their homeowners policies.

Standalone and package identity theft products have very different pictures of profitability. Package coverage was very profitable in 2016, with a 23.9 percent loss ratio. Standalone coverage had a much higher loss ratio at 66.6 percent.

Exhibit 9: Estimated US 2016 identity theft loss ratios | Standalone vs. Package

About the Data The NAIC supplement requests insurers to report on several kinds of coverage:

Standalone cyber insurance policies

Cyber insurance that is part of a package policy

Standalone identity theft insurance policies

Identity theft insurance that is part of a package policy

23.1%

64.3%

23.9%

66.6%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Package

Standalone

Pure losses Defense and cost containment Adjusting and other expenses



For our analysis, we have treated cyber insurance – both standalone and in a package – as the main area of interest. We view identity theft insurance as a different product than “cyber.”

We looked to extract as many insights from the supplement data as possible, but have some concerns about the completeness and quality of the reported information. We suggest reading this briefing not as commentary about the US cyber industry per se but rather as commentary about this particular dataset. We have commented on anomalies in the data where we are able to identify and adjust for them.

We discuss a few specific data issues below.

Premium completeness Our analysis suggests that the data reported to the NAIC is only a partial picture of the US cyber insurance market. Industry estimates of the global standalone cyber market vary, generally ranging from USD 2.5 billion to more than USD 3.0 billion. 7 We estimate roughly 85 percent of premium today is for US risk, but this risk is shared with insurers in Bermuda and London insurers as well as the US. The 2016 cyber premiums reported to the NAIC total USD 1.35 billion, of which USD 916 million is standalone cyber premium. Thus, the NAIC data represents a sizable portion of the market, but is not comprehensive.

Issues with package policies The treatment of cyber package policies creates several issues worth noting, particular when comparing results against standalone policies:

Premiums for the “cyber” portion of package policies can be difficult to break out. About 35 percent of the total package cyber premiums reported are from insurers who were unable to quantify the amounts exactly and instead used estimation techniques.

Losses reported for package policies do not include IBNR. The NAIC requested payments and case reserves for package policies, whereas it requested payments and total incurred amounts for standalone policies. It remains unclear whether insurers interpreted the standalone “incurred” losses to include IBNR. But the results for package business clearly do not.

Insurers were left to interpret the meaning of “package” business for themselves. “Package” in cyber can be interpreted extremely widely, ranging from an endorsement on a small commercial or BOP policy to a large cyber / technology E&O blended policy. We see this in the policy counts for package insurers: several have more than 100,000 policies issued, while others with fewer than 20,000 are collecting significantly more premium. Thus the results for package business are somewhat heterogeneous compared with the results for standalone cyber.

Claims data quality Not all insurers reported cyber claim counts, and of those that did, the number of claims varied considerably. The mix between first and third party claims also varied significantly between some insurers. We analyze the data on a per-claim basis only with a measure of caution.



Contact Information Authors Jon Laux, FCAS Head of Cyber Analytics Aon Benfield +1 312 381 5370 [email protected]

Craig Kerman, FCAS Director, Global Cyber Practice Group Aon Benfield +1 212 441 1568 [email protected]

Aon Benfield Cyber Practice Group Leadership Bill Henriques Global Cyber Practice Group Co-Leader Aon Benfield +1 973 966 3565 [email protected]

Luke Foord-Kelcey Global Cyber Practice Group Co-Leader Aon Benfield | Global Re Specialty +44 (0)20 7086 2067 [email protected]

mailto:[email protected]





Sources: 1 Company calendar-year loss ratios weighted by direct earned premium. Note that all numbers reported to the NAIC are on a direct basis. 2 2016 Insurance Expense Exhibit. Based on a premium-weighted average of the other liability-claims made expenses (for standalone cyber premiums) and commercial multi-peril liability expenses (for package premiums). 3 Readers of last year’s study will recall we published a 49.0 percent direct incurred loss ratio and an estimated 80.3 percent combined ratio. Several insurers reported later revisions to their premium and loss numbers during 2016, which, when recalculated, lead to the numbers we show here: a 41.5 percent loss ratio and 72.8 percent combined ratio. 4 Source: https://www.beazley.com/news/2017/beazley_sees_ransomware_attacks_quadruple_in_2016.html 5 Note we estimate approximately an additional USD 500 million in US cyber premium placed into Lloyd’s. 6 Source: NAIC 2016 statutory filings, as captured in SNL Financial as of April 27, 2016. 7 Sources: Aon Risk Solutions, The Betterley Report, Insurance Business America, PwC, and Aon Benfield research.

About Aon Benfield Aon Benfield, a division of Aon plc (NYSE: AON), is the world’s leading reinsurance intermediary and full-service capital advisor. We empower our clients to better understand, manage and transfer risk through innovative solutions and personalized access to all forms of global reinsurance capital across treaty, facultative and capital markets. As a trusted advocate, we deliver local reach to the world’s markets, an unparalleled investment in innovative analytics, including catastrophe management, actuarial and rating agency advisory. Through our professionals’ expertise and experience, we advise clients in making optimal capital choices that will empower results and improve operational effectiveness for their business. With more than 80 offices in 50 countries, our worldwide client base has access to the broadest portfolio of integrated capital solutions and services. To learn how Aon Benfield helps empower results, please visit aonbenfield.com.

https://www.beazley.com/news/2017/beazley_sees_ransomware_attacks_quadruple_in_2016.html



1 Company loss ratios weighted by direct earned premium. Note that all numbers reported to the NAIC are on a direct basis. 2 Source: 2015 Insurance Expense Exhibit. Based on a premium-weighted average of the other liability-claims made expenses (for standalone cyber premiums) and commercial multi peril liability expenses (for package premiums). 3