U.S. insurers took in almost $1 billion in premiums last year for writing cybersecurity policies, according to new figures from credit analysts at Fitch Ratings.
The $998 million figure for 2015 represents $483 million in standalone cyber insurance premiums and $515 million in cyber premiums where the protection was part of a larger package involving other kinds of coverage, according to Fitch.
The numbers come from an analysis of supplemental filings required of insurers by the National Association of Insurance Commissioners. But Fitch’s analysis cautions that there are some limitations to the new figures, especially where cyber coverage is bundled into a broader insurance package.
“Each underwriter’s approach to assessing premiums from cyber risks in package policies will differ, leading to inconsistencies in the data,” they write, adding that, “a significant portion of cyber-related exposures will not be captured [as] several large companies did not report premiums for [bundled] cyber policies in the supplemental filing.”
Over time the analysts expect consistency to improve as underwriters’ interpretations converge. But in the meantime “total cyber insurance premiums are likely understated,” cautions Fitch Ratings Managing Director James Auden.
Although some estimates put the global value of the cyber insurance market at $2 billion a year — and insurance broker Marsh & McLennan estimated that could multiply three to five times by 2020 — the Fitch analysis cautions that information about the cyber-insurance market remains patchy and uncertain.
“The lack of information on cyber insurance is a challenge for insurance companies, policyholders, regulators, and investors to evaluate and price risk,” warned Auden.
Bermuda-based XL Group Ltd. wrote the most standalone coverage, with $113 million or 23 percent of that market. American International Group, Inc., or AIG, wrote the most package-based coverage with $194 million or nearly 38 percent of that market. In the combined market, AIG wrote 22 percent of the coverage, followed by Chubb Limited at 12 percent and XL at 11.
The report says the direct loss ratio — i.e. the proportion of premiums paid out in claims — for standalone insurance policies was 65 percent on aggregate, but warns that “Direct loss ratios on stand-alone cyber business vary considerably by individual underwriter.”
More than 80 percent of the standalone policies — and 94 percent of package policies — were written on a “claims-made” basis, which means they only cover claims made during the period of insurance. This “greatly reduces the length of the policy exposure period and claims payment pattern,” the analysis states.
Nonetheless, “The ultimate profitability of the … industry’s cyber insurance efforts will take some time to assess as the market matures and future cyber-related loss events emerge,” said Fitch Ratings Director Gerry Glombicki.