The outlook for Europe’s cyber insurance market

Guy Carpenter’s global co-head of cyber Anthony Cordonnier examines the state of the European cyber insurance market.

The global cyber market was estimated to be $15.5bn at the end of 2023, with the market in Europe approximately $1.8bn. Guy Carpenter anticipates the European market will continue to display solid growth, especially in the corporate and middle-market sector.

With AI expanding the threat landscape, and increased regulatory oversight, demand for cyber insurance will continue to grow in European economies. Purchasing behaviour is being driven by buyers in all industry sectors, but increasingly manufacturing, financial institutions and energy, in territories such as the Nordics and Central and Eastern Europe, which have experienced a lower penetration of the product thus far.

Currently, Europe’s cyber insurance market is comprised of well-known global brands, local insurers and syndicates at Lloyd’s. The recent emergence of local, dedicated cyber MGAs, in addition to large US-based insurtechs expanding their global footprint, will broaden the product offering in Europe, foster competition and stimulate growth in the region.

Pricing

Pricing for cyber in Europe has typically followed the rate movements seen in the more mature US market. It has also been impacted by the rate increases driven by ransomware losses globally. Steep increases in 2020 and 2021 have now tapered to single-digit rate decreases, but pricing adequacy remains favourable.

Since H2 2022, competition in Europe has increased, driving improved rates and coverage, despite increased and evolving threats of zero-day exploits. More recently, pricing has depended largely on industry, perceived risk quality and company size.

Insureds with revenues above €250mn and effective cybersecurity controls typically experienced greater rate decreases. The downward movement in rates was observed mainly in excess layers, with larger accounts generally achieving savings at the primary and first excess layers.

Coverage generally broadened on accounts due to perceived improvements in underlying risk quality and increased flexibility on the insurer's side, with underwriters paying particular attention to digital supply chain management.

Regulation

Across the region, General Data Protection Regulation (GDPR) enforcement continues to be robust, with Ireland leading the table for imposing the highest and most cumulative GDPR fines, totalling €2.86bn, driven mainly by the largest tech and social media companies domiciling their European headquarters there – though many of these fines are being appealed.

GDPR fines are likely to continue spreading across Europe, with Germany, the Netherlands and Poland reporting high numbers of data breaches in 2023.

Claims activity

Despite an increase in the overall number of policies purchased in Europe, Marsh did not see a corresponding increase in the number of claims reported from 2022 to 2023. This is thought to be related to improvements in IT security and increased policy retentions.

Cyber extortion and network breaches are the most commonly reported claims, with lack of multifactor authentication remaining the most frequently exploited vulnerability in ransomware events. Overall increase in resilience and data backup storage have helped decrease cyber extortion payment rates.

As cyber continues to grow, threat actors will pivot in the way they exploit vulnerabilities and monetise their activities. Underwriters will continue to use a variety of tools and information collection methods, paying particular attention to digital supply chain management.

Looking ahead

Across the industry, we have seen a reassessment in how cedants purchase cyber reinsurance. Whilst proportional covers remain prevalent globally, and specifically in Europe, cedants are investigating utilisation of non-proportional covers to control tail and catastrophe exposure as portfolios grow. The recent emergence of small to mid-size events (so-called “Kitty Cats”) has led to an increase of occurrence covers, such as Guy Carpenter’s CatStop+, a blended reinsurance structure that provides cover for cedants on an occurrence and aggregate basis.

Cyber will remain a complex line of business that is changing rapidly in the face of an uncertain threat landscape. Guy Carpenter is at the forefront of working with cedants, capital providers and model vendors to help build a bespoke view of risk.

Anthony Cordonnier, global co-head of cyber, Guy Carpenter