The global cyber cover premium pool is set to increase 25% a year, reaching $US22.5 billion ($32.49 billion) by 2025, though profitability in the insurance line will continue to be a challenge, according to a new report from S&P.

The ratings agency says recent growth in total premiums, which stood at around $US9 billion ($12.97 billion) last year, was mostly due to rising rates - not an increase in the number or size of insurance contracts.

S&P says rate adjustments and policyholder education mean ransomware is not an “existential threat” to cyber insurers - but making a steady profit from cyber “will remain challenging” and worse-than-expected results last year has led to increased hesitancy to underwrite larger risks and to some insurers reducing their risk appetite.

Insurer wariness toward cyber cover and a tightening of terms is “justified by the systemic risk that comes from interconnected digital services and infrastructure,” S&P’s Rocky road to a mature cyber insurance market report said.

The agency is monitoring the management of accumulation risk at the insurers it rates and says an overly aggressive expansion into the cyber insurance market, without effective risk controls, could be detrimental to exposure, capital and earnings.

“A single cyber event could simultaneously affect a considerable number of policyholders,” S&P said, with the latest modelling revealing a major cyber event could result in damages worth “multiples of the estimated size of the entire cyber insurance market”.

S&P says better risk modeling is needed to see a lift in market capacity rather than “still higher rates underpinned by a supply-demand mismatch due to a reluctance to take on new risk”. The need to continually reassess evolving risk exposures is a challenge for insurers, and dynamic contract conditions are likely to “prove an enduring characteristic of the market”.

S&P says cyber premium prices will fluctuate going forward due to new risk differentiation models, emerging cyber security standards and improvements in cyber security systems.

“This variability has become a key pillar of insurers' efforts to create sustainable cyber insurance products. It has also, in some instances, led to the cancellation of contracts where policyholders have failed to meet security standards and thus an acceptable risk-return profile,” the report said.

Insurers have also increased retention levels to see that more risk remains with policyholders, and reduced coverage for specific types of loss with sublimits, especially in relation to ransomware and business interruption coverage.

“Those changes partly derive from the significant number of insurers whose loss ratios have sharply increased, mainly due to larger and more frequent ransomware-related claims,” S&P said.

The number of ransomware attacks increased 232% from 2019 to 2021 to be the major driver of higher loss ratios, triggering payouts for payments linked to business interruption, data recovery, IT forensic costs, regulatory investigations, and fines.

“Those secondary effects have given rise to more comprehensive questioning of policyholders and innovation in risk assessments during underwriting, and raised the threshold for accepting new risks,” the report said.

Promisingly, the average payment following a successful ransomware attack has declined by around a third and nonpayment of ransom demands was 54% in the first quarter, up from 15% two years earlier.

S&P says victims are feeling more empowered by improved operational resilience as insurers commonly decline cover if a potential policyholder lacks comprehensive IT system back-ups, endpoint detection technology, a protocol that ensures ongoing patching of IT systems, defined cyber attack response measures, or multifactor authentication.

Insurers are also conducting real-time monitoring of new threat actors and emerging attack tactics which S&P welcomes and says “should enable better assessment of the underlying risk dynamics of policyholders and potential clients”.

Going forward, S&P says clear policies with precise wording are key to developing a sustainable cyber insurance market, requiring a deeper understanding of how ransomware drives losses, improvements in scenario modeling, better management of risk accumulation and disciplined underwriting.

“Insurers that aggressively expand in the cyber market without that expertise will expose themselves to increased capital and earnings volatility that could lead us to change our assessment of their operations,” it said.

Those with a disciplined and targeted approach could enhance their reputations and be better prepared for the next growth opportunity, it said.