Post on 20-Feb-2022
Carrie Yang & Ron Sung
May 27, 2021
A Retail Perspective on the Growth and Development of Cyber Insurance
Aon’s Cyber Solutions
Proprietary & Confidential 1
Cyber insurance projected to grow from ~$5.5 billion at year-end 2019 to $20 billion by 2025
Sources
Aon proprietary data; Aon Inpoint; 2017 “Global Cyber Risk Transfer Comparison Report,” Aon/Ponemon Institute; 2016 Cyber—The Fast Moving Target: Benchmarking views and
attitudes by industry; Insurance Business America, PwC, The Betterley Report, Advisen, Allianz, Allied Market Research; CSIS
Growth Drivers
▪ C-suite and Board-level awareness and concern
▪ Reputational risk and balance sheet protection
▪ Stricter regulatory environments, led by GDPR
▪ Supply chain risk – emanating from both third parties and software compromises
▪ Increases in recent attacks, malware proliferation, and levels of sophistication
▪ Increased small and medium enterprise (SME) demand based on exposure and resource constraints
Growth of Cyber (Re)insurance Market
Chart years: 2019, 2020, 2022, 2025
Chart values: $5-6bn, ~$9bn, ~$14bn, ~$20bn
US
▪ ~$4.4bn in GWP*
▪ 10%-20% growth
▪ All 50 states regulated
UK & EU
▪ ~$800mn in GWP
▪ ~50% growth
▪ GDPR now active
RoW
▪ ~$300mn in GWP
▪ GDPR spurring new privacy laws beyond Europe
Total cost of cybercrime in 2018
Total cost of cybercrime in 2022
High Profile Events / Incidents
Timeline years: 2000, 2002, 2008, 2013, 2015, 2016, 2017, 2018, 2018, 2019, 2020, 2021, 2021
Events shown on the timeline:
▪ Aon founded its Technology Cyber Group
▪ Heartland Payment Systems Data Breach
▪ Anthem Data Breach
▪ Yahoo Data Breach
▪ Marriott/Starwood Data Breach
▪ Dot com bubble
▪ California Senate Bill 1386 passed – first Mandatory Data Breach Disclosure Law
▪ Target Data Breach
▪ All 50 states enacted data breach notification law
▪ WannaCry
▪ NotPetya
▪ COVID 19
▪ Equifax Data Breach
▪ EU GDPR Effective
▪ Mondelez vs Zurich
▪ Significant increase in ransomware attacks
▪ SolarWinds Cyber Attack
▪ Microsoft Exchange Server Breach
▪ CNA Cyber Incident
▪ Colonial Pipeline Ransomware Attack
The Evolving Cyber Threat
Organizations across all industries continue to invest in deploying digital technologies to stay competitive and drive quality and efficiency objectives
Diagram columns: Economic Drivers; Technology Drivers; Strategic Threats
Automation
▪ Production
▪ Distribution / Supply Chain
▪ Sales
▪ Critical Infrastructure
▪ Property Damage
▪ Bodily Injury
▪ Products Liability
Disruption Risk
Confidential Risk
Supplier Risk
▪ PII
▪ PCI
▪ PHI
▪ IP
▪ Regulations
Connectivity
Artificial Intelligence
Social Media
Cloud Computing
Mobility
Internet of Things
Distributed Ledger / Blockchain
Virtual Reality
Big Data
Key Pillars of a Cyber Insurance Policy
Prevention
▪ Pre-breach assessments
▪ Access to pre-vetted vendors
▪ Cyber security information
Assistance
▪ Forensic investigators
▪ Legal services
▪ Notification
▪ Credit Monitoring
▪ Call Center Services
▪ Crisis Management / Public Relations
Operations
▪ Costs incurred to keep or return the business to operational
▪ Loss of revenue, income, turnover
▪ Costs incurred to recreate or restore data and information
Liability
▪ Legal costs and damages from claims alleging privacy breach or network security failure
Market Standard Cyber Coverages Overview
Operational Risk
– Network Business Interruption
– System Failure
– Dependent Business Interruption / System Failure
– Cyber Extortion
– Digital Asset Restoration
Privacy and Network Security Risk
▪ Privacy and Network Security Liability
▪ Privacy Regulatory Fines and Penalties
▪ PCI Fines and Penalties
▪ Breach Event Expenses
Diagram labels: Supply Chain Disruption; Network Business Interruption; Technology Infrastructure; Evolving Regulation; Reputational Risk; Liability; Breach Expenses
2020 Aon Sponsored Ponemon Institute: The total value of PP&E and information assets
Chart: Extrapolated value ($ millions). Categories: Total value of PP&E; Total value of information assets. Series: FY2015, FY2017, FY2019, FY2020.
Data labels as extracted: $919, $933, $947, $1,082, $1,032, $1,161, $1,223, $1,274
2020 Aon Sponsored Ponemon Institute: The PML value for PP&E and information assets
Chart: Extrapolated value ($ millions). Categories: Value of the largest loss (PML) that could result from damage or the total destruction of PP&E; Value of the largest loss (PML) that could result from the theft and/or destruction of information assets. Series: FY2015, FY2017, FY2019, FY2020.
Data labels as extracted: $804, $1,170, $796, $1,080, $770, $979, $701, $773
2020 Aon Sponsored Ponemon Institute: The percentage of PP&E and information assets covered by insurance
Chart categories: Percentage of potential loss to PP&E assets covered by insurance; Percentage of potential loss to information assets covered by insurance. Series: FY2015, FY2017, FY2019, FY2020.
Data labels as extracted: 55%, 12%, 59%, 15%, 60%, 16%, 61%, 15%
Purchasing Trends by Industry
Limit increases at renewal for existing buyers
▪ Industries that have traditionally purchased cyber insurance are generally seeking higher limits options
Rapid growth in cyber captive market*
▪ Healthcare & energy industries leading the way, utilizing their captives for cyber coverage
▪ 41% of captives surveyed are incubating cyber risk
▪ Range in limits of cover taken out is up to USD$100 million
▪ Estimated that 34% of all captives will be writing cyber in five years’ time
New buyers focused on business interruption
▪ Manufacturing, critical infrastructure, pharmaceutical / life sciences, industrials & materials / automotive, public sector, energy / power and utilities, higher education, real estate / construction, agribusiness and transportation / logistics industries continue to lead new cyber insurance purchases
Shifting focus on cyber risk exposures
▪ New privacy regulations have refocused many buyers on breach exposures and the potential for fines and penalties
▪ Clients across industries continue to focus on business interruption coverage, including, among other things, system failure cover, cyber extortion and digital asset restoration
▪ Non-affirmative (“silent”) cyber coverage on property and casualty policies demonstrates the critical importance of matching customized cyber policy language to specific insured cyber exposures
*Aon's 2019 Cyber Captive Survey - Creating Value for the Cyber Risk Agenda
Non-affirmative (“Silent”) Cyber:
Potential Cyber Perils Under Property and Casualty Policies
Note that coverage in policy forms can vary materially from carrier to carrier, and from base policy forms to manuscript policy forms. All descriptions, summaries or highlights of
coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the
terms and conditions of the relevant policy.
Cyber
▪ Business interruption resultant from non-physical damage to computer systems due to a system failure
▪ Security and privacy liability including settlements and defense costs
▪ Breach response expenses
▪ Cyber extortion
▪ Bodily Injury and Property Damage (possible)
Property
▪ Hacking automated manufacturing
facilities to halt production
▪ Inflicting bodily injury or property damage
through compromised network systems
▪ Plant explosions or damage due to a
cyber related event
General / Product Liability
▪ Automated system hacking modifies
product specs, creating faulty devices
▪ Increased products exposures to Internet
of Things (“IoT”) vulnerabilities
Crime
▪ Business Email Compromise
via social engineering
▪ Hacking major financial institutions or
accounting software to steal monies
▪ Bitcoin wallet manipulation
Kidnap & Ransom
▪ Social media extortion
Intellectual Property
▪ Proprietary design specs for
tangible and intangible assets
▪ Trade secrets
▪ Copyright materials
D&O
▪ Disclosures of cyber incidents
have a material impact on the
organizations’ financial statements
▪ Reporting requirements
▪ Regulatory scrutiny
Marine
▪ Computerized hijacking
▪ Container tracking systems
▪ GPS navigation systems
▪ Automated shipyard processes
Terrorism
▪ Hacking medical devices to inflict bodily
harm to political or public figures
▪ Deliberate release of misinformation
to cause riot or civil unrest
Recall
▪ Hacking automated manufacturing plants
▪ Hacker contamination of design
specs
▪ Nanotechnology and 3D printing
Environmental
▪ Attacks on nuclear or energy
facilities release hazardous chemicals
or air emissions
▪ Untreated sewage releases to poison
water supply
▪ Disablement of critical infrastructure
leading to fires or explosions
Mondelez v Zurich
June 27, 2017: Mondelez affected by malicious code later dubbed NotPetya: 1700 Servers and 24,000 Laptops affected
June 1, 2018: Zurich formally denies Mondelez’ claim based on exclusion b(2)a: War Exclusion
July 18, 2018: Zurich rescinds denial – offers $10M partial payment
October 9, 2018: Zurich reasserts denial
October 10, 2018: Mondelez files suit for coverage for losses in excess of $100M
Relevant Details:
Exclusion b(2)(a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.
~$104M earnings reduction, $84M extra expense – 2017 Q4 Earnings Release
According to Property Claim Services (PCS) the total industry loss from the Petya / NotPetya cyber attack has now passed $3 billion, roughly 90% of which was driven by silent cyber impacts, the remainder from affirmative losses. https://www.reinsurancene.ws/petya-cyber-industry-loss-passes-3bn-driven-by-merck-silent-cyber-pcs/
Sample Cyber Carve-back language: “Cyberterrorism means the premeditated use of disruptive activities against any computer system or network by an individual or group of individuals, or the explicit threat by an individual or group of individuals to use such activities, with the intention to cause harm, further social, ideological, religious, political, or similar objectives, or to intimidate any person(s) in furtherance of such objectives. ‘Cyberterrorism’ does not include any such activities which are part of or in support of any military action or war.”
Ransomware Loss Trends Expected to Continue Through 2021
Pricing - While average pricing increased from 2019 to 2020 by 5%–10%, guidance from almost all insurers has been that those rate adjustments were not enough to compensate for the increase in frequency and severity of losses.
Claim Severity - The average loss severity climbed each quarter of 2020. In many instances, clients experienced eight-figure ransomware event-related losses. Also, many of those large matters continue to be adjusted over the course of a year, as subsequent business interruption losses are reviewed, and liability claims are litigated.
Risk Selection - Insurers bolstered supplemental tools throughout 2020. Some carriers are using public-facing scanning resources to search for vulnerabilities that could be subject to cyber threats, and many have introduced new ransomware specific applications. These efforts are focused on improving insured risk controls, as well as improving risk selection for insurers.
Claim Frequency - Aon’s Cyber Solutions saw a typical cadence of three new E&O/Cyber matters per business day in 2020, up almost 100% from full year 2019, the majority being ransomware event-related.
In a survey of the top 12 E&O/Cyber insurers Aon trades with, 58% of respondents suggested they are seeking rate increases greater than 30% throughout Q2 2021.¹
¹ Guidance is provided through Aon’s proprietary survey of the top 12 E&O/Cyber insurers Aon trades with. This is not proposed pricing, or guidance specific to a particular insured’s program. This is portfolio level guidance offered by underwriters who participated in the survey.
² Source: Aon’s Cyber Solutions U.S. Underwriter Survey, January 2021
Cyber Incident Rates Over the Past 12 Quarters (Percent change relative to 2018-Q1)
Proprietary & Confidential: The content, analysis and commentary included herein are understood to be the intellectual property of Aon.
Further distribution, photocopying or any form of third-party transmission of this document in part or in whole, is not permitted without the express, written permission of Aon.
Source: Risk Based Security, analysis by Aon. Data as of 1/5/2021; Ransomware payment per Coveware Ransomware Report as of 11/4/2020
Chart: percent change by quarter, 2018-Q1 through 2020-Q4. Series: Data Breach / Privacy; Ransomware.
Data labels as extracted: 4%, 21%, 215%, 173%, 24%, 49%, 27%, 9%, -39%, -40%, -57%, 0%, -6%, -11%, 34%, 103%, 189%, 237%, 354%, 311%, 380%, 486%
Key Observations:
▪ Ransomware activity has dramatically outpaced Data Breach/Privacy Event activity over trailing four quarters.
▪ Ransomware up 486% from Q1 2018 to Q4 2020.
▪ Aon Cyber Claims Intake indicates 2020 will show a compounding increase of 150%, +300% over trailing two years.
▪ Data Breach/Privacy Events tracking to decline in 2020, first decline in trailing 5 years.
Global Incident Growth Compared to 2012*
Source: Chubb Cyber Index. https://chubbcyberindex.com/#/incident-growth
Total Claims Costs Since 2009
Source: Chubb Cyber Index. https://chubbcyberindex.com/#/incident-growth
* The "Other First Party Costs" category may include other types of losses such as business interruption and ransomware payments.
** The "Third Party Costs" category may include other types of losses, including PCI assessments, regulatory fines, and defense and settlements of third-party matters.
E&O/Cyber Insurance – Market Trends as of Q2 2021
▪ Complex cyber losses have impacted the cyber insurance market, particularly traditional excess insurers where pricing has historically been extremely thin
▪ Ransomware activity has stressed SME and Middle Market segment of insurer portfolios
▪ Regulatory environment continues to gain complexity, particularly with emerging privacy legislation and litigation connected to BIPA, CCPA, and GDPR
▪ Certain insurers have started to retract coverage for ransomware events, in terms of adding coinsurance and/or sublimits
▪ Certain carriers have started to retract coverage for IT supply chain related events
▪ Insurers continue to emphasize panel arrangements, including use of pre-arranged vendors and legal support
▪ Insurers are aggressively managing their global capacity deployment
▪ Insurers are revisiting retentions, with pressure to increase on a primary basis; also evaluating their excess attachment points, and may limit capacity based on market segment or lack of security controls
▪ Certain insurers have started to increase waiting periods for Business Interruption/Systems Failure
▪ Certain carriers have started adding coinsurance for Dependent Business Interruption, along with increased waiting periods
▪ The market conditions for E&O / Cyber are firming with a continued acceleration in Q2 2021, due to ransomware activity and concerns around systemic loss aggregation
▪ Insurer feedback suggests the need for 30% - 50% rate increase in the large enterprise segment
▪ The Middle Market / SME segments continue to show average premium increasing at +30%
▪ Aon anticipates continued amplified rate pressure on excess market placements, with more significant premium rate increases to underlying increased limit factors
Slide section labels: Claims & Losses; Coverage; Capacity; Rate Environment
Change of Underwriting Strategy – Hardening Cyber Market
Diagram labels: Apps; Supplementals; UW Meeting; Insurability / Eligibility; Profitability; Frequency; Severity; Differentiation; Retention; Limit / Sublimit; Co-insurance; Rate; Exclusion; Breadth of Coverage
Global Cyber and E&O Insurance Marketplace—2021
Aon Client Premium Spend: Domestic 72%, London 23%, Bermuda 5%
DOMESTIC
▪ AEGIS
▪ AIG
▪ Allianz
▪ Alterra
▪ AmTrust
▪ Argo
▪ Ascot
▪ Aspen
▪ At-Bay
▪ AWAC
▪ AXA XL
▪ AXIS
▪ BCS
▪ Beazley
▪ Berkshire Hathaway
▪ Chubb
▪ CNA
▪ Coalition
▪ Corvus
▪ Crum & Forster
▪ Everest
▪ Hanover
▪ Hartford
▪ HDI
▪ Hiscox
▪ Intact
▪ Liberty
▪ Markel
▪ MunichRe
▪ Nationwide
▪ Old Republic
▪ QBE
▪ Resilience
▪ RLI
▪ RSUI
▪ Safety National
▪ SCOR
▪ Sompo
▪ Starr
▪ Swiss Re
▪ Tokio Marine HCC
▪ Travelers
▪ W.R. Berkley
▪ Validus
▪ Zurich
LONDON
▪ AIG
▪ Allianz
▪ Arch
▪ Ascot
▪ Ascent
▪ Aspen
▪ Aviva
▪ AXA XL
▪ Axis
▪ Beazley
▪ Brit
▪ Canopius
▪ CFC
▪ Chubb
▪ EmergIn Risk
▪ Generali
▪ Hamilton
▪ HannoverRe
▪ HDI Gerling
▪ Hiscox
▪ Liberty
▪ Markel
▪ Munich Re
▪ Tarian
▪ Occam
▪ QBE
▪ SCOR
▪ Swiss Re
▪ Talbot
▪ Tokio Marine HCC
▪ W.R. Berkley
▪ Zurich
BERMUDA (Excess only)
▪ AIG
▪ Arcadian
▪ Arch
▪ Argo
▪ Ascot
▪ Aspen
▪ AWAC (primary capacity as well)
▪ AXA XL
▪ AXIS
▪ Chubb
▪ Iron-Starr
▪ Liberty Specialty
▪ Markel
▪ Mosaic
▪ Mutual Insurance Company (MIC)
▪ RELM
▪ Sompo
About Cyber Solutions
Aon’s Cyber Solutions offers holistic cyber risk management,
unsurpassed investigative skills, and proprietary
technologies to help clients uncover and quantify cyber risks,
protect critical assets, and recover from cyber incidents.
About Aon
Aon plc (NYSE:AON) is a leading global professional
services firm providing a broad range of risk, retirement and
health solutions. Our 50,000 colleagues in 120 countries
empower results for clients by using proprietary data and
analytics to deliver insights that reduce volatility and improve
performance.
Visit aon.com/cyber-solutions for more information.
© Aon plc 2021. All rights reserved.
Cyber security services offered by Stroz Friedberg Inc. and its
affiliates. Insurance products and services offered by Aon Risk
Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon
Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and
Aon Risk Services, Inc. of Florida and their licensed affiliates.
The information contained herein and the statements expressed are
of a general nature and are not intended to address the
circumstances of any particular individual or entity. Although we
endeavor to provide accurate and timely information and use sources
we consider reliable, there can be no guarantee that such information
is accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the
particular situation.