Cyber security is top of the corporate ESG agenda. With cyber warfare firmly established and ransomware on the rise again, half of all companies reported a cyber attack of some sort in 2022. The economic damage from cyber attacks is estimated to reach >$10trn by 2025.
Against this backdrop, the World Economic Forum identifies cyber security as the key risk society faces after climate change. And for boardrooms, it is the top ESG concern as the chart below shows.
Which ESG concerns are of most risk to your company?
© 2023 Citigroup Inc. No redistribution without Citigroup’s written permission.
Figures represent the percentage of answers of all participants who responded (2,650)
Source: Citi Research, Allianz Risk Barometer, 2022
Citi Research analysts estimate that stand-alone cyber insurers generate only single-digit ROEs at an 80% combined ratio, with tail risk the biggest issue. This tends to favor larger, more diversified players.
Why do corporates buy cyber insurance?
The report notes that companies tend to buy cyber insurance for five key reasons. These reasons are aligned with ESG principles and form part of good governance. They can be summarized as follows:
Considerations for sector vulnerabilities to cyber attacks
Source: Citi Research
Cyber insurance is very different in the small and medium enterprise (SME) space compared to the large corporate space. Citi Research analysts reckon that three-quarters of SME distribution is through managing general agents (MGAs), whereas large corporates often rely on relationships with managed service providers (MSPs) for their cyber security solutions, which is where insurers tend to partner.
Cyber insurance market
Source: Citi Research, Gallagher Re
Portfolio exposure and premium development
Source: Citi Research, Aon
MGAs provide the security ecosystem, often by leveraging third parties for analytics and services, with capacity mostly from a panel of insurers, although more recently they have been forced to turn full stack and carry their own risk.
The full note titled European Insurance - Cyber insurance – (Nat) Cats without the tails?, published on 4 May 2023, includes more detail on the cyber insurance sector, including a detailed market overview, how to reduce the protection gap, and the role of reinsurance.
Citi Global Insights (CGI) is Citi’s premier non-independent thought leadership curation. It is not investment research; however, it may contain thematic content previously expressed in an Independent Research report.