Insurers will find extracting steady profit from cyber policies “remains challenging” and wariness among underwriters is “justified by the systemic risk” from interconnected digital services and infrastructure, S&P Global Ratings says.

Going forward, S&P says clear policies with precise wording are key to developing a sustainable cyber insurance market.

The ratings agency’s new Rocky road to a mature cyber insurance market report says worse-than-expected results last year led to a “supply-demand mismatch due a reluctance to take on new risk” and the cancellation of some contracts where policyholders have failed to meet security standards and an acceptable risk-return profile.

The number of ransomware attacks increased 232% from 2019 to 2021 to be the major driver of higher loss ratios, triggering payouts for payments linked to business interruption, data recovery, IT forensic costs, regulatory investigations, and fines.

“Those secondary effects have given rise to more comprehensive questioning of policyholders and innovation in risk assessments during underwriting, and raised the threshold for accepting new risks,” the report said.

It notes increased hesitancy to underwrite larger risks, reduced capacity and significant premium hikes and policy stipulations – as new modelling indicates a major cyber event could trigger damages worth “multiples of the estimated size of the entire cyber insurance market”.

While S&P says the global cyber cover premium pool is set to increase 25% a year reaching $US22.5 billion ($32.49 billion) by 2025, mostly due to a further rise in rates, the agency says an overly aggressive expansion into the cyber insurance market without effective risk controls could be detrimental to exposure, capital and earnings for insurers – and their credit ratings.

Promisingly, the average payment following a successful ransomware attack has declined by around a third and nonpayment of ransom demands was 54% in the first quarter, up from 15% two years earlier.

S&P says victims are feeling more empowered by improved operational resilience as insurers commonly decline cover if a potential policyholder lacks comprehensive IT system back-ups, endpoint detection technology, a protocol that ensures ongoing patching of IT systems, defined cyber attack response measures, or multifactor authentication.