Gallagher Re Report Explores Sustainable Growth in Cyber Insurance


April 04, 2025


Gallagher Re's report, The Quest for Growth: Why Preparing for Sustainable Cyber Development Today Will Lead to More Profitable Growth Tomorrow, provides an in-depth analysis of the cyclical nature of the cyber insurance market and outlines a strategy for long-term, sustainable growth. The report emphasizes that while all lines of insurance are subject to hard and soft market cycles, cyber experiences sharper and more accelerated shifts due to factors such as a lack of historical data, evolving risks, and low stakeholder confidence.

According to Gallagher Re, these dynamics have created capacity constraints at the very time the market should be expanding. The industry's failure to instill resilience into its capital base has led to retrenchment during times of stress rather than a proactive response to market volatility. Gallagher Re asserts that balancing supply and demand through proactive underwriting and capital alignment is critical to smoothing out extreme market cycles.

The report draws comparisons to historical market behavior, particularly in property-catastrophe lines. Gallagher Re cites the emergence of Bermuda-based reinsurers after 9/11—such as Arch Re and Axis—as an example of how companies that entered the market during crises captured significant market share. These reinsurers collectively wrote $2 billion in premiums within 6 months and were later joined by others who raised $28 billion in new capital. Per Gallagher Re, this demonstrated how strategic investment during downturns can lead to long-term leadership and profitability.

Cyber insurance, while newer, has experienced similarly stark cycles. Gallagher Re recalls how pre-2017 losses like the Target data breach exposed the market's vulnerabilities. Coverage was underpriced and failed to reflect the real scope of systemic cyber risk, with many policies lacking adequate business interruption and reputational harm coverage. Gallagher Re said this led to uncovered losses despite significant claims, undermining trust in the product.

The 2017 NotPetya attack marked a critical turning point. According to the report, it caused over $10 billion in damage, yet only $3 billion was insured, and just $300 million under cyber policies. The majority fell under property coverages. Gallagher Re explains that this event prompted a re-evaluation of "silent" cyber exposures and a shift toward affirmative coverage, tighter underwriting standards, and refined pricing strategies.

By 2021, the cyber market underwent dramatic hardening. Per Gallagher Re, rate increases for cyber portfolios ranged from 35 percent to 113 percent, driven by rising ransomware losses and revised underwriting models. However, despite better risk management, some insurers began writing fewer policies due to premium limitations, and average limits dropped significantly. Gallagher Re noted that by 2018, 80 percent of cyber policies had limits of $5 million or less, down from prior norms of $10–$50 million.

According to Gallagher Re, while these actions were necessary, they resulted in reduced innovation and coverage availability. Some insureds questioned the value of cyber insurance as premiums soared, especially when policies were not clearly customized to meet specific business needs. The report observes that cyber-security vendors began positioning themselves as alternative solutions, promising better returns on investment than traditional cyber insurance.

Despite these challenges, Gallagher Re identifies improvements. The market has seen stronger baseline security controls and greater use of tools such as multifactor authentication and timely software patching. Per the report, this has enhanced underwriting practices and reduced the frequency and severity of losses, but it has also raised the bar for policyholders, making it more difficult for some businesses to obtain quotes due to stricter minimum standards.

The report also discusses how policy count declined during a time of heightened awareness due in part to affordability and policy access issues. Gallagher Re said this illustrates the unintended consequence of relying solely on pricing levers to manage exposure rather than improving the underlying resilience of insureds or investing in broader market participation strategies.

According to Gallagher Re, the cyber market now faces a softening phase. Insurers have responded to falling demand with limited rate reductions to encourage sales. While some underwriters are pursuing new products or entering new markets, the report warns that cyber soft markets differ from traditional lines: customer lifetime value and retention play a larger role, and the impulse to maintain looser underwriting standards in pursuit of growth could delay necessary recalibrations.

Gallagher Re points to data showing the global cyber insurance penetration rate remains low, especially among small and micro businesses. In the United Kingdom, only 15 percent of small and medium enterprises (SMEs) and fewer than 10 percent of micro-businesses have cyber cover. The report contends this low uptake represents a failure by the industry to communicate the essential nature of cyber coverage and to develop products that adequately meet the needs of this segment.

The report argues that, like other property classes, cyber insurance follows a boom-bust pattern, but the industry has an opportunity to respond differently. Gallagher Re, in collaboration with Munich Re and Beazley, developed accumulation models indicating that severe tail cyber events are survivable. According to the report, this supports the thesis that a proactive, prepared market could reduce the extremes of future cycles.

Gallagher Re noted that the threat landscape has evolved significantly. Ransomware tactics have become more targeted, data theft has increased, and new technologies like artificial intelligence are fueling more sophisticated attacks. Citing external sources, Gallagher Re notes that tools like WormGPT and the commoditization of cybercrime-as-a-service are lowering the barrier for would-be attackers, making it easier for less experienced actors to execute damaging campaigns.

According to the report, maintaining underwriting profitability in this volatile landscape requires more than pricing discipline. While underwriting loss ratios have improved and rate indices are significantly higher than in prior years, Gallagher Re warns that customer trust remains fragile. If policyholders see premiums doubling without claims, they may question the value of insurance and opt for alternatives, including self-insurance.

The report illustrates this point with benchmark data, showing volatile premium growth and fluctuating rate changes across recent years. Gallagher Re contrasts actual growth with an idealized scenario, noting that steady, proactive investment could lead to smoother growth and stronger long-term market performance.

Gallagher Re emphasizes that the foundation of a sustainable cyber insurance market lies in managing both capital and demand. The report argues that insurers must invest during soft market phases, ensuring capital is available post-event and that tailored solutions are in place to meet evolving client needs. Gallagher Re underscores the importance of pre-event preparation and calls for greater alignment among stakeholders.

Unlocking sufficient capital has historically been a challenge, but Gallagher Re highlights progress in recent years through capital market partnerships, such as 144A cat bonds, which now attract over $500 million in limit. Per the report, continued collaboration with the insurance-linked securities community will be vital to ensuring capital availability in the next hard market.

According to Gallagher Re, long-term profitability depends not just on more capital but also on smarter product development, risk monitoring, and technological investment. The report encourages the industry to develop industry-specific cyber solutions—for example, addressing operational technology risks in sectors like manufacturing, energy, and telecom—rather than relying on generic products.
