The cyber risk landscape is “rapidly evolving,” with cyberattacks increasing in severity and sophistication.
Hackers now “use triple extortion techniques and ransomware-as-a-service has lowered entry barriers for cybercriminals.” In addition, increased digitalization of critical infrastructure has made it “more vulnerable to cyber threats – with the potential for systemic fallout should a cyberattack interrupt the provision of clean water, energy or internet services for an extended period of time.” This new risk era “requires a different approach to cyber insurance,” a new Swiss Re Institute study suggests.
Jérôme Haegeli, Swiss Re Group Chief Economist, said:
“As cyberattacks have increased, so has awareness of the risk – and with it, demand for cyber insurance is growing. However, due to the high degree of uncertainty regarding expected losses and the evolving nature of the risk, its insurability is limited. This in turn restrains market capacity, leading to a protection gap of around 90%.”
The study suggests three areas of improvement “where the re/insurance industry can help to manage cyber risk more efficiently and increase insurability: increasing contract consistency and clarity, using standardized data and better modelling, and identifying new sources of capital.”
It is critical “to improve the understanding of the risk, as this will help mitigate overall exposures and make society more resilient to cyberattacks with devastating and potentially systemic consequences.”
The human and networked nature of cyber means the risk “will continually evolve and require a coordinated response.” Enhancing cyber resilience will “require collaboration between corporations, insurers and governments.”
John Coletti, Head Cyber Reinsurance at Swiss Re, said:
“The cyber insurance market has tremendous growth potential. However, the market needs to mature further to ensure enough insurance protection is available. Our industry has a key role to play by addressing three issues: improving data and modelling, increasing contract consistency and clarity and identifying new sources of capital.”
The key findings from the Swiss Re Institute’s publication on the cyber insurance market are:
- The rising frequency and severity of cyberattacks have been a main driver of cyber insurance market growth. Global cyber insurance premiums reached an estimated USD 10 billion in 2021 and Swiss Re Institute forecasts 20% annual growth to 2025, with total premiums rising to USD 23 billion. The market has significant growth potential beyond these projections. Given estimates of annual global cyber losses at around USD 945 billion, roughly 90% of the risk remains uninsured.
- Despite having grown fast, premiums remain only a fraction of annual losses. This is due to insurability limitations: systemic losses could overwhelm re/insurers, cyber losses are caused primarily by humans and are thus not random or accidental, and the risk is hard to quantify because of data and modelling constraints. Also, the accumulation risk poses a challenge. Due to the interconnectedness of the economy, a single cyberattack could generate widespread impact and potentially affect the entire portfolio of a re/insurer.
- Limited insurability restrains capacity despite growing demand, bringing into doubt the sustainability of the market.
To improve insurability and establish a sustainable market, Swiss Re Institute proposes three key measures:
- Standardising data and optimising modelling: Cyber risks are difficult to quantify due to a lack of standardised data and modelling constraints within a shifting risk environment. Future risks are typically inferred based on backward-looking data, but this approach is limited in the context of cyber risk for two reasons: a lack of standardised data and backward-looking information being less useful in a rapidly changing risk environment. Introducing cybersecurity standards should improve cyber data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modelling. Re/insurers must also invest in cyber talent to help strengthen the actuarial and technical skills needed for the forensic analysis that is part of underwriting and claims management cycles.
- Updating policy language for clarity and consistency: The relative youth of the cyber insurance market and complexity of the risk are reflected in a lack of standardisation around exclusion clauses and terms and conditions. Uncertainty about responsibilities in the event of a cyber catastrophe remains a barrier for additional industry capacity. Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem. By clarifying responsibilities, as well as supporting risk understanding and mitigation efforts, contract clarity and consistency can lead to increased cyber capacity.
- Identifying new sources of capital: Public and private sector collaboration is key to mitigating cyber threats to critical infrastructure. A public-private partnership (PPP) insurance scheme, where the coverage of systemic risks is split between insurers and a government(s)-backed fund, is one option to address part of the protection gap. Another would be to tap into the market for insurance-linked securities.