The cyber risk landscape is rapidly evolving, with cyberattacks increasing in severity and sophistication. Hackers now use triple extortion techniques and ransomware-as-a-service has lowered entry barriers for cybercriminals. In addition, increased digitalisation of critical infrastructure has made it more vulnerable to cyber threats – with the potential for systemic fallout should a cyberattack interrupt the provision of clean water, energy or internet services for an extended period of time. This new risk era requires a different approach to cyber insurance, a new Swiss Re Institute study suggests.
Jérôme Haegeli, Swiss Re Group Chief Economist: "As cyberattacks have increased, so has awareness of the risk – and with it, demand for cyber insurance is growing. However, due to the high degree of uncertainty regarding expected losses and the evolving nature of the risk, its insurability is limited. This in turn restrains market capacity, leading to a protection gap of around 90%."
The study suggests three areas of improvement where the re/insurance industry can help to manage cyber risk more efficiently and increase insurability: increasing contract consistency and clarity, using standardised data and better modelling, and identifying new sources of capital.
It is critical to improve the understanding of the risk, as this will help mitigate overall exposures and make society more resilient to cyberattacks with devastating and potentially systemic consequences. The human and networked nature of cyber means the risk will continually evolve and require a coordinated response. Enhancing cyber resilience will require collaboration between corporations, insurers and governments.
John Coletti, Head Cyber Reinsurance at Swiss Re: "The cyber insurance market has tremendous growth potential. However, the market needs to mature further to ensure enough insurance protection is available. Our industry has a key role to play by addressing three issues: improving data and modelling, increasing contract consistency and clarity and identifying new sources of capital."
The key findings from the Swiss Re Institute's publication on the cyber insurance market are:
- Rising frequency and severity of cyberattacks has been a main driver of cyber insurance market growth. Global cyber insurance premiums reached an estimated USD 10 billion in 2021 and Swiss Re Institute forecasts 20% annual growth to 2025, with total premiums rising to USD 23 billion. The market has significant growth potential beyond these projections. Given estimates of annual global cyber losses at around USD 945 billion, roughly 90% of the risk remains uninsured.
- Despite having grown fast, premiums remain only a fraction of annual losses. This is due to insurability limitations: systemic losses could overwhelm re/insurers, cyber losses are caused primarily by humans and are thus not random or accidental, and the risk is hard to quantify because of data and modelling constraints. Also, the accumulation risk poses a challenge. Due to the interconnectedness of the economy, a single cyberattack could generate widespread impact and potentially affect the entire portfolio of a re/insurer.
- Limited insurability restrains capacity despite growing demand, bringing into doubt the sustainability of the market. To improve insurability and establish a sustainable market, Swiss Re Institute proposes three key measures:
1. Standardising data and optimising modelling: Cyber risks are difficult to quantify due to a lack of standardised data and modelling constraints within a shifting risk environment. Future risks are typically inferred based on backward-looking data, but this approach is limited in the context of cyber risk for two reasons: a lack of standardised data and backward-looking information being less useful in a rapidly changing risk environment. Introducing cybersecurity standards should improve cyber data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modelling. Re/insurers must also invest in cyber talent to help strengthen the actuarial and technical skills needed for the forensic analysis that is part of underwriting and claims management cycles.
2. Updating policy language for clarity and consistency: The relative youth of the cyber insurance market and complexity of the risk are reflected in a lack of standardisation around exclusion clauses and terms and conditions. Uncertainty about responsibilities in the event of a cyber catastrophe remains a barrier for additional industry capacity. Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem. By clarifying responsibilities, as well as supporting risk understanding and mitigation efforts, contract clarity and consistency can lead to increased cyber capacity.
3. Identifying new sources of capital: Public and private sector collaboration is key to mitigating cyber threats to critical infrastructure. A public-private partnership (PPP) insurance scheme, where the coverage of systemic risks is split between insurers and a government(s)-backed fund is one option to address part of the protection gap. Another would be to tap into the market for insurance-linked securities.
Computer security firm McAfee, The Hidden Costs of Cybercrime, December 2020.
Download the publication here
If you would like to discuss the findings of the research publication in more detail or learn about Swiss Re's approach to the cyber business, contact us to schedule an interview with one of our experts.
About Swiss Re
The Swiss Re Group is one of the world's leading providers of reinsurance, insurance and other forms of insurance-based risk transfer, working to make the world more resilient. It anticipates and manages risk – from natural catastrophes to climate change, from ageing populations to cyber crime. The aim of the Swiss Re Group is to enable society to thrive and progress, creating new opportunities and solutions for its clients. Headquartered in Zurich, Switzerland, where it was founded in 1863, the Swiss Re Group operates through a network of around 80 offices globally.
Disclaimer
The entire content of this study is subject to copyright with all rights reserved. The information in this report may be used for private or internal purposes, provided that any copyright or other proprietary notices are not removed. Electronic reuse of the data published in publication is prohibited. Reproduction in whole or in part or use for any public purpose is permitted only with the prior written approval of Swiss Re Institute and if the source reference Swiss Re: Cyber insurance: strengthening resilience for the digital transformation is indicated. Courtesy copies are appreciated.
Although all the information used in this study was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the information given or forward-looking statements made. The information provided and forward-looking statements made are for informational purposes only and in no way constitute or should be taken to reflect Swiss Re’s position, in relation to any ongoing or future dispute. The information does not constitute any recommendation, advice, solicitation, offer or commitment to effect any transaction or to conclude any legal act of any kind whatsoever. In no event shall Swiss Re be liable for any loss or damage arising in connection with the use of this information and readers are cautioned not to place undue reliance on forward-looking statements. Swiss Re undertakes no obligation to publicly revise or update any forward-looking statements, whether as a result of new information, future events or otherwise.
.