Digital Transformation Requires Closing the Cyber-Insurance Gap


November 28, 2022


In a world with geopolitical instability alongside the growing digitalization of life and business, the risk of costly and disruptive cyber attacks is considerable, raising the need for cyber resilience, a new report suggests.

Despite the magnitude of the threat, some of today's cyber risks don't meet the typical characteristics of insurability, the Swiss Re Institute notes in its Cyber Insurance: Strengthening Resilience for the Digital Transformation report.

"Most notably, the aggregation of losses could quickly and significantly impair diversification and/or challenge market capacity," the November 7, 2022, report says. "The risk is hard to quantify because of immature data and a lack of model consensus."

That limited insurability has constrained cyber-insurance capacity despite growing demand, Swiss Re says, challenging the growth of the cyber-insurance market in the longer term. Overcoming those limitations requires more cyber talent, standardized data, better modeling, greater contract consistency, and new sources of capital, according to the report. Such steps could also help activate a market for cyber insurance-linked securities.

"Likewise, there is scope to consider opportunities for new types of public-private risk sharing mechanisms," Swiss Re says. "These measures can help mitigate overall exposures, improve risk understanding, and help make society more resilient to attacks with devastating and potentially systemic consequences."

While the world has yet to see a systemic cyber incident, the cyber-risk landscape continues to evolve. As it does, concerns from both businesses and governments over ransomware attacks and cyber security are at an all-time high, the report says.

The report quotes a McAfee estimate that global monetary losses from cyber crimes hit $945 billion in 2020.

"Attacks have become more sophisticated. Hackers now use 'triple extortion' techniques, and ransomware-as-a-service has lowered entry barriers to rogue actors," Swiss Re says. "Small and medium-sized enterprises (SME) with little defense capacity have become easy targets for cyber criminals, while digitalization of industries including the healthcare and critical infrastructure sectors, has increased vulnerabilities across entire supply chains."

Those "triple-extortion" techniques see cyber criminals encrypting and extracting a company's data against two separate ransoms—the first to unlock the company's system and the second not to disclose the data, Swiss Re says. Hackers then might leverage the stolen data to extract a third ransom from the data's primary owner.

Businesses, insurers, and public authorities have all upped their risk management efforts, the report says, while industry associations and insurers have worked together to address the issue of "silent cyber"—cyber-insurance losses in policies that were not specifically designed to cover cyber risk—by clarifying the scope of traditional policies.

"Insurance plays a key role, providing not just for risk transfer but incentivizing risk mitigation, supporting monitoring, and aiding responses to cyber attacks," the Swiss Re report says.

While the focus of cyber insurance was originally on data breaches and third-party liability, the rise of ransomware attacks has shifted damages to core business and first-party liabilities such as the cost of the ransom, forensic and data restoration costs, and business interruption, Swiss Re says. Businesses could also suffer reputational damage that can affect relationships with customers and their market capitalization.

Global cyber-insurance premiums reached $10 billion in 2021, the report says, with premiums projected to reach $23 billion by 2025.

Despite the growth in cyber-insurance premiums, the cyber-insurance market remains small relative to the size of the fast-evolving risk, Swiss Re says, and there remains a large protection gap. Cyber-insurance premiums represent just a fraction of total cyber-attack losses, according to the report. Most businesses are either uninsured or severely underinsured for cyber risks, the report says, citing a recent BlackBerry survey in which 55 percent of businesses reported having cyber insurance and fewer than 1 in 5 said their coverage limits were above the median ransomware demand.

In recent years, cyber attackers have become particularly interested in SMEs. "Smaller companies with lower cyber-defense capacities have become easy targets for cyber criminals and their loss absorption is more limited than at larger corporations," the report says.

With more limited cyber defenses than their larger counterparts, SMEs often have limited attack preparedness or incident protocols in place when an attack occurs, Swiss Re suggests. "It will thus take longer for the threat to be detected and resolved and all the while, first-party losses rise," the report says.

In relative terms, the total claim from a cyber incident targeting an SME is three times that for large corporations, Swiss Re estimates. Forensic costs typically range from $20,000 to $100,000 for a firm with less than $50 million in revenue, the report says.

"The surge in ransomware attacks drove loss ratios higher in 2020," the report says. "Insurers responded by increasing prices, improving underwriting discipline, introducing sub-limits and coinsurance, clarifying terms and conditions, and excluding—or explicitly pricing for—cyber exposures in other property and liability policies. These actions had a degree of success: loss ratios plateaued in 2021."

As businesses look to improve their cyber-risk management and the insurance and reinsurance industry looks to address such issues as data quality and modeling and clarifying policy language, there is also a need for new types of public-private risk sharing mechanisms to address some of the evolving cyber risks, the Swiss Re report suggests.

"The human and networked nature of cyber means the risk will continually evolve and require a coordinated response," Swiss Re says. "Enhancing resilience will require collaboration between corporations, insurers, and governments."
