The cyber insurance market must continue to evolve to answer growing concerns about unquantifiable risks and the availability of coverage.
Head of Professional Liability & Cyber, Zurich North America
To say the digitization of global commerce is moving at a relentlessly accelerating pace is an understatement. Digital technologies are at the forefront of global development, providing ever-expanding opportunities for countries and businesses to accelerate economic growth and keep people connected. And the growth shows little sign of slowing, with digital transformation investment levels for 2022-2024 expected to be about $6.3 trillion.(1)
But with the exponential growth and benefits of digitization comes an increasing toll of cyberattacks. It’s predicted that by 2031 ransomware attacks will cost global business around $265 billion annually, with the potential for a new attack every two seconds as cyber criminals refine malware payloads and related extortion activities.(2)
Most individual data breaches are still driven by human elements. According to one technology industry report, 82% of breaches in 2021 involved the use of stolen credentials, phishing, misuse of network resources or simple error, demonstrating that people continue to play a very large role in cyber incidents and breaches.(3) However, increasingly sophisticated threats, such as more aggressive ransomware attacks by criminal groups, combined with rising geopolitical tensions escalating the potential for nation-state-sponsored cyberattacks on businesses and critical infrastructure, are adding to the worries of corporate CEOs and world leaders.
Focus on cyber resilience
Whether a cyber event occurs due to employee error or a bad actor leveraging vulnerabilities, businesses must focus on building cyber resilience by investing in updated tools on a regular basis and taking other steps to mitigate emerging cyber threats. One of the tools that a growing number of businesses have adopted as part of their cyber mitigation strategies is cyber insurance, which transfers some of the financial risk of an attack.
Many major property and casualty insurance carriers offer cyber insurance in some form, most often as stand-alone policies. But as losses have risen due to increasingly aggressive and costly cyberattacks, cyber insurance rates have gone up and terms have tightened as many insurers responded to a more challenging cyber risk environment. Among customers, this has led to concerns about the long-term viability of the cyber insurance market.
Zurich believes that a strong cyber insurance market will continue to be a vital component of the insurance industry’s services to customers around the globe. We are committed to providing ongoing cyber risk solutions, from risk transfer to Cyber Risk Engineering services aimed at helping customers defend against many of the tactics used by cybercriminals. But we also recognize that the cyber insurance marketplace will continue to evolve as threats posed both by criminals seeking financial gain and nation-state-sponsored actors pursuing geopolitical aims may intensify in the years ahead.
Managing unquantifiable risks
The most significant challenge facing cyber insurance markets today is that some aspects of cyber risk are essentially unquantifiable from an underwriting perspective. Dedicated cyber insurance products are relatively new entrants in the longstanding range of property and casualty products underwritten by insurers for many years. And while insurance carriers are amassing a growing body of loss data from customers with cyber insurance policies, the potential implications of sudden, large-scale, regional or global cyberattacks impacting entire industries and/or critical infrastructures are keeping risk managers, underwriters and government leaders awake at night. Such a massive cyber event could cause financial loss and commercial, industrial and societal disruption on an unprecedented scale, essentially rendering such unquantifiable risks uninsurable in traditional cyber risk transfer markets.
As the cyber insurance market evolves, steps are being taken to actively identify and differentiate between unquantifiable and quantifiable systemic cyber risk. The insurance industry is no stranger to dealing with unquantifiable risks. Traditional property and casualty insurance lines also present unquantifiable risks. For example, as an unquantifiable event, war is not routinely covered by traditional risk transfer products. But because cyber activity is intangible and essentially invisible, the awareness of cyber warfare is far lower than images of buildings and infrastructure destroyed by bombs or artillery rounds. And sadly, businesses using commercially available cyber risk-management tools are no match for militarized cyber weapons, as the WannaCry and NotPetya events of recent history demonstrated.
Like traditional weapons of war, cyberattacks perpetrated by nation-states are intended to disrupt economies and destabilize societies. This is the factor that makes the scale and impacts of such attacks fundamentally unquantifiable. Consider the systemic economic and social impacts imposed on an entire region thrust into darkness for days due to a targeted attack on the electrical grid.
An evolving insurance market
Clearly, the need for cyber insurance risk transfer and risk mitigation services is not going away, which means the cyber insurance market will persist in serving customers around the world. It will continue to evolve as the risk environment changes. But businesses of all sizes must have access to risk transfer and risk engineering services that will help them protect against financial loss and build resilience.
Zurich remains committed to providing cyber risk solutions for the quantifiable exposures such as data breaches and ransomware attacks. As the nature of cyber risk evolves, we will continue to use the insights we have gained with our book of cyber customers to structure relevant risk transfer solutions and risk engineering services to enhance customer resilience. And as the cyber insurance market itself continues to evolve, we will provide clarity around the issue of coverage for unquantifiable versus quantifiable systemic risk.
We welcome the opportunity for our industry to engage and work with governments on solutions for the unquantifiable risks of scale that are essentially uninsurable under the current cyber insurance market framework. What may be required to anticipate and respond to a future cyber mega-event is a public-private reinsurance mechanism not unlike the Terrorism Risk Insurance Act (TRIA) implemented in the aftermath of the September 11 terrorist attacks in the United States. Such state-backed Cyber Risk Pools can help support a viable response to unquantifiable systemic cyber risks.
Zurich views our continuing engagement in the cyber insurance market space as an integral part of the full spectrum of solutions we provide to customers in an increasingly uncertain world. We also stand ready to help customers take the risk mitigation steps that can help them strengthen their cyber defenses and make it easier for them to qualify for cyber insurance coverage. Some of the best available advice for firming up a culture of cyber resilience can be found at the NIST framework for cyber resilience techniques.
The cyber insurance marketplace will evolve as the risks it was designed to help defend against continue to transform. Zurich believes the need for relevant cyber insurance risk-transfer products and specialized risk engineering solutions will remain a vital line of defense for businesses of all sizes. We are here to help customers defend against risk, including one of the most serious threats industries, governments and society will ever face in the years ahead.
Delivering protection against risk is the baton the insurance industry has been carrying for its customers for centuries. And while the risks may change, the mission will remain the same.
1. “Digital Transformation Investments to Represent More Than Half of All ICT Investment by 2024, According to IDC Futurescape.” International Data Corporation (IDC). 28 October 2021.
2. Braue, David. “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031.” Cybercrime Magazine. 2 June 2022.
3. Data Breach Investigations Report. Verizon. 2022.