How Big Is the Cyber Insurance Market? Can It Keep Growing?

Tom Johansmeyer
Tuesday, June 27, 2023, 11:01 AM
The cyber insurance market may be small, new, and volatile, but it could also become an important form of economic security.

Published by The Lawfare Institute
in Cooperation With
Brookings

The cyber insurance market may be small, new, and volatile, but it could also become an important form of economic security. In fact, the Biden administration appears to be counting on that. Cybersecurity strategy could be improved with a better understanding of the basic characteristics of the cyber insurance market, particularly its size, the size of the cyber reinsurance market on which it depends, where future risk capital could come from, and at what price. Publicly available data on the size and reach of the cyber insurance and reinsurance, or re/insurance, market is thin and often dated. Views on how much premium is written or coverage is outstanding often have to be cobbled together from disparate sources, with subsequent projections built on a shaky foundation. 

This piece seeks to provide a better starting point for such analysis. Using a mix of formal and informal research methods—hardly ideal but utterly practical—I’ve pulled together industry-wide estimates for cyber re/insurance premiums and coverage outstanding, as well as a view on historical growth. Further, given the strategic role that the insurance-linked securities (ILS) market could play in bringing breadth and depth to the cyber re/insurance market, I’ve included a few thoughts on the scope of cyber ILS so far, as well as how that market could continue its growth trajectory. 

Sources and Methods

It’s notoriously difficult to form a comprehensive and accurate view of the global cyber insurance market. At best, publicly available data reports tend to focus on the overall U.S. market, which may represent only 55 to 60 percent of the cyber insurance industry worldwide, according to both formal interviews and private discussions. While the data afforded by the likes of A.M. Best and the National Association of Insurance Commissioners tends to be the best available, it still leaves some nontrivial gaps. Company reports can range from pure propaganda to the high-quality research often produced by the Swiss Re Institute and Munich Re NatCatSERVICE. Again, such reports are helpful but still offer only a partial view. 

While the following view of the cyber re/insurance market size and composition is hardly perfect, it aims to advance our collective understanding of the market as it stands today and where it could go tomorrow—while also offering something more than the “anecdata” currently shared by word of mouth. The methods used to compile the data below are mixed, beginning with a review of publicly available sources, as described above, to provide a foundation for the private sources of information gathered. This foundation was supported by interviews with seven cyber insurance executives, 10 cyber reinsurance executives, and 10 ILS managers on a wide range of cyber re/insurance market dynamics. The formal research and interviews focusing on market size and composition are supplemented by informal conversations with re/insurance and ILS market players.

The results below consist of both point estimates and ranges. In an inexact exercise, the latter can help frame the probable, and the included point estimates can be supported sufficiently based on the underlying conversations or publicly available sources. This piece is an attempt to document the side conversations that occur in any market environment and present them in a manner in which they can help with further analysis, cyber insurance market growth, and even improved cybersecurity, given the role of insurance in economic security and the stated reliance on the private sector in the latest U.S. National Cybersecurity Strategy.

Global Cyber Insurance Premiums and Limit Outstanding

Global cyber market premiums tend to be easier to ascertain in retrospect, and time adds at least a bit of certainty. As a result, recent estimates are most likely to defy consensus, with those for 2023 being the most volatile by nature. The year is still in progress, and market conditions could influence the final result. Conversations with the market players and experts suggest that global cyber insurance premiums could end this year at up to $15 billion. Recent rapid rate increases, however, have slowed—which isn’t a surprise—meaning that a more modest outcome of around $13 billion is more realistic. 

The 2022 figure is also fairly difficult to estimate because it’s so recent, but estimates of global cyber insurance premiums range from Swiss Re’s $10 billion to Munich Re’s $11.9 billion to as much as $14 billion. Several private sources put the 2022 estimate at around $10-12 billion. These numbers also square with independently calculated estimates of worldwide reinsurance premiums (more on this below). Even at the low end of the 2022 range, global cyber premiums clearly climbed sharply from the 2021 Swiss Re estimate of $8 billion, itself up from only $5.5 billion in 2020.

The high rate of market concentration may contribute to some of the volatility of industry estimates. Despite the high rate of premium growth recently, the cyber insurance market remains highly concentrated. The five largest insurers account for as much as a third of the worldwide total, according to estimates gathered from formal interviews, in conjunction with the market size estimates above. Market share could vary from the range above, but the point nonetheless remains. Further, focus on cyber insurance premiums masks the fact that revenue growth does not mean an increase in protection for end insureds. In fact, premiums have grown far faster than the protection offered for cyber risks.

The amount of cyber insurance limit outstanding is even harder to estimate than premiums. Informal private conversations yield a 2022 range of around $360-500 billion. The estimates at the higher end come from sources who believe that the market shares of the largest players are relatively low, while the lower estimates reflect a belief that market concentration is quite high. A working estimate of $400-450 billion seems to be the right fit, as it would reflect an average rate on line (ROL)—or cost of insurance—ranging from around two and a half percent to a little more than three percent, which seems indicative of the recent rate increases that led to such significant premium growth. There’s still room for people to disagree reasonably, but the range of the potential 2022 premium suggests a limit outstanding of at least close to $400 billion and pretty far down from $500 billion.

Global Cyber Reinsurance Premiums and Limit Outstanding

Historically, estimating the global reinsurance premium in the cyber market was as easy as halving the insurance estimate. A Swiss Re report put the rate at which insurers cede cyber to reinsurers at 45 to 50 percent, although some private sources say it could be as high as 55 percent. That would put the 2022 global reinsurance premium at $7 billion, 2021 at close to $5 billion, and 2020 at a bit under $3 billion. The year to come is more difficult to forecast, as some structural factors have changed the amount of reinsurance that insurers may consume. 

Until this year, insurers have largely relied on quota share structures, through which reinsurers basically share proportionately in the business written by the insurers they cover. On the one hand, some non-proportional reinsurance covers made it into the market, but they represented a small slice of overall cyber reinsurance risk transfer. So-called event covers, which provide reinsurance protection for insurers when there is a single catastrophic cyber loss event, on the other hand, were few and far between. In 2023, however, event covers have begun to gain some traction. Because they consume less capital than quota shares, the move to more event cover may appear to cost the cyber reinsurance sector some growth. 

The increased use of non-proportional reinsurance—including event covers—makes it difficult to estimate cyber reinsurance premiums by halving cyber insurance premiums, particularly because some larger cyber insurers have integrated more event covers into their risk transfer strategies. If we take 2022’s cyber insurance premium at $10-14 billion, then the worldwide cyber reinsurance premium would be something less than $5.5-7 billion, and probably closer to $5-5.5 billion. What’s interesting, though, is that nominally smaller cyber reinsurance growth could enable disproportionately faster cyber insurance market growth, since insurers would be able to keep more of their attritional business, hedge out the catastrophic exposure, and use their capital more efficiently. 

Market concentration appears to have been alleviated to some extent by the entry of new reinsurers into the sector. The five largest reinsurers accounted for more than 80 percent of worldwide premiums in 2021, and for 2022, that concentration fell to 50-60 percent. The sharp drop is implied by two underlying factors evident especially in the formal interviews. One is the entry of new participants, or reinsurers, into the market. Admittedly, this did little to alleviate the previously high rate of market concentration directly. The second factor is that smaller and mid-sized reinsurers not only saw rate increases from their quota share business but also saw those rate increases as a reason to lean further into the cyber reinsurance market, a move further encouraged by the post-ransomware lull (at least in terms of insured losses, if not actual attacks) beginning in the second half of 2021. However, even these expansionary forces have been dulled by the question of access to additional capital.

Several reinsurers revealed in their formal interviews that they would need access to retrocession (reinsurance for reinsurance companies) to support further growth. While some reinsurers already write retrocession—“retro,” as it’s known colloquially—they don’t offer much capacity. Further, many prospective buyers would like to see retro come from outside the reinsurance sector as a way to protect against systemic risk. Even with the changes over the past year, cyber reinsurance remains highly concentrated. A few changes in business strategy could cause a meaningful chunk of that risk capital to be diverted to other classes of business. That’s why reinsurers need access to a separate source of retro capital, and that points directly to the ILS market.

The Nascent Cyber ILS Market

ILS refers to a segment of the global re/insurance industry that uses capacity from the capital markets. As insurers lay off risk to reinsurers, both insurers and reinsurers may package up risk into a variety of formats to secure protection from these outside sources of capital. Initially seen as an outlet for retro in the property-catastrophe space, the ILS market has evolved to take on additional risks, although natural catastrophe is still the bulk of what the sector covers. In fact, the role that the ILS market initially played in “peak peril” risk transfer—the most difficult systemic risks, such as a hurricane in Florida or a typhoon in Japan—is seen as a model for how it could operate in the cyber re/insurance market, where peak perils could be viewed as cloud outage and self-replicating malware. 

The cyber re/insurance market has sought ILS involvement for years, even before my early efforts to help develop the Property Claim Services (PCS) Global Cyber industry loss index in 2017. In fact, the PCS team (which I led at the time) began working on the loss index to support the forms of alternative risk transfer that ILS managers would want to consume. It has taken time for protection buyers to understand some of the quirks of ILS risk transfer—from collateral management to minimum ROLs—with early trading consisting of small, bespoke transactions with little opportunity to scale. But that’s changing—quickly. 

The cyber ILS market has achieved a limit outstanding of as much as $1 billion, roughly a 100 percent year-over-year increase. The fact that it is still a hair less than one percent of the $104.9 billion in ILS capital currently under management suggests not just that cyber ILS is still small but also that it has plenty of room for growth. The fact that cyber is a diversifying risk for ILS managers focused heavily on natural catastrophes could make it an increasingly attractive class of business for some. 

Further cyber re/insurance market maturation will be necessary to enable access to more ILS capital. Interviews suggest that further improvements to event definition will help, as well as the issuance of liquid instruments (with the recent cyber catastrophe bond being a good first step). Finally, cyber risk and event modeling, according to most interview participants, need to continue to advance in order to more fully meet the needs of ILS managers. The good news is that the market is generally headed in the right direction and simply needs to continue to refine what it already does.

How to Raise the Stakes Responsibly

Cyber re/insurance market growth is certainly important in its own right. It’s possible to claim dismissively—or even derisively—that an expanded cyber re/insurance market is simply a way to drive more profit into the insurance industry. Of course it is. And there’s nothing wrong with that. Successful businesses are good. Successful insurers continue to provide financial protection to society. That’s a worthy enough aim in itself. But the stakes are far higher than commercial success. Cyber re/insurance has emerged as a key pillar for cybersecurity, just as re/insurance has long been a largely unsung contributor to economic security. As the most recent U.S. National Cybersecurity Strategy reveals, cyber re/insurance plays a direct role in economic security and could play a larger one as time passes.

The quantification of the current state of the global cyber re/insurance market explored here—as well as the support offered by the ILS sector—provides a crucial reference point for further strategic planning, be it corporate or state security. Much of the analysis produced has had to rely on tenuous assumptions, optimistic projections, and, frankly, guesswork. It’s tough to operate under those circumstances. With at least a preliminary view of the size and composition of the global cyber re/insurance market, the analysts, scholars, and other stakeholders looking at the cyber re/insurance market hopefully will be able to apply their talent to greater effect.


Tom Johansmeyer is a POLIR Ph.D. candidate at the University of Kent, Canterbury. Based in Bermuda, where he also works in the reinsurance industry, he was previously the head of PCS at data/analytics firm Verisk, which provides data on industry-wide insured loss events for both natural and man-made events. Under Tom’s leadership, PCS developed the first such tools for global cyber risk. Tom proudly pushed paper in the U.S. Army in the late 1990s, and if you were in the 2nd Infantry Division in 1998, you might have bugged him for your reassignment orders.
