If Cyber Is Uninsurable, the United States Has a Major Strategy Problem
Debate within the insurance industry over cyber risks reveals an important potential weakness, but the reality is far more nuanced.
Published by The Lawfare Institute
in Cooperation With
The most recent U.S. national cybersecurity strategy leans heavily on private-sector support, to include the insurance industry. Under Strategic Objective 3.6, the administration will explore the “the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.” Prudently taking the view that structuring a solution before an event occurs instead of rushing to provide aid after, the national cybersecurity strategy seeks a supporting role for government in the existing commercial insurance market, a view that many in the insurance industry support.
However, some key insurance industry leaders disagree, and the fact that they don’t could become a problem, impeding the flow of capital to the insurance industry and simultaneously forcing open a gap in U.S. cybersecurity strategy.
Despite the development of a reasonably large, stable, and resilient cyber insurance market, some observers still contend that cyber is not insurable. They claim that the risk is too big, too dynamic, too embedded, or simply too new to understand. Should the worst of worst-case scenarios occur, such as the complete shutdown of the internet worldwide for a week, as one insurance executive told me, the consequences would be virtually unimaginable. The disruptions to communications, supply chains, and end-consumer commerce would be both broad and deep—and on a scale certainly not seen so far. This inherent contradiction in the market could ultimately undermine the U.S. view of cybersecurity strategy. The U.S. national security strategy implies a role for a robust and reliable cyber insurance market, which means that U.S. cybersecurity relies on the availability of insurance.
A Terrifying Prospect
Insurability as a general matter relies on several underlying characteristics, including a large pool of “homogeneous exposure units,” independence among those units, and the avoidance of potential catastrophic events, among other things. Like many risks, including property, cyber could be seen as uninsurable. Technology, as is said all too often, has permeated our lives and become embedded in everything we do. We’ve all heard this ad nauseam, and it is largely true. The outage of a logistics system used by major shipping companies could cause backups at large ports and empty grocery shelves across the country. However, insurability is not limited to the academic definition above: Many classes of insurance risk do not consist of large pools of homogeneous exposure units. Specific and unique risks are regularly underwritten in the specialty market. And catastrophic risks are routinely transferred to reinsurers, as the property insurance market has done as a matter of course for decades. Cyber insurance is no different, with smaller risks following the definition of insurability above, and larger specialty risks requiring unique and specific attention.
The tendency to believe that cyber is uninsurable because of the vastness and interconnectedness described above comes down to a fear of the unknown applied to a large interconnected system that implies swift and significant consequences if something goes wrong. Such concerns are evident in the perspectives of several insurance executives on the insurability of cyber risk, including Zurich Insurance CEO Mario Greco, Convex Insurance Executive Chairman Stephen Catlin, and Swiss Re CEO Christian Mumenthaler. Theirs are opinions not to be taken lightly, as experienced leaders and among the most respected minds in the global market. And they’re concerned. Or downright terrified.
Greco says cyber could become uninsurable, believing that there is a limit to how much loss can be absorbed by the private sector. He goes so far as to claim that “this is not just about data … this is about civilization.” Catlin claimed earlier this year, “As an insurer, I’m avoiding cyber like the plague because I’m so terrified of systemic risk.” This builds on a comment from 2019, in which he explained that the “aggregation of the exposure is mindboggling.” He notes that insurance is a “promise to pay” and he “won’t sell a promise [he] can’t honour.” Mumenthaler called the cyber insurance market “very tiny compared to the total exposure” and said that the “problem is so big it is not insurable,” shortly after the ransomware attack on Colonial Pipeline.
To explore this issue, I interviewed eight cyber insurance executives who represent 40 percent of the industry’s worldwide cyber premium. These subjects are comfortable with the insurability of cyber and have ideas on how to manage the more difficult aspects of the risk, including larger systemic concerns that remain a threat. Further, their views offer insight into how systemic cyber risks could be further mitigated, to the benefit of both the cyber insurance market and society, and how doing so could be a building block for national security strategy.
While it’s true that this piece focuses on the views of insurers already assuming cyber risk, most major insurers are in the cyber market, so this inquiry seeks to understand why they are comfortable with cyber insurance, in an effort to answer the question of insurability. In fact, for many, cyber isn’t just insurable: In the United States and other Western markets, it’s mature to the point of saturation. That in itself speaks to the strength of cyber insurance as an implement of national cybersecurity and economic security.
Cyber Is Insured. But Is It Insurable?
The fact that there is a cyber insurance market is not necessarily incompatible with questions about whether or not cyber risk is insurable. Cyber is a relatively new risk, and there is room for disagreement as to whether or not it is large, diverse, and predictable enough to be insured. For industry executives concerned about the insurability of the risk, as discussed above, management of systemic risk is the concern. They see the pervasiveness of cyber as a barrier to insurability—think of the problem as a digital hurricane with global scale. Such an event, they contend, is impervious to diversification. One such event could conceivably consume disproportionate insurance capital and threaten the industry as a whole. However, the most salient counterpoint to those beliefs comes from the activity of other insurers, who have opined with their capital.
Although it is still small and young, the cyber insurance market has grown from an estimated $5.5 billion in worldwide premium in 2020 to $8 billion in 2021 and an estimated $12-14 billion today (estimates vary). Cyber reinsurance—colloquially, cyber “insurance for insurance companies”—is around half that. The amount of cyber insurance extended to customers is also difficult to pin down, but estimates range from just under $400 billion to just over $500 billion.
Cyber is small compared to other older and more mature lines of business, like U.S. auto—where the top 10 insurers have premiums of around $270 billion, based on data from the Insurance Information Institute. To put this in perspective, U.S. cyber insurance is around 60 percent of the market, meaning U.S. cyber insurance outstanding is $240-300 billion. That’s roughly the amount of premium that auto insurers collect in the United States. The difference is staggering. Compared to other specialty commercial insurance markets, though—such as marine ($33 billion in premium) and directors and officers insurance ($13.5 billion in premium)—it’s meaningful. As to its insurability, therefore, insurers have clearly voted with their capital.
The eight insurance participants I spoke to, who oversee more than $4.5 billion in premium, consistently support the insurability of cyber risks. While this should come as no surprise, given their collective market presence, the reasons for their support are compelling. One executive, based in the United States, differentiates insurance from gambling, noting the analysis necessary for insurers to underwrite a risk, explaining, “We have to be able to have a certain predictability associated with the risk,” which enables insurers to “quantify and price for it.” Another executive, this one based in the United Kingdom, adds that cyber activity “happens with a reasonable level of frequency and manageable severity.” Although specific incidents defy predictability, in general, annual loss activity, he and others contend, is quite predictable, which is a key element of determining insurability.
To keep from being overrun by potential losses, insurers engage in a wide range of risk management activities. Respondents indicate that they keep an eye on how much cyber insurance they write, seek diversification within their cyber portfolios, and use cyber as a diversifier in the overall businesses. Further, they exclude certain problematic risks and purchase reinsurance—a lot of it. As indicated above, insurers cede out roughly half the cyber risk they assume to reinsurers. Cyber risk certainly becomes more insurable with support from reinsurers, which distributes the risk further and minimizes the effects of a major loss event to any one company. Such systemic risks are among the insurance industry’s greatest concerns, especially because the reinsurance protection they secure isn’t enough to cover their exposure. Further, if they could access more reinsurance, insurers would be able to assume more cyber risk, with the resulting growth ultimately becoming a more resilient platform for state cyber and economic security.
The insurers interviewed note several possible catastrophic cyber scenarios that keep them up at night, including a major cloud outage, self-replicating ransomware similar to NotPetya but with more scale, and cyber war. Efforts to exclude systemic risks from insurance policies have gained limited traction, according to the interviews, and reinsurers’ appetites for such risks have been limited. In fact, reinsurers are eager to hedge the exposures they already have to these risks by transferring them into the “retrocession” market, which is effectively reinsurance for reinsurers. The result is that an apparent shortage of capital has resulted, at least for the specific risks insurers want to transfer to reinsurers. Unblocking the flow of capital, through hedging mechanisms and the development of more capital sources, could result in a significant increase in insurance protection, with an attendant impact on cyber and economic security. The federal cyber insurance backstop noted by the national cybersecurity strategy would certainly help, but it is most likely part of a broader capital solution.
From Insurance Capital to Cybersecurity
Insurers need access to more capital for cyber risks, particularly for the specific set of scenarios they find most troubling, such as those described above. Fortunately, there are two potential solutions, although both require some work to develop. The first is risk transfer: a way for insurers to secure additional reinsurance for those risks in excess of the caps on their existing reinsurance protection. Second, the federal backstop for terrorism illustrates how that element of the national cybersecurity strategy could be implemented in a way that bolsters the cyber insurance market while providing ongoing steady protection for society against major cyberattacks.
Seven of the eight responding insurance executives raised the concern that a major event could exhaust their reinsurance coverage and then cause the insurer further losses, although some did so implicitly. The eighth did not raise the issue, and the direction of the conversation suggested adequate reinsurance access for the company’s strategy, although there may be further nuance that we weren’t able to explore. For the seven concerned about the magnitude of systemic cyber risks relative to their reinsurance protection, the need for further risk transfer is evident. Developing a market for these large but more remote risks would not only help insurers hedge the risks they have above their reinsurance caps, but it would also enable reinsurers to raise those caps, because they would be able to hedge out some of the increased systemic risk they would take on by raising those caps.
New sources of capital will be crucial to remedying this problem. Insurers have relied heavily on reinsurers to help them grow. Existing reinsurers are constrained in how much more capital they can allocate to cyber risks, and new entrants have come into the market cautiously, with small commitments. Even sufficient growth among existing reinsurers to meet the needs of insurers could be problematic. According to one U.S. cyber insurance executive, “From just the way the market is structured right now, one reinsurer could have seven bites at the same apple for a large enough client.” The cyber reinsurance market is highly concentrated, although not to the extent it was even a year ago. Still, there is a concern that too few companies could bear too much of the burden. Even if a major cyber event did not pose a solvency risk (which it likely wouldn’t, due to the other risk management measures described earlier in this article), it could still result in enough change in risk appetite to make the economics of such coverage untenable.
More capital could come from the insurance-linked securities (ILS) market, which comprises specialist investment managers who allocate capital to insurance risks. The overwhelming majority of the sector’s $104.9 billion is currently allocated to property-catastrophe risks, but the sector has begun to participate in the cyber insurance market. From an estimated seven participants in early 2022, at least 10 now have experience with cyber ILS. Several of the cyber insurance executives interviewed, in fact, have used support from this market. The potential role of ILS in the cyber insurance market is still evolving, but the potential is clearer than it was even a year and a half ago.
Along with an influx of capital from new sources, a federal cyber insurance backstop, as contemplated by the national cybersecurity strategy, could provide useful support for extremely remote but devastating cyberattacks. One U.S. cyber insurance executive, in fact, notes the “psychological” benefits of such a backstop, explaining that there’s comfort in “knowing that there is a safety net of sorts, not just a continuous open-ended freefall” after a major catastrophic cyberattack. The key, though, is to find the right level at which such support should kick in, given concerns that a federal U.S. backstop would disincentivize reinsurers from taking on more risk—or, alternatively, would deprive them of a market opportunity.
Executed with a view to future insurance and reinsurance market growth, a U.S. cyber insurance backstop could be quite useful. Having chastised the global re/insurance industry in the past over a willingness to pass on a major market growth opportunity, I stand publicly corrected. In addition to such a backstop offering a structured solution in advance rather than a rushed “aid package after the fact,” as proposed by the national cybersecurity strategy, history shows the benefits of such backstops in driving broader re/insurance capacity to absorb risk. The introduction of the Terrorist Risk Insurance Act (TRIA) in 2002, following the terror attacks of Sept. 11, 2001, provided the respite necessary for a large market for terror and political violence re/insurance market to emerge.
The two solutions together—increased private market capital for systemic cyber risk and a federal cyber insurance backstop—could address the major systemic cyber risks that pose the greatest risk to national security. Reinsurance for systemic risks would provide the first layer of protection for the companies today that worry about how much of the risk they have to carry themselves, as well as how much more they could grow with access to further risk transfer capacity. And the support from a federal backstop would provide the comfort necessary to all risk bearers to know that an event too big for the insurance industry to handle on its own would be met with a financial remedy, planned in advance, that is fit for purpose.
Cyber risk may be insurable, but the insurance market could certainly benefit from some more help. Reinsurance support has been crucial in expanding the breadth and depth of cyber insurance protection, but new sources of capital to address specific scenarios will provide the backbone for the next phase of industry growth. And for the risks too large and remote to be transferred even to new capital sources, a federal backstop could provide the comfort necessary that even the worst cases will be addressed according to plan.