ARGUMENT: CYBERWAR SCAREIs the Fear of Cyberwar Worse Than Cyberwar Itself?

Published 15 November 2023

Unrealistic cyberwar expectations could hold the insurance industry back, and that’s the real economic security problem. The “hyperbolic characterization of cyberwar is likely a bigger problem than the threat of cyberwar itself. The problem is one of economic security,” Tom Johansmeyer writes.

Cyberwar is a scary concept. The thought of the grid going down, markets tanking, and mass riots is chilling. Tom Johansmeyer writes in Lawfare that popular media and entertainment accounts of cyberwar would have us believing we’re living right on the edge, with a few keystrokes enough to take the world to a dark place. “This alarmism has found some purchase in more sophisticated circles, which seems to lend credence to the belief that cyberwar is right around the corner, if not upon u,” he writes, adding:

But this hyperbolic characterization of cyberwar is likely a bigger problem than the threat of cyberwar itself. The problem is one of economic security.

The global insurance market has a cyberwar problem. The industry doesn’t understand the associated risks well, which has caused it to seek to avoid involvement with cyberwar altogether. By excluding cyber risks, the insurance industry buys into the culture of fear that has formed around cyberwar. This culture of fear has led insurers to require that their cyber teams hold extra capital out of concern that a major cyber conflict could devastate their balance sheets. This has to change. By refining its understanding of cyber-war risk, the insurance industry will be able to provide more insurance protection and make it more cost-effective. In the end, that would mean more insurance being provided and, as a result, greater economic security for businesses and society as a whole.

Johansmeyernotes that the global insurance market seeks to play a significant role in addressing cyber risk, although the industry’s engagement with cyber risk is still in its early stages. The cyber insurance sector is still small by broader insurance industry standards, with only about $13 billion in worldwide premium and roughly $400 billion in notional protection outstanding (the amount of insurance protection companies have purchased). 

Insurers have become quite adept at handling day-to-day cyber losses, such as isolated ransomware attacks and breaches: “Known as attritional losses, these are the sorts of claims insurers encounter and handle routinely, similar to slip-and-fall claims in liability classes of business and fender benders in auto.”

Systemic risk, by contrast, is more concerning. Also known as “cyber catastrophe” risk, it involves cyberattacks affecting a large number of companies at the same time, resulting in a significant and reasonably simultaneous aggregation of losses.