Is the Fear of Cyberwar Worse Than Cyberwar Itself?

Cyber catastrophe is analogous to hurricanes, earthquakes, and other natural disasters—in which many insureds (and insurers) are hit at the same time.

The reinsurance industry helps insurers address systemic risks outside of cyber, with more than $600 billion in capital allocated for reinsurance globally. This support has been slow to gain ground in the cyber insurance sector, though. Rather than purchase cyber reinsurance designed to hedge against the risk of systemic events, as insurance companies do for property catastrophes, insurers have been more inclined to use proportional structures, through which they effectively give a share of their portfolios to reinsurers. This means that they cede both attritional and systemic risk to reinsurers.

Among the largest and most concerning systemic scenarios for both insurers and reinsurers is cyberwar. There is a persistent fear that cyberwar is virtually uninsurable and needs to be excluded. Leading reinsurer Munich Re, which is also a leader in the cyber reinsurance market, says that cyberwar “risk transfer is not possible” because “its consequences are so large and wide-reaching that private industry simply is not able to bear such a ruinous risk.” 

“Cyberwar is a subset of systemic cyber risk, within the broader category of cyber risk,” he adds. “Aside from war, systemic scenarios include, among others, cloud outages and attacks on centralized software vendors (Kaseya is an example).”

Johansmeyer concludes:

A healthy appreciation for the likelihood and potential impact of cyberwar could help improve how insurers and reinsurers model and price this risk, particularly as part of an effort to include coverage for cyberwar rather than exclude it. The industry’s actuarial capabilities are robust; they just need to be deployed to better effect with regard to cyberwar risk. Using refined assumptions with lessons from the conflict in Ukraine could help insurers and reinsurers pair their actuarial models with a narrative of the events being analyzed. If they want to hedge against a $20 billion industry-wide insured loss from cyberwar, they should be able to explain the nature of the risk and how such a loss could arise. Essentially, actuaries should be given the chance to be actuaries, rather than see the risk dismissed by timid executives long before the models are built. 

Finally, reinsurers need to translate that accumulated knowledge and understanding into underwriting, pricing, and reserving (determining how much capital to hold for future losses) practices. Rather than succumb to fear, reinsurers should equip their professionals with the historical thinking, context, and data available—all of which exists, sometimes to the point of abundance. Done properly, irrational impediments to the flow of capital will fall aside, and the reinsurance market will be able to respond to the nature of the risk rather than to the popular portrayal of it. The natural consequence of this improvement in the treatment of cyberwar should meaningfully fortify global economic security. The United States has made an important bet on cyber insurance by making it a material economic component of the nation’s cyber security strategy. If that bet is any guide, then it’s clear that an improved flow of capital could be a powerful force in global cyber security.