Protecting society from an unprecedented cyberattack will require more than insurance, says Geneva Association report
November 2023 by The Geneva Association
Growing geopolitical tensions and the use of digital technologies are amplifying cyber risks, with cyberattacks increasing by 38% in 2022 compared to 2021, globally.1 Although the dedicated cyber insurance market has grown rapidly over recent years, a huge protection gap persists, especially if an unprecedented, extreme cyber incident – striking multiple, large segments of the global economy – were to occur.
The prospect of such a severe cyberattack significantly hinders reinsurers’ appetites to assume cyber risks. A major incident could trigger claims from policyholders across various lines of business, leading to significant loss accumulation in their underwriting portfolios.
A new Geneva Association report, Cyber Risk Accumulation: Fully tackling the insurability challenge, explores obstacles to insuring peak cyber risks. It concludes that the factors which drive extreme cyber losses cannot typically be modelled with standard statistical approaches, not least because the extent of cyber damage heavily depends on the interplay between the incentives and resources of both attackers and victims, which are not easily calibrated and quantified.
Engaging in knowledge-sharing partnerships with government security agencies, critical infrastructure providers and technology companies, the report recommends, can help re/insurers better understand cyber threats, enabling them to expand the scale and scope of insurance protection. Even so, there are limits to the amount of financial loss the re/insurance industry can safely and sensibly absorb. The Geneva Association’s report suggests that a government ‘backstop’ for major cyber incidents might also encourage re/insurers to extend coverage and increase their risk-absorbing capacity.
Jad Ariss, Managing Director of The Geneva Association, said: “If the COVID-19 pandemic taught risk managers anything, it is that we must prepare for catastrophic events; we cannot rely solely on response mechanisms after the fact. That is why re/insurers, governments and others need to establish the right cyber partnerships now – not only so insurers are positioned to offer more cyber risk protection, but so there are viable financial and operational solutions in place should a widespread, devastating cyberattack actually occur.”
Darren Pain, Director Cyber at The Geneva Association and author of the report, said: “The many unknowns around cyber risk are fostering a massive cyber protection gap. With better data and understanding of cyber threats and their loss accumulation potential, insurance can help narrow that gap. But better cyber risk models alone will not be enough. Our report urges the right partnerships be put in place among re/insurers, technology providers, governments and others to help create a larger, more sustainable cyber insurance market.”
The Geneva Association is the only global association of insurance companies; its members are insurance and reinsurance CEOs. Based on rigorous research conducted in collaboration with its members, academic institutions and multilateral organisations, The Geneva Association investigates key risk areas that are likely to impact the insurance industry, develops recommendations and provides a platform for stakeholders to discuss them. In total, the companies of Geneva Association members are headquartered in 26 countries around the world; manage USD 21 trillion in assets; employ more than 2.5 million people; and protect 2.6 billion people.
1 Checkpoint 2023.