A staggering 90% of cyber risks remain uninsured, according to a new report by Swiss Re.
The report found that due to increased digitization accelerated by the COVID-19 pandemic and current geopolitical tensions, there was a large possibility of catastrophic fallout from cyberattacks targeting private businesses and critical infrastructure. It estimated annual global cyber losses at about $945 billion.
While about 90% of cyber risk remained uninsured, the report said that the insurance sector could help increase cyber resilience by tackling the cyber talent shortage, using standardized data and better modeling, and identifying new sources of capital.
Other key findings of the report include:
Small and medium-sized enterprises were especially vulnerable to cyberattacks thanks to their low defense capacity. Most SMEs are uninsured or significantly underinsured for cyber risks. Swiss Re estimated that the total costs of handling a cyber incident for SMEs are, in relative terms, three times more than for large corporations. Forensic costs for SMEs in the wake of a cyber incident typically range between $20,000 and $100,000.
The increasing digitalization of critical infrastructure sectors means the possibility of a cyber attack is growing rapidly, with attacks becoming more sophisticated. Hackers now use triple-extortion techniques, and ransomware-as-a-service has lowered entry barriers to cybercrime.
The rising frequency and severity of cyberattacks has been the main driver of growth in the cyber insurance market. Global cyber insurance premiums hit an estimated $10 billion last year, and Swiss Re predicts 20% annual growth to 2025, with total premiums rising to $23 billion.
Despite having grown rapidly, premiums are still only a fraction of annual losses due to insurability limitations. Swiss Re found that systemic losses could overwhelm reinsurers.
While increasing prices, improving underwriting discipline, introducing sub-limits and coinsurance, and clarifying terms and conditions have been successful for cyber insurers, Swiss Re said that standardizing data and optimizing modeling, updating policy language for clarity and consistency, and identifying new sources of capital will be necessary to help mitigate overall exposures, improve understanding of cyber risk and make society as a whole more resilient to large-scale attacks with potentially systemic consequences.
“There is much work to do to ensure sufficient risk protection is available to make society more resilient to cyber risk, and this effort will require collaboration between businesses, the insurance industry and government,” Swiss Re said.