Swiss Re wants government bail out as cybercrime insurance costs spike

Giant forecasts premiums rising to $23b by 2025


As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.

Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.

Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association.

While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. 

"The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."

The Swiss Re Institute recommends all three of these points to help mitigate exposure to cyber risk — and keep the insurance industry profitable. 

While the industry has typically quantified risks based on backward-looking data, that doesn't work for cyber risk for a couple of reasons: a lack of standardized data, and the rapidly changing threat landscape.

"Introducing cybersecurity standards will improve data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modeling," according to the report.

Swiss Re also recommends insurers update policy language around exclusion clauses, terms and conditions to help clarify the scope of coverage. 

Other insurance firms and marketplaces are struggling with policy language as well. Lloyd's of London recently announced that its sellers' policies will soon stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not. 

Lack of clarity around coverage also landed two other major insurers, ACE American Insurance Company and Zurich American Insurance Company, in legal trouble after the 2017 NotPetya cyberattack. In this case, the question was around what constitutes an act of war, which even in cyberspace could invalidate an insurance claim, and whether insurance companies should pay damages caused by network intrusions supported or organized by nation states.

"Exposures to hard-to-insure systemic risk scenarios remain a barrier for industry capacity," the Swiss Re study noted. "Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem."

Swiss Re also called for "new sources of capital," and added that "public and private sector collaboration is key to mitigating cyber threats to critical infrastructure."

One way to do this would be a government-backed fund to address the cyber-insurance gap, according to the report. Along these lines, the US Treasury recently published a request for comment on questions related to cyber-insurance and catastrophic cyber incidents.

Another option "would be to tap into the market for insurance-linked securities," Swiss Re said.
