Swiss Re wants government bailout as cybercrime insurance costs spike

Giant forecasts premiums rising to $23b by 2025

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.

Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.

Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association.

While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. 

"The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."

The Swiss Re Institute recommends all three of these points to help mitigate exposure to cyber risk — and keep the insurance industry profitable. 

While the industry has typically quantified risks based on backward-looking data, that doesn't work for cyber risk for two reasons: a lack of standardized data, and the rapidly changing threat landscape.

"Introducing cybersecurity standards will improve data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modeling," according to the report.

Swiss Re also recommends insurers update policy language around exclusion clauses, terms and conditions to help clarify the scope of coverage. 

Other insurance firms and marketplaces are struggling with policy language as well. Lloyd's of London recently announced that its sellers' policies will soon stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not. 

Lack of clarity around coverage also landed two other major insurers, ACE American Insurance Company and Zurich American Insurance Company, in legal trouble after the 2017 NotPetya cyberattack. In this case, the question was around what constitutes an act of war — which even in cyberspace could invalidate an insurance claim — and whether insurance companies should pay damages caused by network intrusions supported or organized by nation states.

"Exposures to hard-to-insure systemic risk scenarios remain a barrier for industry capacity," the Swiss Re study noted. "Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem."

Swiss Re also called for "new sources of capital," and added that "public and private sector collaboration is key to mitigating cyber threats to critical infrastructure."

One way to do this would be a government-backed fund to address the cyber-insurance gap, according to the report. Along these lines, the US Treasury recently published a request for comment on questions related to cyber-insurance and catastrophic cyber incidents.

Another option "would be to tap into the market for insurance-linked securities," Swiss Re said.
