Swiss Re wants government bail out as cybercrime insurance costs spike

Giant forecasts premiums rising to $23b by 2025

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.

Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.

Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association.

While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. 

"The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."

The Swiss Re Institute recommends all three of these points to help mitigate exposure to cyber risk — and keep the insurance industry profitable. 

While the industry has typically quantified risks based on backward-looking data, that approach doesn't work for cyber risk for two reasons: a lack of standardized data, and the rapidly changing threat landscape.

"Introducing cybersecurity standards will improve data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modeling," according to the report.

Swiss Re also recommends insurers update policy language around exclusion clauses, terms and conditions to help clarify the scope of coverage. 

Other insurance firms and marketplaces are struggling with policy language as well. Lloyd's of London recently announced that its sellers' policies will soon stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not. 

Lack of clarity around coverage also landed two other major insurers, ACE American Insurance Company and Zurich American Insurance Company, in legal trouble after the 2017 NotPetya cyberattack. In this case, the question was what constitutes an act of war — which even in cyberspace could invalidate an insurance claim — and whether insurance companies should pay for damages caused by network intrusions supported or organized by nation states.

"Exposures to hard-to-insure systemic risk scenarios remain a barrier for industry capacity," the Swiss Re study noted. "Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem."

Swiss Re also called for "new sources of capital," and added that "public and private sector collaboration is key to mitigating cyber threats to critical infrastructure."

One way to do this would be a government-backed fund to address the cyber-insurance gap, according to the report. Along these lines, the US Treasury recently published a request for comment on questions related to cyber-insurance and catastrophic cyber incidents.

Another option "would be to tap into the market for insurance-linked securities," Swiss Re said. ®
