Cyber risks – insurable, but within limits

Cyber risk is an increasingly important topic. The cyber insurance market is still small and its development has been hampered by challenges related to the concept of insurability. Are cyber risks simply too big to insure?

Well, the answer is some of them are, but not all. The Institute of Insurance Economics of the University St. Gallen and Swiss Re have jointly published the first systematic analysis of potential risk transfer options for cyber risks. The study recommends using a wide range of risk transfer mechanisms, including reinsurance and alternative risk transfer, to improve the insurability of 'everyday' cyber risks. These could be hacker intrusions leading to data privacy breaches or Denial of Service attacks leading to business interruptions. Additional support could come from an anonymized data pool, accessible for the whole industry, which would help to increase cyber resilience. Certain standards, such as cover limits, risk assessments and a coherent terminology of cyber risk and cyber insurance should also be defined.

By contrast, the key issues related to the protection of critical infrastructures are the lack of data and large cumulative exposures. Here the authors recommend involving the relevant government to enhance the insurability of extreme scenarios.

Jayne Plunkett, Head of Casualty Reinsurance Underwriting at Swiss Re, highlighted that the market can collaborate on improving 'everyday' cyber risk, but that the protection of critical infrastructures, such as power production, must become part of any national and supranational strategy involving all relevant stakeholders.