Some of my Cyber Thoughts – April 2, 2025

I still don’t believe insurance carriers should offer cyber insurance. Why?

Because cyber risks won’t generate combined ratios under 100% on a persistent basis in the months and years ahead. Cyber risks will continue to evolve into more complex forms, more interconnections, more interdependencies. (Hello, CrowdStrike! … thanks for the smallest taste of the losses that systemic cyber incidents and/or systemic cyber risk can and will deliver at some future points [not point, but points].)

There are three broad groups of insurance professionals who disagree with me:

  1. Those who have lived most of their lives with physical artifacts. For all of human history, risks have emerged from some combination of physical artifacts, people, and nature. To this group, cyber risks are just another risk in the very long history of risks that insurers have learned to profitably manage. That is, until the computer age, with the introduction and use of computing machines, or the cyber age, with the emergence of IT and/or telco compute and communication machines linked to the Internet. Advances in compute and communications have accelerated, and will continue to accelerate, the speed, shape, and brittleness of commerce.
  2. Those who are ‘digital natives’ and just naturally expect all aspects of life, work, entertainment, socialization, purchasing of goods and services, medical care, and other daily activities to be enabled by digital artifacts. Cyber risks are an emergent result of combining cyber artifacts, digital artifacts, digital content of physical artifacts, physical artifacts, people, and nature. To this group, the answer to successfully learning how to profitably manage cyber risks is continually gathering great volumes of data, specifically about the variety of artifacts connected to the Internet, to feed into cyber loss prediction models. Data, my boy, data is the answer to cyber risk mitigation (with apologies to The Graduate movie).
  3. A combination of people in the first two groups. I have a hunch the number of people in this group is larger than I think.

A constant response

I hear a constant response from members of each group: insurers have been offering cyber insurance since 1997 (or is it 1998?). I wonder if they, when using this response, take into consideration the nature, frequency, and severity of cyber risks that were insured back then, how the cyber risks have evolved since that time, and what the cyber-scape (excuse my made-up phrase) will look like in the future months and years to come.

Aha, cry members of Group 2: of course we have and we are. That’s why we model cyber risk loss costs!

What, though, are you modeling?

What is the nature, frequency, and severity of the future cyber risk losses that your models strive to identify and measure?

Or, is the purpose of your models to capture the best damn form, frequency, and severity of ransomware of the past? Or extortion of the past? The rear-view mirror is getting used more than an office printer.

Cyber risks don’t just evolve. Cyber risks mutate like a cancerous virus. Cyber risks emerge from the never-ceasing, continually expanding plethora of interconnections and interdependencies of digital artifacts, digital content of physical artifacts (including animals and insects with IP sensors embedded in or on them), and physical artifacts. The cyber risk surface is not a surface but a growing Nth dimensional space from which new cyber attack spaces will emerge and ‘invite’ yet-to-emerge forms of cyber attacks. [There is a bee farm in Australia where the bees have IP-sensors attached to them; some cattle ranchers in the US have IP-sensors attached to their cattle … in both cases, the bees and the cattle IP-sensors are connected to the web.]

Again, I ask: What are you modeling? How can your models see new yet-to-emerge forms of cyber attacks from the ever-expanding Nth dimensional cyber spaces?

The question, actually the answer to the question, is key to insurers’ profit. If an insurance carrier can’t accurately estimate their probable maximum loss … and concomitant combined ratio, they have a fiduciary responsibility not to offer insurance for that risk.

A steadfast reality

A steadfast reality always challenges insurers: just because a risk exists does not mean insurers should sell coverage for that risk unless they can do so profitably.

Terrorism risk and the risk of business interruption during a global pandemic are two such risks for which insurers should refrain from offering coverage. And cyber risk (and the scale of business interruption it brings) is a third such risk.

(I hear cries of “we offered cyber insurance in the late 1990’s … we’re fine. We know what we’re doing. Really, we’re fine. And the future of cyber insurance will also be fine.”)

Possibly insurers are starting to refrain from going all in on offering cyber insurance, in a manner of speaking, by:

  • Offering lower limits of cyber coverage;
  • Tightening cyber contract terms, conditions, and restrictions;
  • Being more selective of the markets (e.g. industries) to offer cyber insurance (at whatever limits and terms);
  • Sponsoring ILS cyber cat bonds (and keeping more of their financial capacity safe from cyber losses);
  • Fronting cyber captives (and keeping more of their financial capacity safe from cyber losses).

In a December 2022 interview with the Financial Times, Zurich CEO Mario Greco warned that cyber attacks will become “uninsurable” as the disruption from hacks burgeons.

“What will become uninsurable is going to be cyber,” Greco said. “What if someone takes control of vital parts of our infrastructure, the consequences of that? There must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”

He was and is right.
