A new report from Marsh McLennan and Zurich titled “Closing the cyber risk protection gap” calls for closer collaboration between the insurance industry and the public sector as cyber insurance coverage gaps remain.
“Both the insurance industry and the public sector are urged to collaborate, share, and innovate to confront the growing cyber risk protection gap, foster resilience, and safeguard our society and economy from the escalating cyber threat landscape,” the report said. “Strengthening society’s cyber resilience is inextricably linked to the evolution of the cyber insurance market.”
What the Executives Said
“The threat of cyber attacks poses a significant risk to both societal and economic stability. As insurers, we can offer some degree of protection, but we must acknowledge that large-scale, catastrophic cyber events present substantial accumulation risks that cannot be borne by the private sector alone. Therefore, enhancing cyber resilience is vital to addressing this protection gap. Achieving this requires strong public-private partnerships to develop comprehensive strategies that secure our digital future.”
Mario Greco, Group Chief Executive Officer, Zurich Insurance Group
“The severe threat presented by cyber risks requires collective action to bridge the protection gap. The insurance industry and the public sector must fully understand the spectrum of insurable and currently non-insurable cyber events. Through greater collaboration, we can develop innovative solutions, inform insurance buyers, enhance the cyber insurance market, and establish robust public-private partnerships that safeguard our society and economy from potentially catastrophic cyber events.”
John Doyle, President & Chief Executive Officer, Marsh McLennan
This comes as 87 percent of global decision makers in an April 2024 Munich Re Cyber Risk and Insurance Survey said they believe their organizations are inadequately shielded against cyber attacks as cost and frequency continue to rise.
The cost of cyber attacks is projected to increase to nearly $24 trillion by 2027, up from close to $8.5 trillion in 2022. Ransomware payments hit a record-breaking $1.1 billion in 2023 as well, according to a Chainalysis blog titled “Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline.”
The cyber insurance market has seen strong growth over recent years despite growing attacks, with the Munich Re report estimating it at $14 billion gross written premium in 2023 and projecting that it will more than double by 2027.
However, a cyber risk protection gap persists, with the Global Federation of Insurance Associations estimating the chasm between insured losses and economic losses due to cyber attacks at $0.9 trillion, or 99 percent of economic losses. This is according to GFIA’s report titled “Report: Global protection gaps and recommendations for bridging them.”
Navigating Protection Gaps Without Risking Too Much
In their report, Marsh McLennan and Zurich outlined one solution: a closer partnership between industry and government to establish cyber resiliency. That said, insurers will need to navigate one question: How can the cyber insurance market scale without taking on too much exposure?
In a March 2023 report, the Global Federation of Insurance Associations estimates the chasm between insured losses and economic losses due to cyber attacks at $0.9 trillion.
“Currently, concern exists that the volume of claims arising from a catastrophic cyber incident might overwhelm the resources available to resolve such claims,” the report said. “Government policymakers should consider that the expertise and capabilities currently held by the insurance sector provide strong motivation for the government to create a framework in partnership with industry. In addition, policymakers should consider the tools and resources that government could provide for claims administration.”
As part of this partnership, the report said triggering events for a public-private insurance program will need to be better defined based on what current policies treat as uninsurable. One solution the report suggested is a difference-in-condition product that is triggered when policy exclusions apply and responds only to truly catastrophic losses.
“To provide for flexibility and buy-in from industry, any government framework should be voluntary for eligible insurers,” the report added. “At the same time, this will require insurers to acknowledge their support and their belief in the viability of a cyber framework.”
However, the most pressing need from a national preparedness standpoint is to address the gap created by war and infrastructure exclusions in insurance policies, the report said.
“Because these risks are the subject of exclusions, a cyber incident resulting in these losses will not impact the insurance market, but instead would require a government response post-incident,” according to the report. “Creating a cyber framework provides the opportunity to engage in planning of how such compensation would be applied.”
Geopolitical Tensions Adding Fuel to Fire
Intensifying geopolitical tensions are adding to the challenges in the current cybersecurity environment, as technology has become a bigger part of state-sponsored attacks, the report said.
Indeed, a recent article in Carrier Management outlined how insurers are rethinking cyber as a coverage area in the face of global conflict.
“There are a variety of reasons that can motivate an individual or group to launch a cyber attack. Political ideologies are one of them,” said John Farley, managing director of the cyber practice at Gallagher, in Carrier Management’s August article titled “Geopolitical, Election Risks Have Insurers on High Alert.”
Additionally, when cyber defense resources are focused on averting any potential civil unrest or terrorist activity, commercially oriented and opportunistic attacks can occur, added Kellam Radford, senior vice president and national programs underwriting leader at DOXA Insurance.
“Three main goals of any conflict are to control the narrative around the event, ensure the flow of capital to fund activities, and minimize any owned supply chain disruptions while maximizing disruptions to the other side,” he said. “All three of these goals create opportunities for cybercrime.”
Protecting the SMB Space
While demand from organizations seeking to transfer their cyber risk has been growing, according to the Marsh McLennan and Zurich report, this growth has been uneven, and the trend of small and medium-sized businesses (SMBs) being uninsured or underinsured persists.
“Despite the prevalence of cyber risk, a significant portion of SMBs remain uninsured or underinsured,” the report said. “These companies often lack the necessary funds to invest in cybersecurity, in the same way as they may forego purchasing insurance due to affordability, lack of risk awareness, or not understanding the coverage. To overcome such challenges, our industry should seek to simplify all elements of the procurement process, provide holistic solutions, and support and enable public-private partnerships.”
The report added that it is important to provide insureds with appropriate coverage while avoiding unnecessary limitations and exclusionary language that can lack universal consensus on applicability and create new protection gaps.
A Growing Need
Making the general case for public-private partnerships to address cyber risk, the report draws analogies to nuclear energy, flood and terrorism risks, stating that cyber risk is now akin to these.
“The need for a public-private approach for cyber risk has emerged from the continuing transformation of the digital economy, the blending of physical processes with virtual control, and the growing role and expanding capabilities of new technologies, most recently, generative AI,” the report said. “It is evident that there is an urgent need to address these risks due to both their volatile nature and the ubiquitous use of technology. At the same time, we need to foster societies that are innovative, resilient, and adaptable, while safeguarding economic prosperity and national security.”
“The insurance industry, with its proven track record of advancing societal objectives through offering its risk management and transfer capabilities, plays a critical role in this endeavor from both a risk transfer and cyber resilience perspective.”