Insuring the uninsurable: systemic cyber risk

Edouard von Herberstein, founder and CEO of Spectra, discusses what the Great Fire of London, 18th century shipping, hurricanes and cyber all have in common.

Cyber insurance is a basic need in the digital economy – it is a critical safety net protecting businesses from the often-catastrophic consequences of cyber incidents.

However, according to CFC’s former chief innovation officer, only about 10 percent of businesses have cyber insurance.

While some customers might decide not to buy, insurers are also concerned about a lack of visibility into cybersecurity posture (data) and about systemic cyber risk, which limits cyber insurance availability.

“Cyber catastrophe risk continues to be a major concern for the (re)insurance market, with a lack of scaled, sustainable solutions for systemic risk holding back growth in the market,” says Dan Carr at Ariel Re, a leading cyber reinsurer.

Insurers want to better understand what the costs are from potentially systemic events such as the occurrence of a long public cloud outage or the propagation of malware through the tech supply chain, which could cause simultaneous business interruption across thousands of businesses.

However, insurers currently do not have access to this information because adherence to cybersecurity standards is not inspected during the underwriting process, as it is in other insurance lines.

For over 600 years the insurance industry has faced and solved systemic risk challenges, leaving a blueprint to help address the cyber insurance gap we face today.

1666: “Fire is uninsurable”

The Great Fire of London destroyed most of the city, resulting in costs that represented 1,000 times the GDP of London at the time.

Hesitation to rebuild and lack of insurance led to the implementation of fire safety, mitigation and controls, including rebuilding with bricks instead of wood, fire building codes, broader streets (“firewalls”), reliance on fire brigades to respond quickly to fire outbreaks and monitor fire hazards, and trash removal. This led to the certification of insured homes (“Fire Marks”).

London was only rebuilt as insurance became available.

1760: “Global shipping is uninsurable”

In the mid-1700s global shipping was booming. However, the risks were many, and often resulted in catastrophic outcomes for insurers.

Fire, foreign enemies, pirates, thieves, jettisons, loss of cargo, mutiny of captain or crew, hurricanes, sea ice, diseases, unsafe harbours, and more pushed voyage financiers to request more comprehensive marine insurance coverage.

This led insurers to drive requirements for new security standards and certification of ship design, maintenance, journey itinerary, moorings, crew training, and thorough and regular inside and outside inspections of ships (anchor, chain, rigs, sails, hull material, etc.).

The Lloyd's Register was created to certify and register ships, producing data evidencing sufficient risk controls and enabling insurers to confidently offer ship and cargo insurance.

Unlocking marine insurance facilitated an explosion in global trade.

1992: “Hurricanes are uninsurable”

In 1992, Category 5 Hurricane Andrew devastated southern Florida in a way that insurers did not think was possible – many went insolvent.

The magnitude of destruction and related losses associated with Andrew led many insurers to conclude that hurricanes were uninsurable as they could impact entire cities simultaneously.

Once again, during the 1990s, insurers set new requirements for insurability, from building codes to collecting detailed information about insured buildings (e.g. street address, construction materials, roof shape, foundations, proximity of trees, etc.) enabling insurers to better map, model and manage hurricane risk, and ultimately insure it with confidence.

This helped natural-disaster-prone states such as California or Florida to develop and grow over the last 30 years.

2024: “Systemic cyber risk is uninsurable”

In 1970, most of the market capitalisation was driven by tangible assets. The inverse is true today, where the value of the largest companies is linked to their data and intellectual property, bringing potentially new systemic cyber challenges.

Inspired by concepts from fire, shipping and hurricane insurance, the solution for cyber will likely be led by insurers working with diverse security vendor solutions and IT managed service providers to establish security standards and codes and monitor compliance with them. Finally, access to security posture information (internal and external data) will enable better modelling, pricing and insurance solutions.

As Jürgen Reinhart, chief cyber underwriter at Munich Re, puts it: “As we continue the path to ever more mature markets and products, expertise and reliability must be at the core of this fascinating line of business. Better exposure data, wording topics, cybersecurity trends and lessons learnt from previous losses are priorities for the entire industry. A thorough understanding of the risks provides the foundation for what our insureds need most: sustainable insurability and sufficient capacity.”

This cooperation and access to risk data will contribute to building a more resilient digital economy.

Edouard von Herberstein is founder and CEO of Spectra