Cyberattacks are getting faster, more automated, and more widespread, raising big questions for the insurance world. One key concern is whether cyber risks could become too big for insurers to cover on their own, needing government help to step in. While this worry has been mostly theoretical until now, experts say it’s becoming a very real topic of discussion.
Sarah Thompson, head of cyber for North America at MSIG USA, says the industry hasn’t reached the point where cyber risk is uninsurable. “Not yet,” she said. But she also admits the issue is creeping closer. One reason it’s hard to pin down the risk is because the industry hasn’t seen a major cyber catastrophe that would help put a dollar amount on potential losses. Still, more people are talking about what that kind of event could mean.
The last year and a half has shown that cyber incidents can have far-reaching effects. Events like the Amazon Web Services outage, along with attacks on firms such as Change Healthcare and CrowdStrike, prove that a single breach can disrupt hundreds or even thousands of businesses at once.
At the same time, cybercriminals are using AI and organized methods to automate attacks. This automation means they can cause bigger damage, faster. Thompson explains that once attackers get into a system, they move quickly, increasing the scale of the attack.
Experts say for cyber risk to truly become uninsurable, three things would need to happen together: an attack that affects multiple essential sectors at the same time (like energy, finance, and cloud services), a global economic disruption with many businesses claiming losses, and insurers pulling back because they either can’t afford the losses or are too afraid to stay in the game. If all that unfolded, the insurance market alone might not manage it.
Today, though, there’s still plenty of insurance capacity worldwide. New players are entering the market, and customers are buying more coverage, not less. Pricing remains competitive thanks to new entrants in places like London and Bermuda, even though claims are happening more often. This has created a soft market despite growing cyber dangers.
But the industry hasn’t yet faced a real “stress test” to fully understand the impact a large-scale cyber event could have. Regulators, brokers, and reinsurers have begun asking whether cyber insurance might need a government safety net similar to what exists for flood, terrorism, or pandemic risks.
Thompson admits there are scenarios that would require government backing, but none have happened yet. “It’s a bit of a guessing game,” she said.
Still, the clock is ticking. The insurance industry is split on whether cyber risk will follow the path of those other tricky risks that eventually needed government help. Right now, cyber insurance is still available. But Thompson warns that as losses rise, insurers will react in different ways. Customers need to pay attention to who they buy coverage from because not all insurers have the same strength or staying power.
One key concern is the growing systemic risk. Insurers are now focusing more on the entire digital ecosystem, including third-party vendors, when underwriting policies. The more they know about critical vendors, the better they can avoid overlapping risks that could lead to huge losses.
For brokers, this means operating with two realities: lots of insurance capacity and a threat landscape changing too quickly for past data to fully capture. Thompson urges brokers not to confuse low prices with long-term security. Instead, she encourages looking at an insurer’s financial health, their history of paying claims, and their ability to survive a big systemic cyber attack. “That matters now more than ever,” she said.
As cyber threats grow and evolve, the insurance world is paying close attention. For now, coverage remains available. But the future may require new ways of managing this fast-moving risk.