When the ‘big one’ comes, will enough insurance be available? Fears abound of a major cyberattack, and the nightmare scenarios contemplated by insurers have ‘moved from the realms of science fiction to reality’. Trillions of dollars of economic value, they believe, could be destroyed by a single attack. Such fears have limited the insurance industry’s willingness to allocate capital to cyber risks and left governments concerned about the reliability of insurance markets as a key pillar of economic and cyber security.
But what if we’re wrong about all of this – the paucity of data, the lack of lived experience, cybergeddon, and events that could cost society trillions of dollars?
Hyperbolic concerns about cyber catastrophe – monsters under the bed – have constrained the cyber insurance market’s ability to grow, resulting in a shortfall of protection relative to the overall risk. The ‘protection gap’ – the difference between the amount of insurance that would be economically reasonable and the amount purchased – has become a chasm that may be as wide as $15.84 trillion.
However, new data suggests the problem may not be nearly as severe as it seems at first glance. As economic losses appear to be shrinking and insured losses growing, it appears the gap is closing. This directly challenges past assumptions about whether the cyber insurance market has the depth necessary to serve its national economic security strategy role.
Historical context
Cyber catastrophes don’t happen often, and even when they do, the economic impact tends to be limited. Only 24 catastrophic cyber incidents – those with losses over $800 million and multiple victims – have occurred since 1998, with an aggregate economic impact of approximately $350 billion, which pales in comparison to natural catastrophes. ‘Cybergeddon’ hasn’t come, and the impact of cyber catastrophes has dulled over the past 15 years, with those occurring during this period responsible for less than 7% of aggregate inflation-adjusted economic loss. The economic effects of cyber catastrophe have become more manageable, making cyber insurance more useful as an economic security tool.
Only the six most recent cyber catastrophes have had meaningful insurance losses associated with them. Together, they represent $23.5 billion in economic damage and $2.3 billion in industry-wide insured losses, consistent with insurance industry estimates of a 90% cyber catastrophe protection gap.
A closer look at the data on the cyber catastrophe insurance protection gap
This protection gap has narrowed since 2017; even though there is still plenty of uninsured damage to be addressed, the progress is meaningful. WannaCry’s 2017 $50-60 million industry-wide insured loss covered little of the $4 billion in economic harm that resulted from that attack. While NotPetya, also that year, showed significantly more insured loss on an absolute basis – just over $300 million – the protection gap was only marginally better: 96.95% compared to WannaCry’s 98.63%.
NotPetya was a pivotal event, and not just because of its overall economic impact. The ambiguity surrounding its protection gap itself shows how significant it was. The 96.95% gap reflects affirmative cyber insurance losses only – ie, losses from cyber-specific insurance policies. Those amounted to only $300 million of the event’s overall insured loss of approximately $3 billion. The balance fell to the property insurance market, which had unintentionally provided cyber protection. The property losses sustained led to an effort to exclude cyber losses from non-cyber policies, supporting the creation of a cyber-specific insurance sector. The growth of the affirmative cyber insurance market has helped narrow the protection gap further, as the most recent cyber catastrophes have revealed.
Evidence of a narrower gap
Cyber catastrophe struck in 2023 for the first time since NotPetya, and then again three more times in 2024. These events were far smaller than most of the other cyber catastrophes since 1998, and they were also much more robustly insured. The average protection gap across 2023’s MOVEit and 2024’s cyber catastrophes (Change Healthcare, CDK, and CrowdStrike) was 63.71%. MOVEit was narrowest at 40%, with CrowdStrike the widest at 82.35%. Further, their insured losses were higher on an absolute-dollar basis than those of WannaCry and NotPetya. CDK and CrowdStrike were, by insured loss, roughly the same size as NotPetya, while MOVEit and Change Healthcare were each twice as high.
The insurance industry bore greater losses, but they came in an environment with a shrinking worst-case scenario (ie, economic loss level). WannaCry and NotPetya caused $18.2 billion in inflation-adjusted losses, more than three times greater than the aggregate for the 2023-4 cyber catastrophes’ $5.3 billion. Yet, the aggregate insured loss for the 2023-4 events was $1.8 billion, nearly four times greater than the aggregate insured loss of $470 million for WannaCry and NotPetya.
There are several factors responsible for this convergence of insured and economic losses from cyber catastrophes. The decrease in economic losses suggests that companies have become more able to absorb and recover from the economic effects of major cyberattacks, and their relative infrequency may indicate that widespread attacks are increasingly difficult to achieve. However, the CrowdStrike event shows that external attacks are not the only threat – internal errors can cause significant losses, too.
Further, the higher share of insured loss from cyber catastrophes comes from an increase in the availability of cyber insurance, particularly since 2017. And the companies being affected by cyber catastrophes are increasingly insured. Even with the CrowdStrike event, where the protection gap was still relatively wide, insurance coverage was far more prevalent than for NotPetya – and certainly than for WannaCry.
An increasingly reliable economic security lever
Governments have begun to factor cyber insurance into their broader national and economic security strategies, viewing it as an important form of resilience. The UK terrorism insurance program, Pool Re, added coverage for cyber to its terror policies after NotPetya. Cyber insurance featured in the US national cybersecurity strategy. Russia also briefly contemplated making cyber insurance compulsory, with NotPetya one of several events causing $1.85 billion in economic harm that year. However, the insurance industry’s fears of balance sheet calamity following major systemic events have led to a broader discussion over backstops and other measures by which governments seeking to rely on insurance for security are in turn required to provide security for those insurers. The evident narrowing of the protection gap provides an important step toward resolving this circular problem, demonstrating both that the economic effects of cyber catastrophe are smaller than previously feared and that available insurance is already rising to meet the need.