Why cyber war risks push insurance market toward public-private solution

Improved underwriting has boosted cyber profitability, but “uninsurable” risks still loom over market stability

The growing threat of state-sponsored cyberattacks is exposing a critical limitation in the private insurance market, and it may ultimately require a government-backed solution similar to the Terrorism Risk Insurance Program, according to one industry analyst.

Speaking with Insurance Business America, Jay Sarzen, director at Conning and author of the firm’s latest cyber insurance report, said the industry has made significant strides in underwriting cyber risk. However, systemic, nation-state-driven events remain fundamentally uninsurable.

“Cyber risks, particularly those coming from state-sponsored groups, are on a scale that the private market simply cannot absorb and really need to be addressed by some type of a private-public partnership, similar to what we have in place with the terrorism insurance program,” said Sarzen.

Where is the cyber insurance market today?

Conning’s report, Cyber Insurance: The Increasing Insurability of Cyber Risk, finds that the cyber insurance market has entered a more stable phase following volatility in recent years. Improved underwriting, increased data availability, and the rise of cyber risk modeling firms have collectively strengthened insurers’ confidence.

Unlike property insurance, which benefits from decades of actuarial data, cyber underwriting has historically lacked a robust loss history. However, that gap is narrowing. Insurers now have access to more granular data on attempted, successful, and thwarted attacks, enabling better risk assessments.

At the same time, underwriting practices have evolved significantly. Insurers are no longer treating cyber like a traditional property risk, said Sarzen. Instead, they are focusing on operational resilience.

“The underwriting process today is dramatically different from even 10 years ago,” Sarzen said. “It’s been a quantum leap. Insurers now have more confidence and a greater understanding of what firms are doing to protect themselves against cyber attacks.”

The emergence of cyber risk modeling firms has further enhanced insurers’ ability to quantify exposure. While still imperfect, Conning said these models provide directional insights similar to catastrophe models used in property insurance.

As a result, the market has attracted additional capacity, supported by favorable loss ratios and disciplined underwriting. Conning noted that this “first scenario,” where private insurers successfully expand their role, has largely played out in recent years.

Cyber’s systemic risk problem

Despite this progress, a major gap remains: systemic cyber risk.

Sarzen points to the potential for large-scale attacks on critical infrastructure, such as power grids, transportation systems, or water networks, as a scenario that could generate losses in the trillions.

“If you’re talking about a coordinated attack that disrupts essential systems, the economic impact could be enormous,” he said. “Even a $5 trillion loss would effectively wipe out the insurance industry’s capital base.”

For context, Conning estimates total industry reserves at approximately $1.5 trillion.

This type of “cyber Armageddon” event has not yet occurred, though incidents such as the NotPetya attack have provided a glimpse of its potential scale. Importantly, such risks remain difficult (if not impossible) to model with confidence.

War exclusions already shaping the market

In response, insurers have increasingly tightened policy language to exclude nation-state and war-related cyber events. These exclusions are becoming more explicit, particularly as geopolitical tensions raise concerns about cyber warfare.

Most of the largest potential losses are already excluded, Sarzen noted. He added that while small and mid-sized businesses continue to benefit from coverage for “attritional” losses, such as ransomware or data breaches, systemic risks fall outside the scope of traditional policies.

This dynamic has created a disconnect between perceived and actual coverage, with brokers and clients paying closer attention to policy wording.

Within this broader environment, Sarzen said the industry must also rethink how cyber insurance is positioned. Rather than serving purely as a financial backstop, it increasingly functions as a tool for risk mitigation and resilience.

“Cyber insurance is as much about defense as it is about indemnification,” he said. “Insurers are helping clients improve their cyber hygiene, which ultimately reduces loss severity.”

The case for a government backstop

Looking ahead, Conning’s analysis suggests that a hybrid model combining private insurance with government support may be the most viable long-term solution.

Sarzen pointed to existing frameworks like the National Flood Insurance Program and TRIP as potential models. Both programs were designed to address risks that exceed private market capacity. A similar structure for cyber risk could act as a backstop for extreme, low-probability events while allowing private insurers to continue covering more manageable losses.

However, Sarzen cautions that progress may be slow. Policymakers may be reluctant to act until a major event occurs, particularly given that current cyber losses remain within manageable levels.

“I think the likelihood of a cyber backstop is strong, especially as awareness grows,” he said. “There’s still some complacency; people think it won’t happen until it does. Cyber attacks are relatively easy to execute with state support, so the risk is real.”

Ultimately, Conning concluded that the question is no longer whether cyber risk is insurable, but how responsibility is to be shared as cyber threats continue to evolve, particularly in the context of geopolitical conflict.

“I don’t know what a program would look like, but it could involve conditions like requiring companies to demonstrate good cyber practices to qualify,” said Sarzen. “Conceptually, it would likely mirror TRIP: a partnership between government and private insurers. It would be there if needed, but ideally never used. TRIP hasn’t cost taxpayers money in over 20 years. A cyber program could work similarly.”
