The action items are targeted at cyber-risk modellers, cyber-CAT bond investors, regulators, and bond-selling (re-)insurers.
There are four ways to manage cyber risk. The first is avoiding risk by eliminating or foregoing it. The second is mitigating risk by reducing its likelihood or impact. The third is transferring cyber risk to a third-party cyber insurance company. The fourth is accepting the risk without eliminating, mitigating, or transferring it. Given that eliminating cyber risk is practically infeasible in a digitally connected world, most enterprises usually combine the remaining three ways to manage their cyber risk.

Despite enterprises mitigating cyber risk via security solutions, the total cost of security breaches worldwide exceeded $8.4 trillion in 2022. We would expect much of this cost to be absorbed by the cyber insurance industry. However, the cyber insurance business worldwide amounted to approximately a paltry $10 billion for the same year, leaving room for exponential growth in the business. According to Conning, around nine out of 10 small and medium businesses (SMBs) in the US are still uninsured, and these businesses form the majority of global enterprises. This implies that enterprises are still accepting trillions of dollars' worth of cyber loss.

The cyber insurance market is projected to grow to only $20 billion by 2025 and $60 billion by 2029, meeting its growth potential. Growth is limited because there currently isn't enough capital in the cyber insurance market for enterprises to transfer cyber risk to insurers and re-insurers. An influx of capital from new sources into such a market will be needed to sustain long-term growth. Moreover, enterprise cybersecurity could be improved as a by-product of such growth. One way significant capital can be injected into the cyber insurance market is through insurance-linked securities (ILSs).
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]