Insurance groups seek state support for ‘uninsurable’ cyber risks.

Unlock Editor’s Digest for free

FT editor Roula Khalaf selects her favorite stories in this weekly newsletter.

Cyber ​​attacks are as big a risk as terrorism and floods, according to two of the world’s biggest insurance groups, which are calling for state support to help the industry absorb losses.

Insurer Zurich and Marsh McLennan, the world’s largest insurance broker, say in a new report that cyber threats are “exceeding the ability of traditional insurance and risk management approaches to fully mitigate them.”

There are “limits to the amount of financial loss” the private sector can absorb, the report says, given the potentially huge losses that could be caused by a cyber attack on critical infrastructure.

It proposes a number of steps to address this, including the creation of public-private partnerships to share losses from currently “uninsurable” events, such as a cyber attack that causes widespread failure of key infrastructure. Some countries have already created state-backed schemes to share losses caused by floods and terrorism.

“At some point, cyber events can become large enough to move outside the insurance industry and become societal,” said Tom Reagan, global cyber practice leader at Marsh McLennan.

The report says the need to consider state support was driven by “the ongoing transformation of the digital economy, the merging of physical processes with virtual control and the growing role and scaling capabilities of new technologies, most recently, generative AI”.

Last year, Lloyd’s of London estimated that a major cyber attack on a global payments system could cost the world economy $3.5 billion and was “too substantial a risk for any one sector to face alone”.

The cyber insurance market — which at just a few decades is relatively new in insurance terms — took in about $14 billion in premiums last year. Reinsurer Munich Re expects the figure to reach $29 billion by 2027.

Policymakers in the US, UK and elsewhere have been in discussions with industry about how to absorb losses in certain cyber attack scenarios. Insurance executives hope some kind of state protection would encourage more insurers to offer policies and lower prices, spurring buy-in among companies and improving security practices.

Some insurers currently exclude critical infrastructure attacks and state-sponsored attacks from their primary cyber policies on the basis that such exclusions are necessary to protect them from losses that could threaten their viability.

Sierra Signorelli, head of commercial insurance at Zurich, said a state protection system would “provide more security for cover”, in terms of losses that would be covered by the private sector and paid by the government.

“Being clear what is covered . . . we’re getting rid of some of this gray area (about exclusions),” she added.