Cyber underwriters continue to grapple with systemic risk

Concern about systemic risk will continue to grow in the cyber markets throughout 2025.

With the full-year earnings season drawing to a close, there seems to be a consensus among re/insurers the rest of 2025 will see an increase in both the frequency and severity of cyber attacks. Alongside that, re/insurers have entered the year with a renewed emphasis on addressing systemic cyber, with many either planning on building more capital or continuing to actively manage their portfolios to mitigate this risk.

“I do think the market is going to have to grapple with increased frequency and severity,” Beazley’s chief underwriting officer, Paul Bantick, told analysts during the London-listed group’s earnings presentation. Bantick listed a range of factors he expects to impact the loss environment, including “small catastrophe events” and growing systemic exposure, driven by business interruption coverage, which “every cyber policy contains”.

Paul Bantick, Beazley

“For that we need to continue to bring third-party capital into the market to be able to hedge its scale,” he said.

Bantick said the firm had now built “meaningful amounts” of catastrophe protection, with close to $1bn now placed.

Geopolitical risk and the development of liability reserves, such as from the ongoing class actions over the use of pixel tracking, also added to an environment where rates will need to rise, he said.

“Based on these, we do believe market rates will need to show positive movement, which could alter the landscape for the cyber market. But it’s going to be a function of how all these different threats come together and crystalise that will drive that,” Bantick said.

Cyber insurance rates have been falling in recent quarters after reaching their peak in early 2022.

“We do believe market rates will need to show positive movement, which could alter the landscape for the cyber market. But it’s going to be a function of how all these different threats come together and crystalise that will drive that”
_{Paul Bantick
Beazley}

Beazley expects continued growth in its international cyber portfolio, while the medium-sized to small end of the market in the US will see “ongoing opportunity”.

While Beazley is looking to build capacity, other carriers are rationalising their books. Munich Re’s chief executive, Joachim Wenning, said the group is taking a cautious approach to loss cost trends in all casualty lines including cyber, where the business has been substantially reducing exposure. “We remain steadfast on our view on accumulation risk or on excluding systemic risk to be more concrete,” he said.

Modelling is another line of defence against systemic risk re/insurers are becoming much more sophisticated in their use of, but event here there is a lack of consensus. Reinsurance broker Guy Carpenter recently ran its policy data through three of the main cyber models – the second time it has run such a study – and found large variations persist in how they predicted accumulation potential.

Using its own policy data, the broker estimated potential global loss from a one-in-200-year event ranged from $20bn (using Moody’s model) to $46bn (using CyberCube’s model). “The lack of cyber catastrophe experience, unlike natural catastrophe experience, leads to difficult empirical calibration of models and heavy reliance on expert judgment when parameterising these models,” the broker concluded.

Where there is consensus is that rates need to increase – or at least stabilise – and more capacity needs to enter the market. Earlier this year, Lockton Re called for a government-backed cyber risk pool, arguing having such a backstop in place would provide confidence to the market and encourage broader participation. “In the context of cyber insurance, a catastrophe is conceivable in the coming years that could far exceed the private insurance market,” Oliver Brew, the broker’s international cyber practice lead, said.

On top of this, buyers want more limit. The launch of Beazley’s Quantum consortium last year – which offers large clients up to $100m in limit – is evidence of this demand, Bantick said.

“What that ultimately is, is large clients looking for that confidence, looking for large capacity, looking for larger limits from their primary carrier for long-term stability,” he said. “Because I think a lot of the large clients realise the risk is constantly changing and morphing and cyber is going to be with us for a long time.”