Some surprising trends have emerged in the industrial cyber risk landscape. What does this mean for 2023?

Like many business lines in the (re)insurance sectors, those of us in the cyber risk sphere expected to see harder market conditions in 2022.

As we near completion of the renewal season, however, and looking specifically at the industrial cyber risk landscape, a surprisingly different picture has emerged.

The war in Ukraine

The threat of cyber risk was brought to the fore this year, precipitated by the war in Ukraine. Arguably it is the biggest development for industrial/critical infrastructures’ cyber risk this year because state-sponsored actors were given the mandate, and arguably the means, to compromise critical infrastructure.

Despite the news of countless attacks on Ukraine’s energy and commodities infrastructure, we have seen little evidence of industrial infrastructures being compromised. Several hypotheses exist about why, and we will understand this better over time.

An under-protected world

Some customers and (re)insurers with stringent risk management practices have told us about successfully renewing their cyber insurance policies, without experiencing the expected increase in rates.

And some of the larger market players apparently have surplus capacity to deploy, which is not consistent with the harder market scenario.

This is anecdotal information based on a few data points, but it is still relevant. Why do we have that disconnect?

Perhaps the best way to reconcile these anecdotes is to say that our world is under-protected, caused in part by the lack of standardisation of cyber insurance policy terms.

Also, cyber remains an immature line of business and an underdeveloped market. But what does this mean for 2023? We must understand why many risk owners decide to retain the risk rather than hedging it. Is it because they do not fully understand the risk or because they do not find the products they need?

Answering this question is our raison d’être for the year ahead.

Second-generation cyber modelling comes of age… but not everyone is buying

The second generation of cyber modelling has come to the fore. This means fit-for-purpose solutions tailored to each industry and sub-industry vertical while remaining scalable. It means technology and not formularies, which until now have been unable to capture the complexity and dynamism of this man-made cyber risk.

It means using real-time, inside-sourced and outside-sourced data that allows for dynamic responses to fast-changing cyber threats. And it means efficient and safe delivery mechanisms for intrinsically dangerous cyber data, compliant with regulations and prudent business practices.

First-generation modellers take a “one-size-fits-all” approach to cyber risk, which only scratches the surface of the potential for cyber modelling, and is insufficient to develop cyber risk management and insurance business to its full potential.

It is especially important to hedge the risk for critical infrastructures as we move into a fully digitised world, to ensure electricity and/or telecommunication infrastructures are not compromised.

Will 2023 be a tipping point? 

2023 may be a tipping point for second-generation modelling efforts. Another prediction for cyber risk modelling in 2023 is the arrival of new entrants, including some (re)insurers who seem to prefer to strike out alone rather than rely on third-party vendors.

How these parallel tracks of third-party risk modelling vendors versus in-house (re)insurance efforts will ultimately unfold is a million-dollar question.

Looking ahead to 2023, the more mature markets are likely to see the most development, and for the industrial cyber risk world that will be the US and Europe. The oil and gas activities in the Middle East also represent a tremendous opportunity for the cyber insurance industry at large.

Jose Seara is founder & CEO of DeNexus Inc