Cyber insurance has a lower loss ratio than many other lines of business, and there's increasing demand for it from the commercial market, but insurers remain wary of turning on the capacity tap. And rightly so, because there's a sting in the tail.

No one has yet seen a true cyber 'catastrophe' — a cyber campaign or event that could cause thousands of companies to have large claims on their cyber cover. But recent trends have come close and provided hints at the way that this could happen.

Looking back to move forward

NotPetya and WannaCry were wake-up calls across the industry: WannaCry, in May 2017, was a malware attack that caused 300,000 infections across 150 countries, with hundreds of infected businesses suffering business interruption from failures of manufacturing processes, dispatch and ordering systems, telephone exchange equipment, and other system failures. Businesses lost around half a billion dollars, but insurance claims were light, thanks to low penetration levels, retentions, and coverage exclusions.

A month later, NotPetya hit a different sector of business with a different piece of malware, this time with 2,000 infections of machines in businesses across 65 countries, with a more vicious disk wiper payload. Over a dozen multinationals reported impacts to their quarterly earnings from infection, and over 30 international companies suffered disruption, including many Ukrainian businesses, amounting to an estimated $2.5 to $3 billion of losses borne by the businesses, but again the cyber insurance industry came off lightly.