As cyberattacks grow faster, more automated, and increasingly systemic, the insurance industry is facing a question that was once theoretical and is now increasingly urgent: Could cyber risk eventually become uninsurable without government intervention?
For now, the answer from Sarah Thompson, head of cyber North America at MSIG USA, is “not yet.” However, she acknowledges that the concern is no longer abstract.
“We haven’t had a true cyber cat loss, which makes it hard to put a dollar figure around what a catastrophic event would actually mean,” Thompson told Insurance Business America. “But the conversation is happening, and it’s happening more often.”
The cyber market has long been defined by unpredictability, but the last 18 months appear to have marked a turning point.
From Change Healthcare and CrowdStrike to CDK Global and last month’s widespread Amazon Web Services (AWS) outage, systemic cyber events are proving that a single compromise can simultaneously disrupt hundreds or even thousands of businesses.
At the same time, cybercriminals are automating attacks at scale, fueled by generative artificial intelligence (AI) tools and organized tactics. “Threat actors are getting smarter and faster,” Thompson said. “Automation means the impact of any one attack is now much larger. Once they’re in an environment, they move faster, and the scale keeps increasing.”
But what would make cyber truly uninsurable? Three things would need to converge:
If such an event occurred today, the market alone may not be able to respond, especially if exclusions are triggered or reinsurers pull back. But that’s not what Thompson sees today.
“Globally, there’s an abundance of capacity,” she said. “New entrants are still coming in, and insureds are continuing to buy more limit, not less. I don’t think we're at an uninsurable point.”
New entrants, particularly in London and Bermuda, have kept pricing competitive, even as loss frequency rises. The result is a surprisingly soft market amid heightened cyber volatility.
But Thompson also acknowledged the other side of the conversation: the fact that the industry is operating without a true stress test. The possibility of a cyber cat event has been raised by brokers, reinsurers, and even US regulators, who have begun exploring whether cyber resembles terrorism risk more than traditional P&C exposure and whether a federal safety net may eventually be required.
“Is there a scenario I can think of that would need a government backstop? Absolutely,” she said. “But we haven’t seen it. It’s a bit of a guessing game.”
The industry remains divided as to whether cyber will follow the trajectory of flood, terrorism, or pandemic risk – each of which required government backstops once losses became too correlated and unpredictable.
Cyber is insurable now, but that status should not be taken for granted, Thompson said: “As losses increase, you're going to see carriers respond in very different ways. That’s why who you partner with matters. Not all capacity is created equal.”
The most immediate concern is rising systemic risk, which is also why cyber insurers are drilling deeper into vendor management, redundancy planning, and failover capabilities during underwriting. Thompson said underwriters now analyze not just insureds, but the digital ecosystem connecting them. “The more data we have on critical vendors, the better we can manage aggregation,” she said. “Because aggregation is where systemic loss becomes catastrophic.”
For now, Thompson said, brokers face two realities: abundant capacity and a threat landscape moving too fast for historical data to keep pace. She warned distribution partners not to mistake cheap rates for long-term stability.
“Look at the carrier’s balance sheet. Look at whether they’ve paid claims. Look at whether they will still be here after a systemic attack,” Thompson said. “That matters more now than ever.”