Reinsurer’s UK and Ireland chief executive believes a public-private partnership focused on cyber cover would be ‘beneficial’ for insurance industry – especially to mitigate possible risk aggregation

Cyber insurance pricing is “under pressure”, with insurers striving to ensure “price adequacy remains at a good level” amid growth in demand for this cover – particularly from small and medium-sized enterprises (SMEs), according to Jason Richards, chief executive of UK and Ireland at reinsurer Swiss Re.

Speaking exclusively to Insurance Times, Richards explained: “There’s definitely demand in the SME space [for cyber insurance] and a number of carriers are trying to enter that space, developing products and heavy service-related products to help people get their [businesses] up and running again, retrieve their data, etc. But there’s some pressure on pricing in the cyber lines.”

Richards added that most large corporate firms have cyber insurance in place, with “smaller companies starting to buy more”.

Data deficiency

For Richards, the onset of cyber attacks across the corporate world is “never ending”.

The UK government’s Cyber security breaches survey 2024, published on 9 April 2024, found that 50% of UK businesses and 32% of charities experienced some form of cyber security breach or attack in the last 12 months.

Digging a little deeper, 74% of large businesses, 70% of medium-sized businesses and 66% of charities with £500,000 or more in annual income reported a cyber security breach or attack in the past year.

Richards noted that although there is “a lot of data” around “smaller frequency type events” – such as ransomware attacks – which helps to inform cyber underwriting, the industry still has a distinct lack of more comprehensive data to support pricing that covers a potential large cyber event.

He explained: “We all know [that] at one point in time, there’s going to be a big event. It just hasn’t happened yet. That’s the bit that’s hardest to underwrite on cyber.

“When you underwrite property catastrophe, you have some data. You know you’re going to get big storm losses or big earthquakes and you have some data to model that.

“You don’t have any data on cyber. We know [about] the smaller frequency type events where you get a ransomware attack. We have a lot of data around that – but big events, we just don’t know yet.

“Getting the pricing right for the catastrophe element is really difficult – and that’s important on an SME portfolio because you could have a big aggregation of many SMEs impacted at the same time. It’s not the risk of [just] one SME.”

Public-private collaboration

One approach that could help mitigate this aggregation risk would be the creation of a public-private partnership centred on cyber risk. Richards said this tactic would be “beneficial” and that Swiss Re would “welcome discussions along those lines”.

A public-private partnership is a collaboration between the government and a private company or industry sector that aims to pool the costs and risks of large scale projects.

Richards notes that the UK has “good examples” where this model has been “very effective”, such as reinsurance scheme Flood Re – which is focused on providing affordable flood cover – as well as terrorism reinsurance initiative Pool Re.

He continued: “There’s definitely a role for public-private partnerships for these larger, systemic type events and cyber would be a good example.”