Global Chief Underwriting Officer, Financial Lines

The digital transformation of our economies creates many opportunities but also generates ubiquitous cyber risks. Already in 2017, the OECD considered the insurance sector a key actor in improving global cyber resilience and cyber risk management.¹ In addition, awareness of cyber risks has greatly increased in the general population, which has witnessed a rising number of attacks during the COVID-19 crisis, including attacks on critical infrastructure such as hospitals.

What are the challenges to cyber insurability?
Technologies that connect to the internet have not always had security as the top priority, as innovation was the first order of business. Therefore, many of the vulnerabilities introduced for companies and governments are not fully insured today. Although this is changing, the number of governments and companies that purchase cyber insurance is still relatively low worldwide. As a result, cyber losses remain mainly uninsured today.

And indeed, there are many challenges with cyber insurability. First, the insurance sector relies on recognizing patterns in data to be able to price the product. With a natural peril for example, we have historical weather data that helps us predict what happens with a hurricane or a tsunami, while in comparison, we barely have 10-12 years of cyber insurance data. What makes the risk analysis even more complex is that the threat is man-made and constantly evolving. Additionally, there are many layers of connected and interconnected technologies, each with their own specificities, such as software, hardware, IoT, remote monitoring and so on. 

Accumulation modelling within cyber is very immature. We have a couple of realistic disaster scenarios and models, but they are only a few years old and do not yet fully include changes in threat actor behavior. Further, traditional risks such as fire, explosion and other types of property damage that result from a cyber event are not yet fully modelled in the industry. It’s very early days in the accumulation-modelling world.

Lack of data and issues with modelling generate uncertainty. This is an opportunity for the insurance sector, but you really need cyber security and insurance experts to come together to assess the issues and to analyze the cyber maturity of the company seeking the insurance coverage.

What are the main trends in the development of cyber insurance?  
What is really new in 2021 is the outsized impact of ransomware cases, with severe losses this past year. It is changing the risk appetite of the insurance sector, which is in reactionary mode at this stage.

Another very important trend is the move from ‘silent’ to ‘affirmative’ policies, that is, being explicit about what is included and what is excluded from policies. The reinsurance community began exploring these questions around 2015-2016. AXA XL made the move in 2019, then Lloyd’s mandated that insurers be explicit in their policies, giving them 24 months to roll out the form changes. Some in the reinsurance community are now asking their clients whether their policies are silent or affirmative. I think that this will drive the behavior of the insurance sector on all lines of business in the next year or two. This will affect not only the direct cyber products themselves but also those products where cyber is a peril in other lines of business such as property or liability.

Finally, there is a growing global awareness of cyber risks and losses. Small businesses will start buying stand-alone policies covering cyber with higher limits, as opposed to insurance packages that include cyber. 

However, the imbalance between supply and demand is impeding the development of the sector. Overall, there are not enough insurance companies or capacity for covering cyber risks yet. On the insurance company side, there is also a fear of the unknown in terms of shifting threat actor behavior. Additionally, there’s a limitation in accessing underwriting and risk expertise in this area. There is also a lack of maturity on the topic with key stakeholders, such as agents and brokers, who are the advisors to companies. However, there is a very strong commitment by the cyber community to improve education and awareness amongst intermediaries. 

What should boards of directors know about cyber risks? 
Another limitation to the development of the cyber insurance sector is the awareness and maturity of boards of directors regarding the risk, and whether they should address it through a combination of cyber security spending and self-insuring the risk or whether they want to transfer it to an insurer. Boards of publicly traded companies tend to have greater maturity than those of privately owned ones, but like much in cyber, this too is relatively immature.

There are several things a publicly traded board should reasonably be required to know about cyber issues. Think of a three-legged stool: there are standards and frameworks, there is overall governance, and finally there is the assessment of the financial harm of a risk left unaddressed. The not-for-profit research by the Crossroads Group highlights the need to identify circumstances that contribute to the organization’s cyber risk, first at a local scale within an organization, and to determine the organization’s appetite for these risks.² This leads to the implementation of a cyber risk plan containing actions to be taken to manage cyber risk and, of course, to setting up oversight mechanisms.

This article is taken from the broader AXA Research Fund report: Building Cyber Resilience: Threats, Enablers and Anticipation.

About the author: Libby Benet, JD is the Global Chief Underwriting Officer of Financial Lines at AXA XL. Libby is a Supervisory Board Member at S-RM, a global intelligence and cyber consultancy and a member of the Minnesota Lawyers Mutual Board of Directors. Libby holds a BA in Political Science from Towson University and a JD from University of Baltimore School of Law.

¹ Enhancing the Role of Insurance in Cyber Risk Management, OECD, December 2017

² Cybersecurity is at a Crossroads, Cyber Crossroads, May 2021

