Industry experts warned this week that the cyber insurance market is approaching the point where it could become a “peak peril” capable of inflicting catastrophic losses on traditional reinsurance.
The comments came during a panel discussion at ILS Bermuda Convergence 2025, held at the Hamilton Princess & Beach Club.
Ian Newman, global head of cyber at Gallagher Re, told attendees that cyber becoming a peak peril is “only a matter of when, not if,” highlighting the potential for future losses on a massive scale.
The panel defined a “peak peril” as a cyber event that could cause between US$30 billion and US$50 billion in reinsurance losses from a single incident. Newman noted that, despite significant media coverage of cyber events, the industry has not yet experienced the “really big one.”
“It’s funny when I speak to people sure it’s happened already, like, no, [I tell them] it’s not actually happened,” Newman said in a report from the Royal Gazette, referencing the 2017 NotPetya attack, which resulted in US$3.3 billion in industry losses – well below the threshold for a peak peril.
Richard Gray, head of third-party capital at Beazley, discussed his company’s role in launching the cyber catastrophe bond market in 2023. Gray observed that even high-profile incidents, such as the CrowdStrike event that dominated headlines last summer, resulted in industry losses of only “around a billion or so dollars.”
The panel addressed the August cyberattack on Jaguar Land Rover (JLR), which shut down the company’s systems for months and halted production at its plants and stores. “You’ve got a very large company that didn’t buy cyber coverage, yet it’s been evidenced that their loss to a cyber event is as big as if it could be a fire,” Newman said.
He added that a cyberattack on a larger manufacturer, such as Volkswagen, could be even more severe, potentially affecting multiple plants simultaneously and eliminating redundancies present in traditional insurance scenarios.
Panelists noted that JLR’s inability to produce vehicles for months highlighted the broader consequences of such attacks. Newman remarked, “This is a very large organization that, as you say, can’t produce the goods, and still can’t produce months later, and so that, I think, is a wake up call towards the world. JLR did not have cyber insurance. They could have, and they didn’t.”
The discussion also covered the wider impact, including the British Government’s intervention to backstop loans for JLR’s supply chain and the existential risks facing company leadership during such events.
Brittany Baker, head of solution consulting and ILS at CyberCube, spoke about the 2017 WannaCry attack, noting that its impact was limited only because “someone stumbled upon the kill switch within hours of this attack happening.”
She explained that, without this intervention, losses could have reached US$4.5 billion to US$7.5 billion. Baker emphasized that “small changes” in attacker tactics or defender responses could transform a headline-making event into a catastrophic loss for the insurance sector.
The panel’s discussion comes as the cyber insurance-linked securities (ILS) market emerges as a critical alternative capital source for the sector. Over US$750 million has been deployed in underwritten Rule 144A catastrophe bonds, providing underwriters with tools to manage systemic risks and expand capacity as demand for cyber insurance grows.
Gallagher projects that the cyber insurance market will more than double over the next decade, driven by heightened awareness of cyber risks and the need for additional capital to support growth.
What are your thoughts on this story? Please feel free to share your comments below.
