Recent significant hacks yielded valuable data allowing carriers to determine what to demand from policyholders about their minimum defenses against hackers, and informed insurers on how to price the risk they cover, insurers and analysts said.
Still, the biggest risk hasn’t yet materialized: a cyberattack against a company or information services system so important to an economy, or to society as a whole, that it reaches systemic levels. One so big, perhaps, it might take down carriers.
“I think it’s important we stress that the insurance industry has not had a catastrophic event,” said John Coletti, head of cyber reinsurance at Swiss Re.
Major incidents such as the NotPetya virus in 2017, attacks against critical infrastructure providers including Colonial Pipeline Co. in 2021, and vulnerabilities in commonly used software such as Microsoft Corp.’s Exchange product have raised alarms and tested coverage limits, Mr. Coletti said. But none have metastasized into an existential threat.