JAN MARTIN LEMNITZER | Department of Digitalization, Copenhagen Business School
For two decades, cyber insurance was a niche sector of the insurance industry: tiny but boasting strong growth rates and enormous profit ratios. Yet, between 2019 and 2022, the cyber insurance industry was devastated by the explosion in ransomware, which caused huge payouts and escalating losses. Some insurers are now fleeing from the sector entirely.
This article will shine some light on how the cyber insurance industry works and how it has responded to the ransomware impact. After discussing why insurers struggle with accurately pricing the cyber risks posed by the companies in their portfolios, it will explore the evidence in support of the claim that having cyber insurance improves a company’s IT security.
The final section offers a radical proposal to make cyber insurance compulsory for small- and medium-sized companies (SMEs) to tackle their known and longstanding issues with IT security. If combined with an externally established minimum IT security standard developed for SMEs and light regulation on insurance policies, this measure could transform IT security in thousands of companies and vastly improve their resilience against ransomware and other cyberattacks.