Simon Glairy is a distinguished figure in the risk management landscape, renowned for his ability to translate complex digital threats into actionable insurance strategies. With a career dedicated to the intersection of Insurtech and AI-driven assessment, he has watched the cyber insurance sector evolve from a niche experiment into a critical pillar of global economic stability. As geopolitical tensions spill over into the digital realm, his insights into how we quantify the “unquantifiable” have become essential for businesses and policymakers alike.
Underwriting has shifted from traditional property models to focusing on operational resilience and granular loss data. How has this transition improved the accuracy of risk assessments, and what specific data points are now most critical for determining a company’s insurability?
The evolution of cyber underwriting has been nothing short of a quantum leap over the last decade, moving away from the rigid, historical frameworks of property insurance. Instead of relying on decades-old actuarial tables that simply don’t exist for the digital world, we are now diving deep into the heartbeat of a company’s operational resilience to see how they stand back up after a hit. Today, the most critical data points aren’t just past losses but granular insights into thwarted attacks and the specific “cyber hygiene” protocols a firm has actively in place. By shifting the focus to how a business defends its perimeter in real time, insurers gain a much clearer, more confident picture of risk that traditional property models—which were never designed for the speed of code—simply couldn’t capture.
A coordinated strike on power grids or water networks could generate losses exceeding $5 trillion, far surpassing current industry reserves of $1.5 trillion. In what ways do these systemic scenarios differ from standard ransomware claims, and how should insurers communicate these solvency limitations to policyholders?
Systemic scenarios like a coordinated strike on our power grids or water networks represent a “cyber Armageddon” that operates on a completely different scale than a typical ransomware incident. While a ransomware claim might be a painful local headache for one company, a systemic event could trigger losses exceeding $5 trillion, which would instantly evaporate the entire insurance industry’s $1.5 trillion capital base. We have to be brutally honest with policyholders: the private market is built to handle the attritional friction of daily business, not the wholesale collapse of national infrastructure. It is a sobering and heavy conversation to have, but insurers must communicate that their role as a financial backstop has physical, mathematical limits when faced with the overwhelming resources of state-sponsored aggressors.
Policy language is becoming increasingly explicit regarding exclusions for nation-state actors and cyber warfare. How are these tightened terms affecting the relationship between brokers and clients, and what strategies can businesses use to address the resulting gap in their risk management portfolios?
The tightening of policy language regarding nation-state actors has introduced a new layer of tension and complexity in the relationship between brokers and their clients, often leading to difficult boardroom discussions. As exclusions for cyber warfare become more explicit and rigid, businesses are suddenly realizing that the safety net they thought was absolute actually has significant, intentional holes. To bridge this gap, brokers are now spending far more time dissecting the fine print, forcing businesses to diversify their risk management portfolios beyond just buying a policy off the shelf. Companies are increasingly forced to look at internal contingency funds or specialized captive insurance structures to handle the “uninsurable” grey zone created by high-level geopolitical conflict.
Insurance is increasingly viewed as a defensive tool for improving cyber hygiene rather than just a financial safety net. What specific technical requirements are insurers now demanding from clients, and how does this hands-on approach reduce the severity of frequent losses like data breaches?
Modern insurance has evolved into a proactive defensive shield, where the premium paid is almost a secondary consideration to the rigorous security standards required for eligibility. Insurers are now essentially acting as risk consultants, demanding technical benchmarks like multi-factor authentication, encrypted backups, and robust incident response plans before they even consider offering a quote. This hands-on approach is designed to scrub away the “low-hanging fruit” vulnerabilities that lead to the frequent, attritional data breaches we see in the headlines every day. By enforcing high cyber hygiene, we aren’t just moving money around after a disaster; we are fundamentally shrinking the surface area that attackers can exploit, which keeps the entire economic ecosystem more stable.
Existing frameworks like the Terrorism Risk Insurance Program offer a potential blueprint for a government-backed cyber solution. What would the structural requirements for such a partnership look like, and how could it incentivize companies to maintain high security standards?
A successful government-backed cyber solution would likely mirror the structure of the Terrorism Risk Insurance Program, or TRIP, acting as a massive safety valve for events that exceed all private capacity. For this partnership to work, the government would need to set strict eligibility criteria, essentially mandating that companies maintain gold-standard security practices to qualify for that federal backstop. This creates a powerful, tangible incentive for businesses to harden their defenses, knowing that federal support only kicks in if they’ve done their part to protect themselves. It’s a model that has proven its worth over time; TRIP hasn’t cost American taxpayers a single cent in over 20 years, proving that a public-private partnership can provide peace of mind without being a constant financial drain.
What is your forecast for the cyber insurance market?
My forecast for the cyber insurance market is one of cautious maturation toward a hybrid reality where the line between private industry and public duty becomes increasingly blurred. We will see the private market continue to get better at handling everyday threats like ransomware through better data, but the “big one”—that systemic infrastructure event—will eventually force the hand of policymakers to create a formal federal backstop. As awareness of state-sponsored threats grows, I expect to see a shift from the current complacency to a proactive, standardized national framework. Ultimately, the question won’t be whether cyber risk is insurable, but how we collectively shoulder the burden of protecting our digital society when the stakes involve trillions of dollars.
