Reshaping the future of cyber reinsurance – Guy Carpenter

Cyber is no longer a niche line of business. The global cyber insurance market expanded to reach $16.6bn in premium last year, according to Guy Carpenter’s Behind the Firewall report, with growth outside North America now outpacing that within it.

As it continues to mature, the cyber reinsurance market is undergoing a similar evolution, with buying patterns, risk appetites, and structural approaches shifting to match changing threats.

Anthony Cordonnier and Erica Davis, global co-heads of cyber at Guy Carpenter, spoke about these trends in a wide-ranging discussion ahead of this year’s Monte Carlo Rendez-Vous.

Cyber is different

The cyber pricing cycle has not followed quite the same rhythm as other classes. “What we’ve seen with cyber is a fairly early hardening compared to the reinsurance markets,” Cordonnier says. “It was really driven by the ransomware epidemic in 2019, the emergence of new losses and the consequential hardening of the underlying markets.

“That was followed by a sudden change in appetite and hardening of rates in the reinsurance markets – all while property and casualty were still soft.”

Cyber’s hard market phase, he adds, “finished earlier than the rest of the market”, easing off in 2022–23 while property catastrophe business was still tightening.

On the primary side, Davis says, insurer cyber risk appetites and tolerances “are naturally evolving with the market maturing”.

Over the past two years, “clients are more confi dent about how their portfolios will behave and respond to cyber risk, so they’re reassessing their approach to reinsurance”.

This reassessment has come against a backdrop of heightened loss activity. “In the last 12 to 24 months, there has been a heightened level of both frequency and severity,” she says.

“Ransomware remains one of the prevalent loss trends, most notably with the prominent attacks by Scattered Spider.”

Scattered Spider vs CrowdStrike

The Scattered Spider activity, linked to sophisticated ransomware attacks across sectors including UK retail, is one of several recent reminders of cyber’s systemic risk potential. Guy Carpenter’s Caught in a Cyber Web briefing examined how April and May 2025 ransomware incidents disrupted operations at UK retailers Marks & Spencer, Co-Op and Harrods.

“These were very sophisticated attacks using social engineering and credential exploitation,” Davis says.

“They show the need for clarity in treaty wording and for protections that are really fit for purpose.”

She stressed that Scattered Spider was “a cyber-criminal network executing a series of different attacks”, whereas the 2024 CrowdStrike incident originated from a discrete outage, thus highlighting the need for precision of intent in occurrence wordings.

That outage, caused by a flawed software update to CrowdStrike’s Falcon endpoint detection and response tool, triggered widespread disruption – from thousands of cancelled flights to retail and healthcare interruptions – but limited insured losses.

Cordonnier says such events force reinsurers and cedants to “scrutinise not just the big cat potential, but also the volatility from smaller events adding up during the year”.

Davis adds: “Those big doomsday scenarios are easy to concoct, but they must be grounded in the technological resiliencies of today.

The recent flurry of small-scale cyber cat has taught us to test the boundaries of cyber risk – how it’s quantified, managed, and assessed.”

Proportional still dominates

On structures, proportional reinsurance remains the most common form of cyber risk transfer. “Cession rates have reduced a little – from maybe 50% in 2022 to around 40% now – but it’s still the dominant form,” Cordonnier says. “The maturity of the cedant’s portfolio is a bigger driver of structure than geography.”

However, the fastest growth has been in non-proportional covers.

“Over the years we’ve seen an increase in non-proportional limits being purchased, mostly on an aggregate basis,” he says. “Up until two or three years ago, specific occurrence cyber markets didn’t exist. Now they do, and limits purchased for that have grown tremendously.”

There is also renewed interest in risk excess-of-loss reinsurance treaties: “That market used to exist in the mid-teens until about 2018–19, when those covers disappeared. Now we’re seeing it come back, with a much bigger, more robust cyber market able to manage larger losses.”

Davis suggests that clients are seeking “greater structural efficiencies and innovation as the views of attritional and cyber catastrophe shift”.

Aggregate stop loss is valued for its completeness of cover, “but more recently the pricing hasn’t always made sense – they’ve been attaching too far out and there haven’t been meaningful recoveries after 10 years of being sold”.

Sustainability is key, she stresses: “Our clients want products that are clean, straightforward, and transparent for both buyers and sellers to understand,” Davis adds.

Beyond North America

The biggest growth rates are now outside North America. Guy Carpenter data shows compound annual growth of 17% in rest of world cyber premium between 2022 and 2024, compared to 8% globally.

Davis points to non-North America portfolios “performing about seven points better than North America on an ultimate loss ratio basis, due to the impact loss trends”.

Cordonnier suggests this reflects lower penetration and untapped demand: “It’s a segment that’s delivering very strong growth rates. That’s attractive for reinsurers looking to diversify.”

While APAC penetration is still low – Marsh estimates 4–7% for SMEs – uptake is rising rapidly, particularly in markets such as Japan, India, and Singapore. Europe remains competitive, with falling rates and increasing capacity encouraging large-risk buyers to expand programmes.

Events such as CrowdStrike, CDK Global and the UK retail ransomware illustrate the ‘Kitty Cat’ phenomenon highlighted in Guy Carpenter’s CrowdStrike analysis – mid-size events that meet catastrophe criteria but at smaller scale.

For underwriters, Davis says, these incidents can offer some valuable data points: “They refine how to best protect capital without a doomsday loss quantum,” she says.

Cordonnier adds that clients are increasingly comfortable with tail risk itself: “They’re now just as concerned with the aggregation of smaller events and the volatility in their results, and looking to the reinsurance market to help manage that.”

As the cyber market grows, attention is turning to capacity needs. “There’s abundant traditional capacity currently, but long-term we will need to supplement that, given continued growth,” Davis says. “There’s exploration around structures that can be supported by alternative capital.”

Further expansion

Looking ahead, both co-heads expect more cedants from growth regions to become significant cyber reinsurance buyers. “If we fast-forward five or ten years, we’ll see many more Asian insurers buying cyber reinsurance covers,” Davis says.

Cordonnier adds: “The composition of buyers will broaden, and with it, the structures they purchase and the way they manage volatility will continue to evolve.”

To download the full Monte Carlo RVS 2025 annual issue of GR, click here.