Doris Höpke revealed 90% of Munich Re’s cyber book is made up by SME clients, who she says are disproportionately affected by cyber attacks compared to larger corporates

Nine tenths of Munich Re’s cyber book of business is made up of small- and medium-sized enterprises (SME) exposures, the reinsurer said at its press conference in Baden-Baden.

Munich Re management board member Doris Höpke said this was primarily in response to the needs of the market.

Speaking in Baden-Baden, Höpke said while the larger companies incurred the largest nominal costs in cyber losses, proportionally the loss is much greater for SMEs. So much so she said cyber-attacks threatened SMEs’ survival.

“Larger companies may be more likely to be targeted by attackers, but they are also better protected than smaller companies, they have their own cyber expertise, and bigger budgets to protect themselves,” she said.


“Smaller businesses at cost per head count are disproportionately more affected by a cyber-attack.”

For corporate clients, Munich Re offers tailor-made solutions. But she said Munich Re also focuses on SME risks for its own risk management purposes.

“There are complexities and uncertainties related to cyber insurance and these are higher than in our traditional business,” she said.

“Though we’ve been working on the subject for around ten years now, smaller companies and smaller limits are simply a good starting point to build up our cyber risk.”

She said the protection gap would be best closed in the cyber field by a combination of risk management and risk transfer.

She wants companies to be well-prepared in how to respond to cyber-attacks, to minimise losses after an attack, and said this could be best achieved by working in conjunction with an external partners.

Höpke added: “Support and advice is needed, and so we believe the cyber risk can be best handled by a combination of risk transfer with this type of support advice and services.

“There we will team up with the companies who bring in their specific expertise, probably from mainly outside of the re/insurance industry.”

She warned that the re/insurance sector could not afford to ignore cyber risk due to the lurking threat of silent cyber claims but added that there were certain areas of cyber exposure that Munich Re had deemed uninsurable.

Höpke said this was the case for outages of external networks.

“This can have consequences all around the world that are completely unforeseeable to who is affected in what dimension, she said.

“This would really go beyond the capacity of the insurance industry, so we believe it is not insurable.”

Höpke added: “Addressing cyber risk also includes respecting the limitations of insurability.”

Munich Re has identified and modelled three major insurable loss scenarios within cyber.

These scenarios are virus and malware, data breach, and an IT service provider’s outage.

One of the biggest reinsurance challenges raised by Höpke was the danger posed was how to deal with accumulation risk.

She said through natural catastrophes, the reinsurer was used to dealing with an event affecting millions of policies, but the difference with cyber was the global nature of the accumulation.

“The digital world doesn’t know any boundaries, so we cannot ring-fence cyber risks geographically,” Höpke said. “The risk is spread across the globe and it makes accumulation control so much more difficult than in other lines of business.”