Insuring Catastrophic Cyber Risk

Sasha Romanosky, Lloyd Dixon, R. J. Briggs, Henry H. Willis

Research | Published Jun 9, 2025

The growing information technology (IT) and computing infrastructure and an evolving threat landscape are increasing the difficulty for individual firms to protect their IT systems. At the same time, the interconnectedness of business services (including cloud services) and the widespread use of vulnerable software and hardware have heightened the risk of cyber incidents affecting many companies simultaneously, causing significant aggregated losses. Together, these factors pose the threat of a cyber catastrophe. In response, the U.S. Department of the Treasury is investigating the need for a federal response to manage harms from a catastrophic cyber event. The justifications for such a response and the specific form of that response remain undetermined but are becoming increasingly pressing. To support policymaking on these topics, the authors of this report describe the implications of the nature of cyber risk for the functioning of insurance markets, review trends and potential gaps in insurance markets, and discuss policy options to address observed shortfalls in private insurance markets, including a public-private risk-sharing scheme for a federal Cyber Risk Insurance Program (CRIP) that features two reinsurance towers. This report is intended to inform public- and private-sector deliberations on how to improve cyber risk management and inform policymaking related to cyber insurance markets.

Key Findings

  • Policy exclusions related to acts of war and IT infrastructure help justify a potential federal insurance response. Therefore, an important factor to track is private-sector coverage for these exclusions.
  • Cyber insurance premiums should decline once a federal insurance program such as CRIP removes the tail of cyber risk. The reduction in tail risk and the associated improvement in the ability to estimate expected annual loss should also reduce the catastrophic risk load and the ratio of premium to expected annual loss.
  • The program should also allow insurers to release capital that they would otherwise need to hold in anticipation of a catastrophic (or aggregated) event.
  • Insurance carriers and brokers are improving their ability to track and measure cyber risk. Together with a broader data collection and analysis effort implemented by a federal insurance program, a potentially useful progress measure would be the amount of collected and analyzed data and the insights generated from that analysis.
  • A primary interest of any government insurance intervention is to reduce the amount of uninsured losses that could be suffered by U.S. companies or individuals (i.e., to reduce the protection gap). For cyber insurance, the protection gap is composed of two main components: uninsured losses from firms that do not carry cyber coverage and uninsured losses because of the war and infrastructure policy exclusions.

Document Details

Citation

Chicago Manual of Style

Romanosky, Sasha, Lloyd Dixon, R. J. Briggs, and Henry H. Willis, Insuring Catastrophic Cyber Risk. Santa Monica, CA: RAND Corporation, 2025. https://www.rand.org/pubs/research_reports/RRA3817-1.html.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

Version Note

This publication supersedes a previous version published in 2025 (WR-A3817-1).