The cyber insurance market stands on the brink of becoming a “peak peril” capable of causing catastrophic losses to traditional reinsurance, industry experts warned during a panel discussion on Tuesday.

Ian Newman, the global head of cyber at Gallagher Re, said during ILS Bermuda Convergence 2025, held at the Hamilton Princess & Beach Club, that cyber becoming a peak peril was “only a matter of when, not if”, emphasising the staggering scale of potential future losses. The panel defined “peak peril” as an event that could cause “$30 billion to $50 billion worth of reinsurance damage” from a single cyberincident.

Despite widespread media attention around recent cyber events, the industry has not experienced the “really big one yet”, Mr Newman noted.

“It’s funny when I speak to people sure it’s happened already, like, no, [I tell them] it’s not actually happened,” he explained, pointing out that the largest industry loss to date was the 2017 NotPetya attack at $3.3 billion — far below peak peril territory.

Richard Gray, the head of third-party capital at Beazley, one of the world’s largest cyber underwriters, spoke about how his company pioneered the cyber catastrophe bond market in 2023.

Even high-profile incidents such as CrowdStrike, which dominated headlines last summer, resulted in industry losses of only “around a billion or so dollars”, Mr Gray observed.

During the panel, the speakers discussed the August cyberattack on Jaguar Land Rover, which shut down its systems for months and left the British car manufacturer’s plants and stores unable to operate.

Mr Newman highlighted: “You’ve got a very large company that didn’t buy cyber coverage, yet it’s been evidenced that their loss to a cyber event is as big as if it could be a fire. Indeed, if you think about an even bigger manufacturer, someone like a VW [Volkswagen], who have got multiple plants, actually, a cyberattack could be far greater for them, because it could hit multiple plants at the same time, so you don’t have the redundancies built in that you might do from traditional insurance.”

The panel also noted JLR’s inability to produce cars for months, with additional commentary from Mr Newman: “This is a very large organisation that, as you say, can’t produce the goods, and still can’t produce months later, and so that, I think, is a wake up call towards the world.

“JLR did not have cyber insurance. They could have, and they didn’t.”

The panel emphasised the broader consequences — how the British Government had to backstop loans to keep JLR’s supply chain afloat and the existential risks for company leadership when such attacks happen.

Brittany Baker, the head of solution consulting and ILS at CyberCube, discussed how the WannaCry attack in 2017 could have been far more devastating if not for a stroke of luck. “Someone stumbled upon the kill switch within hours of this attack happening,” she noted, pointing out that this simple piece of code effectively stopped the ransomware’s spread.

Ms Baker explained: “If that kill switch didn’t exist, or we just didn’t find it fast enough, now we’re looking at $4.5 billion to $7.5 billion [in losses].”

In other words, “small changes” in either attackers’ methods or defenders’ response could turn a headline-grabbing event into a truly catastrophic loss for the insurance industry.

The panel's consensus: while cyber has not yet reached peak peril status, it is inevitable that cyber will eventually stress traditional reinsurance balance sheets and call for alternative capital solutions to support the market.