
Confronted with increasingly complex risks, the global insurance industry faces many emerging challenges to traditional underwriting and risk management frameworks, particularly from the evolving perils of climate and cyber risk. Though once viewed as independent, research suggests these perils interlock in ways that compound these risks, revealing an urgent need for the industry to begin managing them as an intertwined threat.
To assess these potential interactions and explore how to build a more resilient future, the 2025 CAS Annual Meeting featured subject-matter experts Jess Fung, managing director of North American cyber and analytics lead for North America at Guy Carpenter; Kieran Bhatia, senior vice president of climate and sustainability lead for North America at Guy Carpenter; and Matthew Berninger, senior vice president and principal cyber analyst at Marsh McLennan.
Climate in isolation
Bhatia set the stage by reviewing the financial impact of natural catastrophes, noting that total insurance and economic losses have consistently risen over the last 45 years. This trend links directly to skyrocketing global temperatures and carbon dioxide levels not observed for millions of years. [1]
While loss increases are often the first factor that comes to mind when discussing climate risk, it is critical to recognize other significant influences such as population growth, exposure changes, and supply chain management. Market behavior reflects the industry’s response to these rising risks, with carriers exercising a myriad of strategies including:
- Reducing exposure in certain regions and advocating for price increases.
- Exiting entire lines of business.
- Issuing more climate risk disclosures, of which there has been a recent uptick.
- Raising retentions and adjusting occurrence limits.
Furthermore, analysis of property insurance premiums from 2018 to 2023 shows that premium increases have been concentrated almost exclusively in the highest ventile, indicating that the industry is becoming more refined in how it prices changes in physical risk.
Cyber in isolation
Fung led the overview of cyber risk, defining cyber events as both malicious incidents, such as those involving cybercriminals or nation-state actors, and accidental incidents, such as system outages that disrupt computer networks or technology services. The impacts can be non-physical, like data encryption, or physical, such as damage to factories or bodily injury.
Traditionally, non-physical impacts are covered by affirmative cyber policies while physical damage is covered by standard P&C policies. Standard cyber coverage includes first-party costs such as business interruption, extortion payments, and third-party liability. Key cyber risks include ransomware extortion, privacy breaches, cloud outages, business email compromise, and zero-day vulnerabilities.
Berninger emphasized two key forces driving the current cyber environment: artificial intelligence (AI) and operational technology (OT). For AI, the rapid deployment of applications often maximizes functionality but can also introduce new vulnerabilities into cloud environments, leading to insecure configurations. For OT, as organizations become more resilient to standard ransomware payments, attackers are shifting focus to high-leverage sectors like healthcare and manufacturing where even short periods of downtime are costly.
The industry’s response to these trends is transforming the market in:
- Underwriting: Carriers are moving beyond traditional questionnaires to incorporate technographic information such as outside-in scanning and software dependencies to better differentiate risk.
- Capital: Mounting systemic events have spurred innovative risk transfer solutions such as cyber cat occurrence coverage and cyber insurance-linked securities (ILS) to bring new capacity into the market.

Risks intertwined
As global interconnectivity and reliance on technology expand, the need for data centers and digital infrastructure rises, which consumes more energy and water for cooling, thus contributing to climate risk. Similarly, by posing a threat to the physical infrastructure of those digital assets, climate events enhance cyber vulnerability, creating a cyclical feedback loop of risk.
As an example of physical climate risks on the cyber landscape, Bhatia detailed how stronger storms that maintain intensity inland could place data centers lacking backup power at risk of significant disruption, leading to major cyber-related business interruption losses. Solutions include resilient infrastructure in high-risk locations and strategic placement of new facilities in areas with lower future climate risk.

Bhatia also analyzed transition climate risks, discussing how the global shift to green energy sources like wind, solar, and nuclear, while essential to mitigating climate risk, can introduce new digitized infrastructure that remains vulnerable to remote cyberattacks, especially through the Internet of Things (IoT). AI presents a vulnerability and a solution, with projects underway that use AI to both simulate and detect cyberattacks on wind farms and on other critical infrastructure by analyzing real-time sensors and network data.
Focusing on cyber threats, Berninger explained how cyber operations are increasingly used to amplify the negative effects of weather events against both power grids and water systems. For power grids, he discussed how adversaries can exploit grids driven by green technology and improved computational management by turning them into target systems. Hitting the power grid during extreme weather offers the greatest leverage and public impact. He noted that the rising homogeneity of OT operating systems makes attacks on OT and AI systems more scalable than in the past, leading to greater potential for widespread blackouts. For water systems, Berninger highlighted the growing interdependence of water and power, rendering the simultaneous disruption of these critical services a high-leverage risk.
Futureproofing the insurance industry
All panelists emphasized that the insurance industry cannot allow climate risk and advancements in technology to outpace its ability to manage the associated risks. Approaches for managing the converging risk of climate and cyber include:
- Stress Testing for Compound Risk: Scenarios must be developed that treat climate and cyber as compound risks.
- Hardening Infrastructure: Data centers and energy facilities must be built to withstand extreme weather events. This strategy includes physical measures like ensuring critical technology is not located in basements or ground floors susceptible to flooding.
- Informed Sourcing and Locating: Data centers and energy infrastructure must be located based on both present and future physical risk and climate studies.
- Closing the Regulatory Gap: As green energy and AI adoption outpace regulation, insurance and other risk transfer products must step in to offer needed protection.
By adopting an intersectional view of climate risk and cyber risk, the industry can develop the sophisticated underwriting, capital, and resilience strategies necessary to navigate this complex, converging crisis and ensure the long-term stability of the economy and the insurance marketplace.
[1] https://www.climate.gov/news-features/understanding-climate/climate-change-atmospheric-carbon-dioxide
William Nibbelin is a senior research actuary for the Insurance Information Institute.







