At RISKWORLD™ 2025 in Chicago, Dan Reynolds, the editor in chief of Risk & Insurance, sat down with Bob Parisi, Head of Cyber Solutions,  Munich Re Facultative & Corporate – North America, and a long-time veteran of the cyber insurance business. What follows is a transcript of that discussion, edited for length and clarity.

Risk & Insurance: Thanks for meeting with us, Bob. As you view the current cyber insurance market, how do you assess its sustainability in terms of pricing and capacity?

Bob Parisi: Sustainability is a critical issue for us at Munich Re, given our significant presence in the cyber market through our various entities. Our board of management views cyber as a crucial product that we must provide to our clients, so we have a strong motivation to maintain its sustainability.

A year ago, I would have been more pessimistic about the market’s sustainability. However, over the last two quarters, we’ve seen a deceleration in price drops, with pricing hovering around a base level, which is less dangerous from a sustainability perspective. This gives hope that we are at a “new normal,” although prices could still fluctuate.

From a coverage perspective, we still see some lack of discipline in the market, with insurers doing things that threaten their sustainability. However, the market is recognizing that there are things we can and cannot insure based on our ability to evaluate risks through underwriting. The constant and often reckless push to expand coverage has stopped, and the focus has shifted to improving underwriting to ensure correct pricing and appropriate coverage.

At Munich Re, we are championing the concept of “inside out” underwriting, which involves applicants voluntarily sharing their cloud configurations with carriers through partnerships like the one we have with Google. This approach makes the underwriting process more transparent and easier, leading to better risk assessment.

Overall, the market is moving on multiple fronts to improve sustainability, including enhancing underwriting practices and leveraging technology. While pricing is a key factor, bad underwriting and coverage creep can undermine sustainability even with higher prices. The current trends in the market are positive indicators for the future sustainability of the cyber insurance product.

R&I: Are you observing a significant influx of new entrants in the cyber insurance market?

BP: While there hasn’t been a substantial number of new entrants recently , we have witnessed a reshuffling of sorts in the market over the past few years. Some existing players have increased their capacity or expanded into new areas, such as moving from the SME space into larger businesses.

We are seeing markets broaden their appetites and footprints. There are new markets emerging in Bermuda and London, with what seems like a new cyber MGA launching every week. Some of these ventures are well-thought-out and intelligent, while others appear to be driven by a fear of missing out.

The cyber insurance market is growing most rapidly in Europe and Asia, while North America continues to grow at a slower pace. As the cyber tide has rolled eastward, Europe and Asia are beginning to recognize cyber coverage as a necessity, much like North America has. This is where we are seeing growth, including insurers that may not have a presence in North America.

R&I: What is driving the growing use of captives for cyber risk, and how are companies approaching this?

BP: The use of captives for cyber risk has increased for several reasons. While cyber coverage is still relatively volatile and less mature compared to other lines like property or casualty, there have been improvements in modeling and understanding over the last few years. Clients have started to view cyber as an operational risk that belongs on their enterprise risk register, making it a normal consideration for captive use.

Captives are being used to buy down or fill in deductibles, participate as a commercial player on towers, or take on the risk with reinsurance from companies like Munich Re. The reinsurer provides underwriting guidance, claims experience, and handling while allowing the captive to participate at its discretion..

As cyber risk increases, particularly with novel exposures from AI or increased privacy exposure in Europe, captives are considering these factors. However, the biggest driver is the SEC’s clear stance that cyber risk is a material risk that boards must oversee. Once the board starts thinking about cyber, it gets pushed down to treasury, and if a company has a captive, they start to consider how to use it for cyber.

Rather than standing up a captive solely for cyber, companies typically align their captive use for cyber with how they use it for other coverages. If they only use it to reduce deductibles, that’s what they’ll do with cyber. If they have a captive participate generally or use it for new risks with reinsurance to gain commercial knowledge, they’ll apply the same approach to cyber. Essentially, captives are starting to treat cyber as any other risk they would consider putting in the captive, which is how it should be viewed.

R&I: What factors have contributed to the lag in cyber risk being covered by captives compared to other lines of insurance?

BP: One reason is that cyber risk is more volatile than what captives typically consider, and it wasn’t on the radar of company boards for a while.

Another factor is that the cyber insurance market is relatively insular. Captive managers are often experts in property and casualty or directors and officers insurance; it’s rare to find a risk manager who manages the captive and has a background in financial lines, particularly professional liability or cyber. It’s possible that this lack of familiarity  with cyber risk has contributed to the lag.

However, as companies realize that cyber risk must be treated like other operational risks, it becomes easier for captives to participate. We have actively engaged in increasing our capacity, ability, and expertise to reinsure captives, including offering limits of up to $50 million. Our strong reinsurance capabilities and knowledge of cyber risk have positioned us to better assist organizations in bringing cyber into their captive.

R&I: How has Munich Re’s strategy of backing captives worked out for the company, both financially and in terms of client relationships?

BP: It’s been quite successful, yielding positive results both financially and in terms of client relationships. When reinsuring a captive, we work very closely with the client’s risk management and treasury teams.

This arrangement, while still an arm’s length purchase, creates a more intimate and close-knit relationship compared to a simple commercial transaction. It allows us to be more helpful to the client, but it also requires the development of mutual trust..

Once that trust is established, it fosters a much closer relationship. We enjoy this approach, and if possible, we would implement it with more clients that utilize a captive. We consider it a value-add that Munich Re brings to the market.

R&I: What impact have cyber attacks had in inflicting property damage?

BP: The WannaCry and NotPetya events were a seminal moment for the insurance industry a couple of years ago. Up until then, property carriers thought cyber was a liability issue, not their concern. However, these events resulted in billions of dollars of losses for property carriers that they hadn’t priced or underwritten for, leading to coverage declinations and litigation.

Interestingly, any triggered cyber policy paid out because it was a cyber event. Property policies with non-physical damage coverage suddenly experienced buyer’s remorse. This served as a wake-up call, prompting property insurers to reassess their exposure to silent cyber and extract it from their books.

As a result, property policies clarified that they covered physical damage, while non-physical damage from cyber events migrated to the cyber insurance market. Cyber carriers, including Munich Re, now provide property damage from a non-physical peril coverage, although it requires additional underwriting expertise. One of the benefits of Munich Re’s breadth is that we were able to tap into the expertise of Property and casualty underwriters, in crafting our approach to this coverage expansion.

Risk managers and brokers are still considering whether to request this coverage and how it should be priced and worded. While it’s an evolving area, the discussion itself has been helpful in maturing the cyber insurance market and aligning it with traditional insurance concepts.

Recent events have been near misses for the cyber market to some extent. However, WannaCry and NotPetya clarified the situation for property carriers .

R&I: What impact do you see AI having on cyber risk?

BP: AI is another type of technology, and from our perspective, we insure technology-based risks. AI is not excluded, but it does create some novel exposures, such as data poisoning and intellectual property issues like using someone else’s material to teach your AI. It also has its own problems, like hallucination.

As a market, we need to look at the new and novel aspects of AI. When we talk to clients or applicants about AI, it’s not so much about whether they use AI, but rather how they are approaching it. There are a couple of red flags: if a client tells us they’re absolutely not using AI, they’re either  naive or they just don’t know they are, which is a red flag. If they’re overly enthusiastic about AI, that’s also a red flag .

However, if we have a discussion where they’re treating AI like a new or novel piece of technology and taking a common-sense, logical approach, that’s good. We want to know what they’re doing. You could focus on the negative aspects, like threat actors having access to AI and using it for attacks and deepfakes, which is kind of the Terminator Skynet viewpoint. Alternatively, you could look at AI as a tool for the CISO to do a better job in defending and protecting their company, which is a good thing.

As an insurer, we have to get our minds around both perspectives. AI can help with tasks like checking logs that might have been overlooked due to manpower constraints, potentially discovering problems. It’s a new technology that we have to be aware of and look at, but the specific concern I have is the speed at which AI is evolving compared to other seminal changes in technology.

For example, it took roughly a hundred years for the printing press to become socialized, usable, and not viewed as evil or untrustworthy. AI, on the other hand, is evolving even as we speak. That level of adoption and change is tough to keep up with. However, if you look at it from a governance perspective and start applying the frameworks we use in evaluating risk, at least as a starting point, and then evolve them to deal with AI, that’s fine. The key is to keep a balanced approach and treat it like any other new risk, avoiding both head-in-the-sand and overly optimistic attitudes. &