Cyber war: the ‘myth’ that’s keeping ILS out of the game
In cyber, the prevailing “myth” of an impending “cyber Armageddon” has kept capital cautious, pricing high and attachment points untested. The irony, as one industry researcher argued at Convergence 2025, is that the catastrophe reinsurers and ILS investors fear most — cyber war — simply doesn’t exist in the way the market imagines.
Tom Johansmeyer, global head of index classes, Price Forbes Re, previewed doctoral research challenging the market’s fundamental assumption: that a systemic cyber war event could rival a natural catastrophe. “Cyber war is one of the biggest problems in the reinsurance market,” he began, before quickly undercutting that belief.
“What we have here is a hyperbolised view of cyber war by the industry, which is inconsistent with lived experience, empirical evidence and historical analysis,” he said.
The data, Johansmeyer argued, show that despite decades of warnings — from RAND’s “cyber war is coming” in 1993 to fears around Stuxnet, NotPetya and WannaCry — the big systemic cyber cat has never arrived. “The cyber war everyone is scared of — the ‘big one’ — isn’t coming,” he said. “Because cyber war doesn’t work.”
Johansmeyer backed that claim with three decades of empirical evidence. “Cyber damage is easily reversible,” he said. “Cyber is great because it doesn’t leave a scar. It’s a great way to exercise coercive diplomacy rather than to engage in war itself.”
Even the most sophisticated cyber weapons fail to deliver meaningful disruption. “Cyber weapons are of limited effectiveness,” he said, citing Pegasus as an example: “That tool had seven iPhone zero-day vulnerabilities costing at least $3 million each —the raw materials for that cyber tool was more than $20 million, plus the cost to build a tool around those zero days making it roughly $100 million all in. That’s four F-16’s.”
In other words, for the cost of a small air force, you buy one cyber tool that works once. “Integrating cyber into conventional warfare has been found to be virtually impossible,” he said. “That Hollywood view — the hacker shutting down the factory before Delta goes in — isn’t real life.”
Yet this exaggerated threat perception is having a tangible market effect. “The problem with our view of cyber war has less to do with what’s excluded or not, and more to do with the fact that we’re scaring the hell out of capital,” Johansmeyer warned.
By overstating unmodelled cyber war risk, the industry deters precisely the kind of long-term capital — from reinsurers and ILS investors — that could stabilise and expand the cyber market. “If you’re always worried that there’s something on the periphery that can tank the industry, you’ll hang back,” he said.
Cyber, Johansmeyer argued, could be a “much bigger class of business” if reinsurers and alternative capital step in to take volatility rather than avoid it. The path forward, he suggested, is clear: “Look at history, price the risk properly and stop fighting a war that isn’t real.”
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.
