If last year's NotPetya ransomware attack had been focused on Western economies rather than Eastern Europe it would have "turned the cyber insurance market on its head", according to Sompo International's global cyber product leader Brad Gow.
Speaking on a panel at modelling firm AIR Worldwide's casualty cyber seminar in New York last week, the executive said the insurance industry had "dodged a bullet" from the malware.
"Had that event affected Western economies rather than Ukraine and Russia for the most part it would have turned into the most significant event of 2017.
"It would have largely turned the cyber insurance market on its head because it gave lie to what is an appropriate time-period deductible," he explained.
Gow added that it was possible that if a similar attack occurred in the West it would lead to significant insurance losses that could wipe out at least 60 percent of available capacity in the short term.
The view was supported by Kara Owens, global head of cyber risk at TransRe, who said that underwriters with a marginal portfolio that had not experienced a cyber cat-type event would be put on the sidelines as loss ratios surged.
"There are only a few well-known carriers out there that have been around long enough [in the cyber market], suffered losses and built up a substantial amount of premium," she observed during the same panel session.
The attack impacted around half a dozen Western firms with operations in the affected region. Losses in the hundreds of millions of dollars emanated from week- and month-long business interruptions, Gow noted.
The Insurance Insider previously reported that Danish shipping giant Maersk and US pharmaceutical firm Merck were among the organisations affected by the ransomware, which exploited a vulnerability in tax accounting software widely used in Ukraine.
Meanwhile, the panel suggested there was a significant amount of naive capacity in the cyber market, particularly backing MGAs.
"It is the hyper-naive capacity with the ILS and alternative capital and other pools of capacity that want to commit to shorter-tail insurance coverage and want to place a bet. They're drawn like everybody else to the hot market, and cyber is the hot market.
"But that's the capacity that will be first out of the door when there's some adverse experience," suggested Gow.
Owens noted that after Equifax and other high-profile cyber losses last year, some underwriters that may have been considered naive capacity and had been writing primary layers have been moving higher up coverage towers.
But the losses also have the effect of increasing demand for cyber coverage, with Fortune 1000 companies buying higher and higher limits and more $500mn or even $600mn coverage towers appearing in the market.
Meanwhile, on the same panel, Frank Cilluffo, director at the Center for Cyber & Homeland Security at The George Washington University, said the insurance industry would "induce changes in behaviour" when it came to corporate and government responses to the cyber threat.
He also noted that Congress needed to introduce legislation to update laws that were drafted "before the internet even existed".
Owens added that the insurance industry would also have to revise policy language in areas like property and general liability, where wordings predate the exposure that now exists.
"As an industry we have to rewrite policies to address that exposure, whether it's excluding it or affirmatively covering it, and we need to understand what the exposure is and underwrite and price for it. As an industry that's our job," she said.
Gow warned of the challenge of trying to address "silent cyber" by changing general liability and property forms that were drafted prior to the emergence of the threat "in a market that's as soft as the current market is".
In other sessions at the seminar, AIR briefed on the potential impact and likelihood of systemic cyber events, and emerging tools for managing interconnected risks.