More losses, more pressure, more responsibility: How insurers are tackling climate change operationally
Climate change has become part of everyday life: The frequency and intensity of weather-related extreme events are increasing and are affecting regions that were previously considered low-risk. For insurers, this is shifting the focus from a purely actuarial view of historical data to scenario-based management in real time. This is operationally and regulatory-demanding. At the same time, customer expectations for transparent communication and rapid settlement are increasing; the resilience of claims processes is thus becoming a strategic competitive factor. Board members and division managers face a twofold task: First, to set up the claims organization in such a way that it can handle peak loads without neglecting day-to-day business. Second, implement regulatory requirements — in particular DORA from 17.01.2025 — cleanly from 17.01.2025. The following article bundles reliable facts, quantifies the business impact and outlines an implementable roadmap.
Executive Summary: What decision makers should know and do now
Insured losses due to natural disasters are increasing by 5-7 percent every year [1]. In 2024, global insured losses exceeded 100 billion US dollars for the fifth year in a row. In 2024, they stood at 137 billion US dollars; for 2025, the Sigma trend line points towards 145 billion US dollars [2]. With 206,000 claims and 8.75 billion euros, the 2021 Ahr Valley flood in Germany was the largest natural disaster since statistical records began [3]. At the same time, the mix of risks is shifting: Not only peak risks such as hurricanes, but also so-called non-peak perils such as heavy rain, hail and forest fires are driving up the amounts of claims. In the first half of 2024, 76 percent of insured losses were attributable to these secondary risks [4].
For insurers, these developments have three consequences: First, claims processes must be cross-channel, data-driven and highly scalable — including early warning mechanisms and dynamic capacity management. Second, the legal framework requires robust, testable digital operational stability along DORA, flanked by GDPR-compliant data processing. Thirdly, the active role of the sector in closing the climate protection gap is expected to be stronger, for example through prevention, parameter-based coverage concepts and cooperation with the public sector [5].
In summary: Resilience is the key to operational success. Anyone who combines decision-making capacity, data integration and scalability reduces claims costs, increases customer satisfaction and remains able to calculate despite increasing volatility.
Business impact & ROI: What pays off financially — and when
Against this background, it is worth taking a look at the economic levers in claims management. Increasing event frequencies meet limited processing capacities. The result is longer processing times, higher regulatory costs and reduced satisfaction (on the part of customers and employees). Practical experience and studies show that initial digital reports and photo receipts significantly reduce repair time: In US markets, customers with digital tools report an average cycle time of 15 days compared to 28 days without digital use [7]. Transferred to medium-sized stocks, this significantly reduces rental cars, accommodation and appraisal costs, for example in the event of motor vehicle damage. At the same time, European data shows that digital integration — and, where appropriate, automation — can streamline claims management and improve service [6].
The macroeconomic trend remains clear: Adjusted for inflation, insured Natkat losses have grown by an average of 5.9 percent per year since 1994 [1]. This must be addressed with an operational learning curve: early segmentation (e.g. trivial vs. complex claims), proactive routing to self-service or specialized teams, and dynamic management of external service providers. In major events, the ability to identify bottlenecks in real time and actively redistribute loads can significantly improve the loss ratio.
A conservative profitability calculation provides guidance: Anyone who reduces the average lead time by 20 to 30 percent through automation and video review and at the same time systematically qualifies initial decisions saves variable Opex in the two-digit basis; additional effects result from lower complaint rates and recourse improvements. Experience from J.D. Power studies confirm that speed and transparency drive customer satisfaction and thus reduce their willingness to cancel and switch [7]. The following applies to investment logic: Quick wins occur within 3 to 6 months in the FNOL (First Notice of Loss) route and when using external capacities; structural effects are exploited over 12 to 18 months with end-to-end data integration and intelligent load management.
Finally, the capital market is relevant: More frequent secondary risks increase retrocession and reinsurance costs, particularly in peak years. In addition to operational levers, this puts the focus on regulatory assurance of digital resilience.
Risks & compliance: pragmatically address DORA, VAIT replacement, GDPR and model risk
Effective from 17.01.2025, the Digital Operational Resilience Act (DORA) obliges all supervised companies to implement holistic ICT risk management, reporting channels for significant ICT disruptions, digital resilience tests and stringent third-party management [8]. BaFin has clarified: VAIT, KAIT and ZAIT were abolished as of 17.01.2025; the BAIT will be phased out gradually and will not be fully repealed until 31.12.2026. In order to avoid double regulation, BaFin has published advice and FAQs on governance, incident and outsourcing requirements since 09.01.2025 [9] [16] [17]. For insurers, this means that the claims and operational organization, together with IT, must establish a consistent control system that cushions load peaks just as much as cyber incidents. The BaFin FAQ also details the role of the ICT risk control function under DORA and its relationship with the former ISB under VAIT [18].
Data protection remains a basic requirement. The GDPR requires data minimization and purpose limitation [11] as well as a legal basis [12] for any processing. When using service providers, order processing contracts [13] are mandatory; video review and image analyses require technical and organizational measures that comply with the state of the art.
There is also the model risk. AI-based reviews and prioritization offer speed and consistency, but involve bias and explainability risks. The European Insurance and Occupational Pensions Authority (EIOPA) has specified the regulatory framework for AI governance in 2024/2025 and emphasized that existing insurance law, including DORA and GDPR, must be applied to AI applications [14] [15]. In practice, this means that application and data hygiene standards, role-based approvals, monitoring of error rates and clear escalation criteria must be defined.
At the same time, there is increasing pressure on the market to close the climate protection gap. EIOPA and ECB recommend a tiered state-private model including EU-wide reinsurance mechanisms and an EU fund for public disaster financing (with disbursements for reconstruction purposes) to keep extreme events financially viable [5]. This debate influences pricing, capacities and the expectation of prevention. The following scenario illustrates how these requirements pay off in the event of an incident.
Case vignette (scenario): When two storm fronts hit at the same time
Note: The following example is a model, plausible scenario based on industry-standard scales; it does not describe a specific insurer.
A German composite insurer with 2.5 million private customers experienced two parallel situations at the end of June: hail with extensive roof damage in the south and heavy rain with basement flooding in the west. Within 36 hours, the amount of damage received rises to eight times the normal level. In the past, this would have led to waiting times of several weeks. However, the insurer has prepared three levers: First, a cross-channel FNOL with self-service, chat and prioritized telephone routing. Second, a location cockpit that combines weather data, geodata and FNOL events in real time. Thirdly, a contractually pre-qualified pool of external experts with digital planning.
Result: 65 percent of notifications are automatically triaged within twelve hours. Video assessments cover 40 percent of roof damage; material bottlenecks are identified early on the basis of regional signals and communicated to partners. The average initial information given to customers is 90 minutes, and the average processing time is reduced by 27 percent despite peak loads. Complaints remain below 1.5 percent. The combination of data integration, standardized decision criteria and clear escalation paths — and the ability to manage external capacities in real time — was decisive from an operational point of view. From these components, the following roadmap derives concrete implementation steps.
Implementation roadmap: Resilient claims management in five phases
The following five phases translate the levers described above into an implementable sequence. The aim is to achieve noticeable effects in terms of turnaround time, quality and compliance within 6 to 12 months without destabilizing ongoing operations. Each phase is formulated in such a way that it can be implemented in parallel with regular day-to-day business and specifies clear responsibilities. Dependencies are minimized; quick wins are deliberately preceded in order to create measurable benefits at an early stage. Depending on the initial situation, the roadmap can be streamlined or stretched.
1. Diagnosis & Objective (4 to 6 weeks, responsibility: COO/Head of Claims, CISO/IT Management). Start with a fact-based maturity analysis along the end-to-end claims journey: channels, data flows, interfaces, bottlenecks, controls. Complement regulatory gap analyses on DORA, GDPR and outsourcing. The result is a target with clear indicators (e.g. lead time, initial resolution rate, complaint rate) and a prioritized implementation plan [9] [16].
2. Quick Wins in FNOL & Communications (8 to 12 weeks, responsibility: Claims manager, customer service manager). Standardize initial reporting via web, app and telephone with identical data models. Introduce video reviews for appropriate segments and establish proactive status updates. Define escalation paths and service levels for major locations. At the same time, set up a location board that integrates internal and external data sources.
3. Data integration & management (12 to 16 weeks, responsibility: IT management, data lead). Consolidate claims, customer, and partner data into a robust, documented data model. Deploy versioned decision logic and rules; set up monitoring for capacity, backlogs, and turnaround times. Connect service providers via API and define load distribution mechanisms. Document data flows and responsibilities in compliance with GDPR.
4. Resilience testing & third party management (10 to 14 weeks, responsibility: CISO, vendor manager). Establish scenario tests for load peaks, cyber disruptions, and provider outages. Plan rolling crisis exercises with decision training. Check contracts for DORA requirements (e.g. exit, audit rights, subcontractors) and supplement reporting processes. Implement key risk indicators for ICT incident management and service provider performance
5. Scaling & Culture (ongoing, responsibility: Executive Board/HR/Communications). Establish governance bodies for data-based decisions. Train managers and teams to make decisions under uncertainty. Establish a structured “Lessons Learned” routine after each situation. Communicate openly with customers, communities, and partners to accelerate prevention and recovery initiatives.
With the completion of phase 5, claims management is scalable, measurable and DORA-compliant. It is crucial to institutionalize governance and learning loops so that improvements don't die out. Anyone who consistently implements this sequence reduces operational volatility, increases customer satisfaction and improves the negotiating position vis-à-vis service providers and reinsurers.
Between claim and reality: realistically assessing digital maturity
Many insurers have introduced portals, apps and initial AI-based preliminary checks. However, the differences are significant. EIOPA shows substantial differences in the level of digitization, both technologically and organizationally [14]. At the same time, feedback from consumer and regulatory authorities shows that digital integration and targeted automation can make claims settlement faster and more user-friendly for many, provided that governance and escalation take effect [6]. This is exactly where the case lies: Isolated projects help in normal operation, but fail in large locations without consistent data models, clean interfaces and practiced decision-making processes.
The following applies to prioritization: First, eliminate media breaks and harmonize channels. Second, standardize decisions and make them transparent so that people and systems act consistently. Third, manage capacities dynamically — both internally and externally. Anyone who implements these three components reduces operational volatility, fulfills DORA properly and strengthens customer loyalty even in extreme situations. On this basis, the question of the next stage of development is raised.
What's coming — and how do you stay ahead?
The climate protection gap is on the political agenda. EIOPA and ECB are proposing EU-wide solutions that strengthen insurability and provide prevention incentives [5]. At the same time, reinsurers and capital markets are professionalizing the coverage of secondary risks; Sigma data shows that such risks are now regularly the biggest loss drivers outside peak years [1] [2]. For primary insurers, this means that coverage concepts, pricing logics and customer communication must reflect the new normal. Parametric components, prevention discounts and clear deductibles can improve sustainability in high-risk regions — flanked by education and cooperation with municipalities and crafts.
In short: Digitalization is not an end in itself. It is a means of creating value in a resilient way. Anyone who consistently aligns investments with business impact, regulations and customer benefits is actively shaping change.
Sources
[1] Swiss Re Institute (2024), „sigma 1/2024: Natural catastrophes in 2023“, accessed on 28.08.2025.
[2] Swiss Re Institute (2025), „sigma 1/2025: Natural catastrophes – insured losses on trend to USD 145 billion in 2025“, accessed on 11.09.2025.
[3] GDV (11.07.2024), „Flutkatastrophe von 2021: 7,5 Milliarden Euro an über 200.000 Versi-cherte ausbezahlt“, accessed on 28.08.2025.
[4] Munich Re (31.07.2024), „Schwergewitter und Überschwemmungen treiben die Naturkatastrophen-Schäden im ersten Halbjahr 2024“, accessed on 05.09.2025.
[5] EIOPA & EZB (18.12.2024), „Towards a European system for natural catastrophe risk management“ (Joint Paper), accessed on 28.08.2025.
[6] EIOPA (15.01.2025), „Consumer Trends Report 2024“, accessed on 28.08.2025.
[7] J.D. Power (19.03.2024), „Customer Satisfaction with Homeowners Insurance Property Claims Declines to 7-Year Low Amid Record Catastrophic Events and Slower-Than-Ever Repair Times, J.D. Power Finds “, accessed on 28.08.2025.
[8] EUR Lex (14.12.2022), Verordnung - 2022/2554 - DE, EUR-Lex, accessed on 28.08.2025.
[9] BaFin (10.01.2025), „Aufhebung und Anpassung von BAIT/KAIT/VAIT/ZAIT im Zuge von DORA (Übersicht)“, accessed on 28.08.2025.
[10] BaFin (19.12.2024): Informationsschreiben an die Verbände der beaufsichtigten Finanzun-ternehmen – Aufhebung der Aufsichtlichen Anforderungen an die IT, accessed on 11.09.2025
[11] Europäisches Parlament und Rat (2016): Verordnung (EU) 2016/679 … (Datenschutz-Grundverordnung) – Artikel 5: Grundsätze für die Verarbeitung personenbezogener Daten (konsolidierte Fassung; CELEX: 32016R0679), accessed on 28.08.2025.
[12] Europäisches Parlament und Rat (2016): Verordnung (EU) 2016/679 … (Datenschutz-Grundverordnung) – Artikel 6: Rechtmäßigkeit der Verarbeitung (konsolidierte Fassung; CELEX: 32016R0679), accessed on 28.08.2025.
[13] Europäisches Parlament und Rat (2016): Verordnung (EU) 2016/679 … (Datenschutz-Grundverordnung) – Artikel 28: Auftragsverarbeiter (konsolidierte Fassung; CELEX: 32016R0679), accessed on 28.08.2025.
[14] EIOPA (30.04.2024), „EIOPA’s Report on the digitalisation of the European insurance sector“, accessed on 28.08.2025.
[15] EIOPA (06.08.2025), „Opinion on Artificial Intelligence governance and risk management“, accessed on 28.08.2025.
[16] „DORA kommt: Änderungen bei den aufsichtlichen Anforderungen an die IT“ (BaFin) – 10.01.2025, accessed on 28.08.2025.
[17] BaFin (20.02.2025), Für wen gelten die BAIT jetzt (seit dem 17.01.2025) noch?, accessed on 28.08.2025.
[18] BaFin (27.01.2025): Wird mit DORA der ISB wie in den VAIT beschrieben noch gefordert?, accessed on 11.09.2025.
Dr. Moritz Liebeknecht
IP Dynamics GmbH
Billstraße 103
D-20539 Hamburg
