Cyber insurance: once cheap ‘optional cover’ now the holy grail of insurance

With cyber crime surging globally, the insurance sector is racing to limit exposure.

Here, Demetrio Zema, Founder & Director – Law Squared, shares his thoughts on why the insurance industry is grappling to address the issue, and how getting on top of data handling practices is the first step for executives looking to manage their risk.

Law Squared Founder & Director, Demetrio Zema, warns spiralling cyber losses are making cyber insurance more difficult and costly to obtain.

Just last week I was reminiscing with a General Counsel of a global underwriting agency about how, just 10 years ago, cyber insurance was an optional, nice-to-have cover that was very much a hard sell for clients to buy into.

Fast forward a decade, cyber insurance is extremely difficult (and expensive) to obtain, and as cyber risk continues to rise, it really will become the holy grail of insurance policies.

It was therefore interesting (although not unsurprising) to read the recent comments made by Zurich Insurance's CEO, Mario Greco, to the Financial Times, in which Greco warned that cyber attacks will become “uninsurable” as the disruption from hacks continues to grow and said that focusing on the privacy risk to individuals was missing the bigger picture. He said: “What will become uninsurable is going to be cyber… What if someone takes control of vital parts of our infrastructure, the consequences of that?”

Insurers seek to limit exposure

Recent attacks have disrupted hospitals, shut down pipelines, and targeted government departments, feeding executive concern about this expanding risk. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses.

There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled.

In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks. But the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught, and cyber experts have warned that rising prices and bigger exceptions could put people off buying any protection.

Greco said there was a limit to how much the private sector can absorb, in terms of underwriting all the losses coming from cyber attacks. He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks”.

In September, the US government called for views on whether a federal insurance response to cyber was warranted, which could be part of, or outside, its current public-private insurance program for acts of terrorism. A report from the US Government Accountability Office in June highlighted the potential of cyber incidents to “spill over” to other linked firms. It said examples such as the Colonial Pipeline hack, which created temporary gasoline shortages in the south-east US, demonstrated “the possibility that a single cyber incident could ripple across critical infrastructure with catastrophic consequences”.

Local cyberattacks highlight risk to Australian businesses

We’re yet to see similar attacks or a ‘call to arms’ in Australia; however, the 2022 Optus and Medibank data breaches have certainly accelerated the government’s positioning on privacy and data protection.

Cyberattacks are an ever-growing concern for insurers and clients, and it is becoming increasingly important for both parties to be aware of the risks and the importance of having insurance to protect against them. The industry is still trying to find ways to address the issue, with some insurers opting to limit their exposure by pushing up prices and tweaking policies so clients retain more losses. Whilst governments may also have to play a role in creating private-public schemes to handle systemic cyber risks that can’t be quantified, companies handling personal and sensitive data must take active steps to have gold-standard systems and processes to protect their client/customer data from the hands of cyber criminals.

Ensuring regulatory compliance is first step for risk mitigation

At Law Squared, we understand the importance of mitigating cyber risk and the potential consequences of a cyberattack. That is why we offer our expertise in assisting insurers (and their clients), and/or companies who are unable to obtain cyber insurance coverage.

Our team can assist in ensuring compliance with laws and regulations surrounding the handling of client and customer data. We can also provide best practice guidance for protecting against cyber threats and navigating the aftermath of an attack.

If lack of insurance coverage has left you vulnerable, we can help you navigate the ever-evolving landscape of cyber security.

Reach out to our Commercial Team to learn more about our services and how we can help protect your business.
