Companies will need to reassess their cyber insurance premiums after major insurers have adopted exceptions for catastrophic cyber attacks by “state-backed” actors.
This limits the risks companies can offset with cyber insurance and, security and risk experts tell Dark Reading, could make the policies not worth buying.
In the latest restriction on cyber policies, the insurance market Lloyd’s of London issued a notice on August 16 to its member syndicates, asking them to exclude coverage for state-backed cyber attacks. The Lloyd’s market bulletin stated that the motivation behind the additional restriction was to protect insurers and their insureds from catastrophic losses, and to help manage systemic risks that could overwhelm insurers.
Is cyber insurance still worth it?
While the position of insurers is understandable, companies — which have already seen a huge rise in premiums over the past three years — must be wondering whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber risk analytics company.
“Insurance operates on trust, [so answer the question,] ‘Will the insurance policy make me whole when something bad happens?’” he says. “Today, the answer might be ‘I don’t know.’ When customers lose trust, everyone loses, including insurance companies.”
The cyber insurance industry has seen profits plummet over the past decade, with losses jumping from 35% of premium revenue five years ago to 72% in 2020. To adjust, insurers have raised the cost of policies dramatically — by 74% in 2021, after a 22% rise in 2020, according to Fitch Ratings.
However, insurers have also focused on limiting their liability. In 2021, the global insurer AXA decided to stop covering ransom payments to cybercriminals. Over the past two years, insurers have added act-of-war exclusions to their policies.
In the market bulletin (PDF), Lloyd’s argued that the threat posed by cyber attacks continues to evolve and that its members need to adapt to the threats posed by large or widely distributed attacks. While war risks are already commonly excluded, Lloyd’s requires that syndicates go further and ensure that certain policies contain an “appropriate clause that excludes liability for losses arising from any state-backed cyber attack”.
“If not managed properly, it potentially exposes the market to systemic risks that syndicates may struggle to manage,” the insurance market stated. “In particular, the ability of adversaries to easily deploy an attack, the ability to spread malicious code, and the critical dependence of societies on IT infrastructure, including the operation of physical assets, means that losses can greatly exceed what the insurance market can absorb.”
These decisions come after pharmaceutical company Merck won a lawsuit against its insurers, which had refused to pay $1.4 billion in business losses from the 2017 NotPetya crypto-ransomware attack. The judge in the case ruled that the policies’ act-of-war exclusion did not apply, because the purpose of the clause is to exclude losses during armed conflict only.
Regardless, the policy changes were not well thought through, some argue.
“Signals point to continued breaches and hacking, leading to a lengthening of the claims process and more lawsuits,” Goyal says. “Unless the industry can collectively reform the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizations’ risks – one size does not fit all – there is no end to the cyber challenges and mistrust.”
Too broad an exclusion
The main problem is that the term “state-backed cyber attack” can be a very broad exclusion, and if misused by the insurance industry, it will undermine the usefulness of cyber insurance, experts say.
Attributing an attack to a nation-state is very difficult, says James Turgal, vice president of cyber risk and strategy at Optiv, a cybersecurity consultancy.
“Even if a computer involved in the attacks was traced back to an IP address located at an Iranian or North Korean military base, this does not necessarily mean that it was an attack that was carried out with the knowledge or direction of government authorities,” he says. “It could have been hacked by hackers in other countries [as a false-flag attempt].”
Currently, nearly two-thirds of companies – 64% – suspect they have either been directly targeted or affected by a nation-state attack, says Kevin Bocek, Venafi’s vice president of security strategy and threat intelligence. Many of the main sources of cyber-attacks against North American, European and Asian companies are cybercriminal groups that are in some way connected to China, Iran, North Korea or Russia. Whether this association will equate to being “state-backed” is an open question.
“Obviously these companies will be concerned about whether insurance companies will consider most attacks to be sponsored by a nation-state,” he says. “As a result, we expect most companies who are serious about security to redouble their efforts to protect themselves from hackers in the first place.”
Insurers will have to establish clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider when determining whether an attack is state-backed, he says.
It’s time to strengthen cyber defenses
In fact, the exclusion will likely lead to fewer companies relying on cyber insurance as a way to mitigate catastrophic risks. Instead, companies need to ensure that their cybersecurity controls and measures can mitigate the cost of a catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security company.
Creating resilient data backups, expanding visibility into network events, retaining a trusted digital forensics firm, and training all employees in cybersecurity can help harden businesses against cyberattacks and reduce the damage.
“Organizations cannot rely solely on their own cyber insurance policy and must proactively protect themselves from these catastrophic cyber attacks,” Lindner says.
Companies also should not expect insurers to reverse course. Their approach is just a continuation of the industry’s reactive approach to cyber insurance, says Goyal of Safe Security. Insurers have increased premiums, set sub-limits on ransomware, and now have embraced arguably overbroad exclusions that may only delay payments and increase lawsuits when insurers refuse to pay out on a large policy.