To cope with increasingly costly pay-outs, providers are redefining the terms of cyber insurance to reduce their exposure. The implications could spell myriad changes for the cyber security industry. Whatever the outcome, it’s time for organisations to re-evaluate whether their policy will cover them against the attacks they are most susceptible to.
TL:DR
JUMPSEC explores the current state of cyber insurance, and whether its potentially diminished role presents a problem or an opportunity for organisations looking to reduce their cyber risk exposure.
- Cyber insurance loss ratios are now consistently above 60%, presenting an existential threat to the insurance industry and making cyber risk unprofitable to the extent that it may become uninsurable.
- Cyber insurance premiums have risen by over 94% from 2019 to 2022, in large part due to the rise of ransomware over that period. While cyber-insurance appears to be growing sustainably, this is predominantly due to premium costs, not increased take-up rates or expanded coverage.
- The Merck and Mondelez insurance settlements of $1.4b and up to $100m (stemming from the Russian NotPetya attacks in 2017) have prompted insurers to tighten terminology on ‘state actor’ attacks to further limit their risk exposure, whilst simultaneously raising premiums.
- Less than 1% of UK organisations have claimed on their cyber-insurance policy. Faced with inflated premiums, increasingly demanding compliance requirements, and doubts surrounding the payment of legitimate claims, organisations are now forced to reconsider the value of cyber insurance.
Making the market
AIG first took cyber insurance to market in 1997 in a bid to gain market share despite any actuarial data to inform policies or premiums – making it completely unknown territory. Whilst more established today, cyber insurance is still a highly unpredictable landscape compared to other forms of insurance cover.
Before 2016/17 cyber insurance was still an emerging market and was generally seen as an optional add on for organisations with heightened IT security risks, with less legal ramifications for data breaches (i.e. GDPR requirements) and far less knowledge or awareness of cyber threats generally.
Taking Lloyds (the world’s largest insurance marketplace) as an example, the UK-based insurer referred to cyber in its pre-2016 annual report as a “newer or less well understood sector”, mentioned in the same breath as “nuclear, chemical, biological and radiological (NCBR) threats” at that time. The cyber market was predominantly mentioned as part of its plans for “thought leadership” and “innovation”, with Lloyds noting that “many insured [were] first-time buyers”.
However, the cost and frequency of cyber-attacks have risen enormously over the past five years.
- 2016-17: Total attack figures rose as did the notoriety and scale of incidents with the emergence of notorious malware such as WannaCry and NotPetya, and a number of high-profile private sector companies falling victim such as Uber and Equifax.
- 2018: The introduction of new GDPR laws and additional high-profile cases (i.e. British Airways, Facebook, Marriott) further increased demand for cyber insurance, expanding the market.
- 2020: The rise of ransomware marked a significant year for the cyber insurance industry with an unprecedented attack rate (i.e. Travelex, Orange, Toll Group). The reputation cyber insurance had acquired for being “more profitable for insurers than other lines of insurance,” came to an end, as insurers’ average loss ratio reached a record high of 66.9%.
In 2022, FinCEN (the US financial crimes agency) reported the cost of ransomware alone increased from $416 million in 2020 to reach almost $1.2 billion in 2021, putting significant pressure on cyber-insurers’ profitability and increasing their loss ratios (currently as much as 66.4%).
While the global cyber-insurance market is still anticipated to grow from $12bn worth of annual premiums to $60bn in the next five to ten years according to Lloyds, much of that growth has primarily been due to premium rate increases, rather than increased take-up rates or the broadening of coverage, according to MIT’s Josephine Wolff.
The future of the cyber insurance market is impossible to precisely predict. The insurance industry wants to send a clear message that the market is beginning to stabilise as it continues to grow. Others are announcing the industry’s dramatic decline or ‘imminent death’ of cyber insurance as we know it (i.e. Forbes). And it isn’t simply the media catastrophising. The CEO of Zurich, Mario Greco, recently stated “what will become uninsurable is going to be cyber” – citing threats to critical infrastructure that can fundamentally disrupt wider society as his primary concern.
How is cyber insurance changing?
Two landmark cyber insurance cases were resolved in 2022: Merck & Co and the recently resolved Mondelez vs Zurich dispute. Both disputes trace back to the 2017 NotPetya malware attack, which was attributed to Russia’s military intelligence agency and deployed as part of the conflict with Ukraine. The former resulted in a $1.4b win for Merck, whilst the Mondelez case was settled behind closed doors – potentially suggesting a less favourable outcome which fell short of Mondelez’s demands.
Both cases were founded on the contention of an ‘act of war’ clause. Merck’s policy for example did not cover ‘hostile or war-like action’, but the court agreed with Merck’s defence that this exclusion only applies to actions which explicitly “involves the use of armed forces” as part of a recognised conflict.
Some welcomed these outcomes as a win for policyholders; the reality is that insurance companies are raising premiums and tightening terminology to cover their costs in the coming years. AIG has reported a more than 40% rise in cyber premiums, adding that like Lloyds, the insurer is “obtaining tighter terms and conditions to address increasing cyber loss trends”.
In a key bulletin to underwriters in August 2022, Tony Chaudhry, Underwriting Director at Lloyds, addressed the size and scale of the risks posed by cyber-attacks to the insurance industry, specifically at the “state actor” level, warning that “losses have the potential to greatly exceed what the insurance market is able to absorb”. Chaudhry also reiterated numerous times the need for more “robust” language around clauses in their policies “to exclude cyber-attack exposure arising both from war and non-war state-backed cyber-attacks”, in order to reduce their exposure. These clarifications indicate the continued desire of insurers to dispute similar claims in future.
Even if organisations manage to afford increasingly expensive cyber premiums, the process of actually claiming compensation has been proven to drag on for years (over 5 years for both the Mondelez and Merck cases mentioned above).
In addition, companies are required to deploy an ever-increasing set of security controls in a changing regulatory landscape to qualify for cover in light of increasingly rigorous compliance checks, with:
- Stricter demands from banks and financial regulators
- Updated cybersecurity frameworks (i.e. NIST’s framework revisions)
- New guidance from the Information Commissioner’s Office (ICO)
Specifically, insurers are requiring greater detail on how organisations monitor and manage their day-to-day cyber security operations, including minimum standards for multi-factor authentication (MFA) and endpoint detection and response (EDR). Auditors Grant Thornton outlined that higher-level evidence of staff training, vulnerability scans and monitoring system logs will be ongoing requirements.
Between such geopolitical ambiguity, soaring premiums, and compliance challenges, organisations can no longer rely on insurance as the primary method of managing their cyber risk exposure.
Rethinking cyber-insurance
Zero coverage may be daunting. But the removal of the perceived safety net that insurance provides may be exactly what organisations need – a wake-up call to make their business more secure. Not by checking compliance boxes to satisfy insurers, or relying on minimum standard annual testing, but by implementing controls that will make their organisation more resilient to attack.
This isn’t to say that cyber insurance is a waste of money with those who have the means and resources to fund it as an added layer of risk mitigation. However, many organisations are now reconsidering the role of cyber insurance and whether to renew their policy in 2023 and beyond.
Cyber insurance is not the norm for the majority of UK organisations. The UK government Cyber Security Breaches Survey 2022 revealed that only 43% of UK businesses have an insurance policy which covers cyber risks. Further, the fact that less than 1% of organisations have made a claim is evidence that the diminished role of cyber insurance may not be as impactful as some might speculate.
Advice for security teams
As many organisations opt not to renew their cyber insurance policy for 2023 it is vital that they reinvest in their cyber defence capabilities, ensuring that the potential impact of a breach can be minimised. Organisations should assume that compromise is inevitable – and plan accordingly.
Even the most stringent cyber-insurance compliance requirements are still relatively basic. Regardless of how the cyber insurance market may change, organisations must ensure they are confident in their ability to prevent, detect, respond, and recover from cyber attacks by looking beyond compliance.
As a minimum, all organisations must first be confident that:
- Backups have been tested to ensure that recovery is possible and practical.
- The ‘blast radius’ has been minimised in the event of a compromise through effective identity and access management, and network segmentation.
- A well-established recovery plan has been designed and tested against specific incident scenarios, and contingencies for critical business functions are in place to ensure operational resilience.
Beyond these foundational controls, threat-led testing approaches enable organisations to move beyond a compliance-driven approach to:
- Accurately assess which business processes, digital systems, technologies and people are most likely to be targeted by an attacker, and how they are most likely to be abused.
- Evaluate the likelihood of certain attacks (based on specific threats the organisation faces) against the impact of compromise and identify the highest risk scenarios possible.
- Implement tailored and targeted prevention, detection, and response controls to mitigate the likelihood of a systemic compromise occurring, ensuring business continuity, and accelerating the restoration of normal operational levels.
Just as insurance companies are urging their subsidiaries to be extremely careful with the wording of their policies, organisations continuing to subscribe to cyber insurance need to provide clarity. Organisations with cyber insurance should review their policy, and perhaps schedule a frank conversation with their broker about when their organisation is covered, and when it is not.
Sean Moran
Sean is a researcher and writer with a keen interest in geopolitics and its impact on the cyber security industry.