What happens if insurance against cyber risks becomes unviable?

Although insurers are innovating furiously to keep cover against attacks affordable, they’re running short of options. The problem is becoming so serious that government intervention may soon be required.

Last year, the average global cost of a successful cyber attack hit a new high of $4.35m (£3.41m), according to IBM’s Cost of a Data Breach Report 2022. That total could include ransom payments, regulatory fines and the loss of data, intellectual property, custom and productivity as the victim struggles to restore its disrupted operations to normal over the ensuing months. 

That’s not the end of the bad news: research aggregator Statista has forecast that the global cost of cybercrime will double within the next four years to $23.8tn. 

Not surprisingly, the cost of insuring a business against this threat has been rocketing too. Insurance broker Marsh has reported that cybercrime premiums leapt by 28% in Q4 2022 and another 11% in the following quarter.

Premiums are rising, but going uninsured isn’t an option

There have even been suggestions that cyber cover is becoming unsustainable. Huntsman Security, for instance, has predicted that the number of firms that will be unable to afford the premiums or be declined insurance (or face significant cover limitations) will double year on year in 2023. And the Federation of European Risk Management Associations (Ferma) warned late last year that cyber insurance was in danger of becoming “an unviable product”.

The federation’s CEO, Typhaine Beaupérin, reports that, “spurred on by a growing understanding of the risk landscape and a spike in claims, the cyber insurance market has experienced a period of significant rate hardening and a narrowing of the scope of cover in recent years, as more stringent conditions and exclusions are applied”.

For most organisations, discontinuing this cover isn’t an option, because such insurance is often a standard requirement in requests for proposals.

Insurers are limiting cover to keep products viable

As a result, insurers are resorting to new methods to keep the boat afloat. Many are trying to keep rates affordable by changing their policies to restrict the types of incidents they will cover. 

Late last year, for instance, Lloyd’s of London announced that it would no longer indemnify firms against losses from nation-state cyber attacks or those taking place during wars. Chubb has proposed a broad hacking exclusion and insurance deductibles for certain large-scale hacks, while Beazley has excluded catastrophic events, making war insurance a separate product.

“Insurance carriers have had to learn quickly and continue to iterate on offerings, coverage and approaches to assess cyber risk and policy language,” says Heidi Shey, principal analyst, security and risk, at Forrester. “We have seen a push for standalone policies with much clearer language about what is and what is not covered. And we have seen the introduction of new war exclusion clauses that specifically address cyber attacks.”

Other insurers are trying to keep their policies affordable by requiring ever-stronger security practices from their clients in return for premium discounts, notes Anthony Cordonnier, MD at risk and reinsurance company Guy Carpenter.

“Given the heightened risk landscape, underwriters are exercising a stronger level of technical acumen than ever before,” he says. “There are higher security hurdles to clear in order to secure cover.” 

As a result, controls such as regular patching and the use of multi-factor authentication are considered “industry table stakes”, Cordonnier adds.

Cyber insurance options for smaller businesses

New deals are emerging for SMEs, with insurers offering them more affordable cover alongside risk monitoring and alerting or cybersecurity-related services. These can include virtual CISO services; incident-response planning and tabletop exercise assistance; security training and awareness resources; risk assessments; and monitoring and managed services.

Paul Handy is global head of cyber risks at Crawford & Company, a specialist in claims management. He reports that “insurance carriers have introduced managed risk solutions for SMEs in which they engage with customers throughout the policy term to manage any potential exposures. We’ve been seeing some innovative solutions, such as defined benefit policies for cyber business interruption, parametric coverage and limited coverage and co-insurance clauses for ransomware risk. These are all new ways of managing overall risk and exposure, making things sustainable from a claims management perspective.”

Also emerging are product-specific partnerships, such as AIG’s CyberMatics model, offered alongside support from security tech providers, and the Cloud Protection + solution that Munich Re and Allianz are marketing to Google Cloud users.

Is public-private cooperation needed?

Despite such innovations, there is widespread concern that the industry’s efforts still won’t be sufficient. This has prompted some governments to consider intervening. The US Treasury, for example, is exploring the idea of a federal insurance response to catastrophic cyber events, possibly on condition that organisations adopt certain minimum security standards.

There have been calls for a similar scheme in Australia, while talks are taking place in the UK between insurers and the government about a possible expansion of the Pool Re terrorism reinsurance scheme. This was introduced in 1993, when insurers stopped offering coverage against acts of terrorism after a string of bombings by the Provisional Irish Republican Army. Insurers are hoping that it could be extended to cover state-sponsored or war-related cyber attacks. 

“Ferma firmly believes that collaboration is needed to address the systemic potential of cyber risk. Businesses and the insurance market cannot be expected to carry the burden alone,” Beaupérin says. “If we’re to manage the scale of threat posed by systemic cyber risk, we need collective action that combines insurer capacity and expertise with public sector funding in the form of public-private partnerships.”

Ferma also favours a concerted international initiative to tackle digital risks that would run along similar lines to the United Nations’ COP climate events. Key issues for discussion could include systemic risk; public-private partnerships and state backstops; and security standards. 

For Beaupérin, the bottom line is that no one – not organisations, not insurers and not governments – can afford for cyber insurance to become unviable. 

“At this critical stage in the growth of the market”, he says, “greater cooperation is central to maintaining a sector that meets the risk needs of both insurers and policy-holders.”