[Head Scratcher] The cyber insurance market is badly broken. But why exactly?
Greg Noone at the Techmonitor site covered this problem in early October 2022, starting with a horror story.
A company had taken cyber coverage for the past year with no claims, but during a routine scan a software vulnerability was discovered. They did not fix it in time. A new policy was proposed that would not cover ransomware. They signed it. Guess what happened a week after? Right. Here is a short extract and further below a link to the site.
“I would be disingenuous if I told you that ransomware wasn’t a key factor in some of the headwinds that we’ve seen in the market with regards to pricing,” explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re.
The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyd’s of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware. Its reasoning, according to the firm’s underwriting director Tony Chaudhry, was that policies shouldn’t “expose the market to systemic risks that syndicates could struggle to manage”.
Cyber insurance does not have a long history. The market itself, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size.
“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?’” says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a “less stable market… and also just a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”
Ongoing volatility is making reinsurers nervous
Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they “have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients”, he says. Resilience’s answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimise their vulnerability to breaches as far as is humanly possible.
The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defence: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff. This is the link to the full article. Warmly recommended.
As Cyber Insurance Dries Up, Treasury Department Eyes a Backstop
Bloomberg Law covered the same topic from another interesting angle: “A US Treasury Department request for public input on a potential federal cyber insurance program highlights a coverage gap for US companies as insurers reduce offerings.
The regulator is seeking public comment until Nov. 14 on whether the government needs to shore up the insurance industry to pay for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.
Cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks. Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.
The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.
Cyber insurers have seen losses jump 300% from 2018 to 2021, according to Fitch Ratings. Insurers, including Lloyd’s of London, Chubb Ltd., and Beazley PLC are racing to cut coverage for catastrophic cyberattacks that can paralyze multiple industries at once.
Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP. “A cyber insurer can write policies with comfort knowing it can transfer some risk to the government, so it can offer bigger policy limits for businesses,” Moss said. Link to full Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/as-cyber-insurance-dries-up-treasury-department-eyes-a-backstop?