IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Are Cyber Attacks at Risk of Becoming 'Uninsurable'?

There are dark clouds on the horizon as well as conflicting forecasts regarding cyber insurance in 2023 and beyond. Where will the insurance market go from here on cybersecurity coverage?

padlock icons overlaid on a
Shutterstock/VideoFlow
Back near the end of December 2022, Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber attacks are set to become "uninsurable."

As you might expect, these comments have set off global alarm bells.

First, what did the Zurich Insurance Group CEO say?

Greco’s comments to the Financial Times were widely reported all over the world. Here is an excerpt of that article:

“The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become 'uninsurable' as the disruption from hacks continues to grow. …

“Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn.

“But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. ‘What will become uninsurable is going to be cyber,' he said. 'What if someone takes control of vital parts of our infrastructure, the consequences of that?’”

CYBER INSURANCE CHALLENGES — COMMENTARY ABOUNDS


Shortly after I posted this article on LinkedIn, a firestorm of comments began. Here is a small sample of the hundreds of comments received:

From Gerry Kennedy, CEO Observatory Strategic Management: “The country of Japan’s LNG supply is in jeopardy due to the 'Supply Chain Problem of Insurance.' Yes, as we predicted the availability of the 'Flow of the Effluent of Insurance' will affect the global economy. Making reckless statements by the Zurich chief has already had repercussions. Please have your readers understand that the ubiquitous nature of 'cyber events' colliding with geopolitical risk has made the perfect storm we called the cyber hurricane years ago. Here is an eye-opening example of what insurance does for the world and why it too needs basic architectural repairs.

“We have 'CVE patches' too; they are called endorsements like the War Exclusions! Whether it be coding/programming or insurance policy wording, 'patches' are proof of basic design flaws.”

From Maureen Niemiec, Chief of Staff, Office of the CISO Kontoor Brands, Inc.: “What has occurred is that the premiums were not in line with the risks. What I see happening are more limits of liability and clauses to ensure due diligence was performed. I also see them moving to a reinsurance model to share the exposure, similar to hurricane and other natural disaster insurance. Many companies may individually find themselves subject to a premium they are unwilling to pay. Some insurers will exit the market similar to when long-term health-care policies were not profitable, but then new companies will jump in. The days when $50,000 of insurance will buy you $100,000 of coverage are most likely limited.”

From Taiye Lambo, Founder and Chief Technology Officer CloudeAssurance, Inc.: “If the FDIC can provide insurance to protect our funds deposited in banks up to a certain limit, then I see no reason why we should not at least consider the idea of a federal cyber insurance to protect our data being 'deposited' in companies, however the risks have become more than just protecting data, but our way of life — civilization.”

From Andy Jenkinson, Group CEO CIP, Fellow Cyber Theory Institute and Member of the International Advisory Council Human Health Education and Research Foundation: “Finally ... Would you provide a policy to a drunken, drug-taking driver in a 750 bhp Pagani? Of course not, but insurers have been — and are — insuring uninsurable exposed, vulnerable and insecure companies playing digital whack-a-mole for years. Insurers have actually fueled losses and costs driving the market northward.”

There are hundreds of other comments on my LinkedIn post that are all over the map, but, needless to say, there are many different opinions on the future of cyber insurance. The over-riding opinion is that major reforms are coming — but cyber insurance is not going away.

And just as the CEO of one of the world’s largest insurers says cyber insurance may be going away (or that organizations are uninsurable), this report comes out from the Insurance Times (U.K.): Cyber insurance set to be one of the biggest property and casualty lines.

FEDERAL SPENDING BILL DIRECTS CISA TO REPORT BACK ON CYBER INSURANCE


Meanwhile, on Dec. 30, The Record ran this story: “Cyber highlights in the $1.7 trillion government spending bill.” Here’s a notable excerpt:

“President Joe Biden on Thursday signed a $1.7 trillion federal spending bill that includes a significant funding increase for the Cybersecurity and Infrastructure Security Agency (CISA). …

“The bill allocates more than $1.7 billion for cybersecurity efforts, including the 'protection of civilian federal networks that also benefit' state, local, tribal and territorial government networks. It also grants CISA $46 million for 'threat hunting and response capabilities' across those systems.

“Lawmakers also want CISA to report back in 90 days about the feasibility of a public-private 'cyber insurance and data analysis' working group and establishing an accreditation program for third-party cybersecurity providers that work with federal agencies, critical infrastructure operators and state and local governments.”

To add some more background to this topic, CISA already offers this web portal on cyber insurance which provides a number of reports and recommendations on cyber insurance. Watch this space in 2023, as much more will be coming on this topic when CISA reports back to the White House and Congress regarding their cyber insurance strategies.

VIDEO PRIMER: CYBERSECURITY INSURANCE EXPLAINED


For those who want to learn more on cyber insurance and how it works, I like this YouTube video posted by Valiant Technology that brings in industry experts to discuss details:

FINAL THOUGHTS


Back in March of last year, I wrote this piece on the cyber insurance market, which provides many resources and additional background to examine.

No doubt, there will be many more developments on cyber insurance in 2023. I plan to write another post in the summer that updates where state and local governments are going with cyber insurance.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.