Why might cyber attacks become uninsurable?
With cyber attacks up 38% year on year in 2022, Mario Greco, CEO of Zurich Insurance, told the Financial Times that “cyber attacks, rather than natural catastrophes, will become ‘uninsurable’ as the disruption from hacks continues to grow”. That is a striking claim when you consider that global insured losses from natural disasters exceeded $130 billion USD last year. Yet the potential losses and impacts of cyber attacks continue to grow to a scale that no single insurance company can cover. As Greco puts it: “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Attempted and successful attacks in recent years on major national infrastructure, such as the Colonial Pipeline, the Ukrainian electricity grid, and a water treatment plant in San Francisco, are increasingly making this fear a reality.
Transferring a risk has always been a valid risk management option, and insurance is an attractive one for many businesses given the ever evolving sophistication and methods of attackers; many organisations now accept that a successful attack is a matter of ‘when’, not ‘if’. It is understandable, however, that insurers want to limit their liability. They cover the costs of a cyber attack, yet have little to no control over the security posture of the company they insure. When the likelihood or impact of a risk is low, this makes financial sense; when both likelihood and impact are high, it is an unsustainable position for the insurance industry.
So what next for cyber security insurance?
Two outcomes are likely. The first is that insurers will raise premiums and narrow their policies, or stop offering cyber cover altogether, as Hiscox did in 2020 for nation-state attacks and Lloyd’s did in March 2023. This will severely limit affordable risk transfer options for organisations, leaving liability for a growing risk with the business and its shareholders. The UK Government’s Cyber Security Breaches Survey 2023 found that only just over a third of businesses (37%) and a third of charities (33%) have some form of cyber insurance, and only 7% of businesses and 8% of charities hold a dedicated cyber insurance policy. Most organisations are therefore already exposed to paying the full cost of a breach themselves.
The second is that insurers will require organisations to take preventative steps to reduce their cyber risk as a condition of cover. Car insurance is a useful comparison. Insurers require a number of ‘guarantees’ before they will insure a car or approve a claim, typically including a valid MOT certificate, ongoing vehicle maintenance, and compliance with traffic and highway laws. Could we see a similar regime mandated for cyber security? After all, what is an MOT but an annual audit, and continued maintenance but another form of vulnerability management? The equivalent of a driving licence could even be found in professional qualifications or executive accountability. The UK Cyber Essentials certification already offers a form of this conditional cover: organisations that meet certain criteria receive free cyber insurance as part of their certification, to help cover the costs of a successful attack.
Cyber criminals do not care where the money comes from. Whether the company pays out of pocket, draws on its reserves, or claims on insurance, it is ultimately the company that loses out. Whether you are concerned that you will be unable to transfer your cyber risk to an insurer, or your insurer is already attaching conditions to your cover, you may need to seriously consider raising your level of security.