In 5 years, the number of insurances claims have raised by a factor of 10, and the overall payment was 3 times higher than the initial claim because companies were unable to evaluate the actual losses.
In recent years and considering the rising ransomware threats, many companies have purchased cyber insurance coverage. Cyber insurance was the new trend and many large insurance firms such as Lloyds of London, Munich Re and Allianz of Munich have developed new cyber insurance products. However, things are not as bright. In 5 years, the number of insurances claims have raised by a factor of 10, and the overall payment was 3 times higher than the initial claim because companies were unable to evaluate the actual losses.
Marsh, a large reinsurer firm, has stated that the frequency and severity of claims reported by its clients were persistently high in the past few quarters. Healthcare firms were among the most targeted in 2021, and along with communications, media, and technology companies made up almost a third of total claims.
Limiting the Cyber Insurance Cover
Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd’s of London continue to add restrictions, including excluding losses related to state-backed cyberattacks.
In a bulletin published recently by Lloyds, they state that the risk posed by cyberattacks continues to evolve also considering the war in Ukraine. They are now asking cyber insurance underwriters to be careful with what they commit to and “… we have consistently emphasized that underwriters need to be clear in their wordings as to the cover they are providing.” And that “[recent] exposure to cyber-attack losses has been an area of market focus in circumstances where the losses arise from attacks sponsored by sovereign states… [and that insurance underwriters] need to take account of the possibility that state backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers.”[1]
Practically insurance companies have begun limiting and exclude coverage for State sponsored cyberattacks. This is mainly to protect the insurance market from huge loses. As a result, companies will need to reevaluate their cyber risks and invest more in their cybersecurity risk management and cyber defense measures. They should also consider the question if cyber insurance is still worth it? To make sure that they are covered if a major cyberattack hits them.
Putting More Security Requirements
Regardless of the limitations of cyber insurance coverage and the raise of premiums, the insurance companies, are pushing for more cyber measures before they consider underwriting of an insurance policy. Insurance brokers and underwriters are now requiring various cyber risk assessments such as non-intrusive (and sometimes even intrusive) penetration tests, non-intrusive and self-cyber risk assessments of defense tools conducted by the insurance applicants. As a result, the insurance companies demand a series of mitigations and cyber defense tools to be in place before they continue the insurance process. Therefore, companies should develop new cyber security standards and requirements.
Time to Enhance Cyber Defense
As we see now, less companies relay on cyber insurance, as they understand that it will not replace the defense tools they need to put in place. Companies need now to improve their cybersecurity measures to mitigate the costs of ransomware attacks or any other cyber incidents. Basic measures must be in place: Backup data with a well-defined proven backup strategy, install best practice protection software on all end devices, regularly upgrade the operating system and software, develop, and maintain cyber-attack awareness program, and put in place crisis management practices and teams.
Conclusion
Companies should not expect that the insurance sector will go back to where it was 5 years ago when almost no defense requirement where needed, and insurance companies paid millions, no questions asked. Insurance firms have increased premium costs and are now requiring more and more defense investment. Now companies must consider their risks in a more holistic way to avoid delayed insurance payments and lawsuits when incurrence companies avoid paying when a severe ransomware attack happens. In the meantime States should adopt laws and measures that restrict companies from paying ransom demands.
[1] https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf