March 28, 2023

The growth of ransomware and cyberwar have highlighted possible fault lines in current cyberinsurance.

Cyberinsurance has been much debated over the last eighteen months because of a self-inflicted double whammy. Firstly, it failed to recognize the speed and extent at which ransomware and ransomware costs would grow, and was rapidly forced to increase premiums, demand basic preconditions, and increase refusals. Secondly, it failed to understand the current legal and practical differences between war and cyberwar, and has been forced to introduce new and specific cyberwar exclusion clauses.

The basic cause is simple: insurance and insurance premiums are primarily based on historical facts — that is, experiences learned in the past. This is not a viable approach for cybersecurity. Cybersecurity is the only insurance area where the cause of loss is a moving target based on the continually changing tactics of very intelligent adversaries — what has happened in the past is not a reliable scientific predictor of what will happen in the future.

Because of this fundamental difference between cyberinsurance and, for example, life, motor, property and other basic insurances, many commentators have begun to question the viability of cyberinsurance as a long-term risk transfer option for risk management.

SecurityWeek decided to give the cyberinsurance industry the opportunity to comment on these industry concerns, and spoke to Chris Storer, head of the cyber center of excellence at reinsurance giant Munich Re, for the cyber insurers’ view of cyberinsurance.

Storer accepts that cyberinsurance got its sums wrong, particularly over ransomware. In one sense, this is understandable: cyber is perhaps the only reactive area being insured. Elsewhere, while the cost of damage might increase, the cause of damage usually changes very little. A car crash is a car crash; a flood is a flood – but cyber damage is continually evolving and changing with whatever intelligent adversaries can think of next.

Chris Storer, head of the cyber center of excellence at Munich Re

But he refutes the idea that insurance is simply seeking to increase profit at the expense of the insured. Insurers, he says, are seeking to make the cyberinsurance industry sustainable – and that once this level has been found, cyberinsurance will be as mutually beneficial as motor, life, and property insurance.

The key to this is eliminating the bugbear of all insurance – unmanageable systemic risk.

“A systemic risk,” said Storer, “is an issue that not only impacts a single risk, but can actually impact a significant proportion of a portfolio.” Systemic risks are not necessarily unmanageable but can have the potential to become so. “The loss potential from an unmanageable systemic risk could be so huge that it would not merely impact the solvency of a company like Munich Re, but could put into question the entire insurance industry.” That, he contends, would benefit nobody.

War exclusion and systemic risk

The cyberinsurance industry learned the potential for systemic risk in cyber the hard way – through NotPetya. War has always been an exclusion in property insurance – the problem was that cyberwar was not excluded in cyberinsurance. The spread of NotPetya made it systemic, but manageable.

Companies that claimed for NotPetya-related loss under a cyberinsurance policy were paid; but companies without cyberinsurance that claimed under the ‘all-risks’ element of property insurance were refused. The insureds’ view was that ‘all-risks’ includes all risks that are not specifically excluded, while the insurers’ view was that NotPetya came within the purview of the war exclusion clause. It comes down to a definition of ‘cyberwar’ and whether it is an aspect of actual war — a question that has bedeviled cybersecurity and international relations for many years.

Unsurprisingly, this question went to the law courts. Here, the TLDR is simple – the courts instructed the insurance companies that they could not rely upon property war exclusions to exclude cyberwar claims – and any attempt to exclude the effect of cyberwar would require specific cyber exclusion clauses.

It is this that led Lloyds of London to announce, in August 2022, that, in the future, its insurers would need to include one of four supplied cyberwar exclusion clauses in future cyberinsurance policies. This in turn led to a common perception among insureds that cyberinsurance companies were attempting to eliminate claim payouts.

Storer doesn’t accept this interpretation. “I think it is very important to understand these exclusions are simply intended to be a clarification in terms of what should and should not be covered within cyberinsurance. It was never the market’s intention to cover anything resulting from the acts of war.”

Within this clarification, the insurers’ purpose is to avoid the potential for systemic risk (which the industry is discovering to be potentially rife within cybersecurity) becoming unmanageable systemic risk threatening the entire insurance industry.

Of course, the war exclusion clauses applied to cyberinsurance are merely a step in the right direction rather than a solution. There is, for example, no clear-cut definition of what is and what is not ‘cyberwar’ – only opinions.

“The Lloyds Market Association (LMA) has a proposal to define this,” said Storer, “defining it in terms of its impact. An act of cyberwar would need to have a significant detrimental damage to an attacked state for it to qualify under war exclusion. It goes far beyond the actions of an ordinary threat actor who might be looking to monetize data, really going in the direction of pure destruction.”

He pointed out that most of the damage done by NotPetya was collateral damage in nations that were not under attack. The implication is that companies with cyberinsurance – even those with specific cyberwar exclusions – would still have been paid for NotPetya claims. 

Storer’s argument is that the insurance industry is not trying to avoid its liabilities with new war exclusion clauses, but to provide a clear definition of those liabilities that everyone understands. This reduces the systemic risk inherent in cyberinsurance while trying to avoid unmanageable systemic risk. Its purpose is to provide stability and continuance for cyberinsurance.

Understanding cyber risk

Part of the drive to reduce systemic risk in cyberinsurance sees an expansion of the role of the insurance companies from risk transfer into risk mitigation. This is not unique to cyber – for example, insurance pressure has led to several safety improvements in the motor vehicle. The argument is simple – if insurers can improve risk mitigation in the insureds, there is less likelihood of systemic risk payouts arising.

All cyberinsurance companies understand this, and have been increasing their in-house knowledge of cybersecurity dramatically over the last few years. The result so far is primarily one of advice – cyberinsurance can offer insureds advice on how to improve their security posture. The carrot could be reduced premiums; the stick could be a refusal to offer insurance. 

Storer doesn’t see this as interfering in a company’s security approach, but rather as a win-win for both sides. Companies that refuse to meet the insurer’s recommendations can be offered higher premiums or even refused cover, and the loss risk to the insurer is reduced or removed. But companies that follow the advice will have better security and less expensive insurance.

This raises what seems to be an obvious question: will the insurance industry go the route of the payment card industry (PCI)? The PCI developed a security standard (PCI DSS) that firms must meet before being allowed to accept online card payments. Will insurance develop its own standard that applicants must meet before being offered cyberinsurance?

Storer recognizes advantages to such an approach, but didn’t provide a clear yes or no answer. “Resiliency is a huge topic in the industry,” he said. “How can we as an industry collectively increase the minimum standard of risks? There has been much more focus on risk selection and what is required of clients to really receive insurance cover. So, certainly, this has happened to some extent, but to have requirements more far reaching and standardized would need the support of the government.”

In the meantime, insurance is likely to increase its partnerships with technology firms, which may even result in the acquisition of specialist cybersecurity vendors. “It could be possible,” he said. “We’ve certainly seen many partnerships already. I could draw your attention to the arrangement of Munich Re and Allianz with Google Cloud announced in March 2021.” Here a specialized insurance package is tied into the security evaluation provided by Google Cloud Risk Manager.

“We offer a unique insurance policy to Google Cloud customers directly tied to the use of Google’s Risk Manager. I’m certain we’ll see more partnerships and more collaborations like that – and even probably, an extension of those business models. So, maybe in future cyberinsurance could become a sort of tech-led proposition with risk transfer sat behind.”

One of the problems for cyberinsurance is that insurance learns from past experience. It doesn’t know how to insure what it’s never seen. This doesn’t fit well with cybersecurity – while existing threats continue, the really big and potentially systemic events are always new and unforeseen.

“Insurance generally has a rear-view mirror,” admitted Storer. “But we must learn to see cyber through different lenses. The ability to see what is ahead of us is very important.”

Liaising with governments

One area worth considering is the possibility of cyberinsurance becoming a compulsory legal requirement, in the same way as auto insurance, workers’ compensation and professional liability insurance are all compulsory. SecurityWeek asked Storer if the insurance industry is lobbying government to make cyberinsurance compulsory.

“No. No we are not,” he replied. “We have a list of topics that we are discussing with governments – such as insurance pools and governmental backstops – but compulsory cyberinsurance is not a topic that has been actively discussed.” 

An insurance pool is formed when several insurers band together because a financial risk is too high, or even catastrophic, for a single insurer’s financial viability. By combining resources, an unmanageable systemic risk can be reduced to a manageable systemic risk — it’s the insurance industry’s own form of risk management.

“A governmental backstop,” explained Storer, “is essentially a guarantee by governments that they would step in as the capacity of last resort in the case of a truly catastrophic unmanageable systemic risk.”

He gave a pandemic as an example. “It will be no surprise that there have been many discussions around pandemics and the ability of the insurance industry to truly digest losses resulting from a pandemic situation. We’re exploring similar effects in cyber, which includes examining cyberwar, major infrastructure outages, a total and extended cloud outage, and similar scenarios. It’s in the industry’s interest to cover as much of such events as possible, but there are some scenarios where we feel there’s a joint interest in having some sort of public/private partnership as a last resort.”

Cyberinsurance is not ready to be made compulsory. Basically, neither is the cyberinsurance industry sufficiently stable, nor are the risks sufficiently understood, for it to be considered as a compulsory form of risk management.

Storer’s position over current concerns about cyberinsurance is that – without being patronizing – critics do not fully understand the role of insurance. Where it works, it is an important and valuable option within risk management.

He accepts that the industry is still learning about cyber – and is still in the process of finding the necessary level playing field where the insurer and the insureds can have confidence. His standpoint is that the insurance is not on a money grab to increase profits, but is rather in the process of finding stability for the mutual benefit of everyone.

But there is one final question to ask. Cyberinsurance has been described as a ‘gap filler’. Storer accepts this. “Cyberinsurance evolved from an innovation platform within Munich Re. This unit was dedicated to coming up with new solutions for emerging exposures that sort of fell between traditional products.”

A cynic might call this a business expansion unit. A believer would describe it as a genuine attempt to provide a complete risk transfer option for industry. Either way, cyber was a gap that could or should be filled. 

The question is: is it possible that cyberinsurance has attempted to fill a gap that is far deeper than it realized? Is there any possibility that insurers might simply withdraw from cyber?

“Yes,” he replied, “if at some point it becomes apparent that cyber risk is so systemic and so uninsurable, there would be no option but to withdraw. Insurance is a business, and like other businesses is answerable to its shareholders. But that’s why we’re talking to governments, learning more about cybersecurity and developing relationships with the tech and cybersecurity industry. My hope is that cyberinsurance can reach the same level of maturity as other insurances, like property insurance.”
