Cyber Security: The challenge for insurers and practices alike

The problem for insurers

“…the market for cyber insurance is experiencing strong growth, providing contracts that mitigate the increasing risk exposure—with significant potential ahead. However, cyber insurance differs from other lines of business in multiple ways that pose significant challenges to insurance companies offering cyber coverage:

  • Data on cyber events and losses is scarce and typically not available in the desired amount or granularity.
  • Cyber threats are evolving dynamically in a highly non-stationary cyber risk landscape.
  • Aggregate cyber risks arise due to common IT architectures or complex interconnections that cannot easily be captured.
  • The term ‘cyber’ risk itself comprises many different types of risk with different root causes and types of impact. Insurance companies cannot solely rely on standard actuarial approaches when modelling and pricing cyber risks. Their traditional methods need to be complemented by novel and innovative techniques for both underwriting and quantitative risk management.” (Awiszus, et al., 2023)

Whilst a large part of this article is dedicated to how individual practices will likely need to approach their cyber insurance and their broader cyber protection, the best sense of the scale of the problem comes from the challenges that insurers themselves currently face. As you will see, one of the biggest problems appears to be that people (especially policymakers) are not taking the issue seriously enough.

As Mario Greco, the chief executive of Zurich, was quoted as saying: “First off, there must be a perception that this is not just about data…this is about civilisation. These people can seriously disrupt our lives.” (Smith, 2022) In that article Smith addressed a complaint raised frequently by insurance companies: the punishing level of claims arising globally from events such as natural catastrophes, which now exceed USD 100 billion annually and are expected to climb further on the back of climate change. Because neither the scale nor the means of a cyber-attack can be known in advance, insurers are choosing to sharply increase premiums, to steer clear of the market altogether, or to write comparatively aggressive exclusions into their policies, a notable example being state-backed attacks. The consequence Smith noted is that once premiums pass a certain threshold, and are combined with overly broad exclusions, buyers may be put off purchasing protection at all. This returns us to the earlier point that prevention needs to be at the forefront of any solution, since relying on insurance to deal with the problem is only going to become more difficult.

One indication of how seriously some jurisdictions take the threat is the language used by the US government, which has floated the idea of bringing some elements of cyber insurance into the public-private insurance programme that backstops cover against acts of terrorism. This is not surprising given the potential flow-on effects of shutdowns of key infrastructure such as oil pipelines, which have already occurred.

The UK government appears to be being pushed into a similar position by insurers in respect of attacks considered to be state-sponsored, with support being sought from the same safety net that exists for more conventionally defined acts of terrorism, Pool Re (Smith, 2023). “Pool Re was set up in 1993 after underwriters, spooked by IRA bombing campaigns in the UK, pulled back from insuring acts of terror. It shares risk with primary insurers, and though it is owned by the insurance industry, it can call on funding from the government in extreme circumstances. It has so far paid more than £600mn in claims for events declared by the government to be the work of terrorists and built up a near-£7bn investment fund. It has never called on the government guarantee.” (Smith, 2023) The same article highlighted that Lloyd’s of London has already announced it will require an exclusion for state-backed attacks, given that the industry may simply be unable to absorb the cost.