The blurring of cyber-warfare and traditional acts of war has increased in recent years, as attacks on infrastructure and businesses have become more sophisticated.

“Underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers,” says a Lloyd’s Market Bulletin from last August.

In March 2022 law firm Eversheds Sutherland detailed the significant risks to both insureds and insurers posed by unclear cyber insurance policy wording. The firm detected a recent trend of limiting cyber incident coverage, as insurers attempt to limit their exposure for cyber incidents by raising premiums, limiting policy coverage and excluding coverage for certain events.

Deny coverage

Referencing a case involving pharmaceutical company Merck, Eversheds said “it was found that insurers could not rely on traditional war exclusion clauses to deny coverage for damage caused by state-backed cyberattacks, because such clauses, ‘applied only to traditional forms of warfare‘. The new exclusions are an attempt by Lloyd’s to counteract that decision and narrow the coverage available.”

“If the insurance industry doesn’t step up, [cyber] will be one of the biggest missed opportunities with companies self-insuring or government schemes being developed to deal with the challenge,” Michael Steel, head of Moody’s RMS, a major risk-modelling firm, told the Financial Times. But the decision to omit state-sponsored crimes makes perfect sense, say some industry experts.

“You can develop a policy that does cover cyber, but how the hell do you prove who’s done what in a state-sponsored attack?”

Branko Bjelobaba, general insurance specialist

“Most insurances do not cover war risks. A lot of risks around the world are either uninsured or uninsurable,” says Branko Bjelobaba, a general insurance specialist and former vice-president of the Chartered Insurance Institute. “The capacity for the worldwide insurance market is not 100%. It’s a small part of that, with self-insurance and governments covering the rest.

“We’ve had Flood Re deal with floods, Pool Re deal with terrorism, so sometimes working on a partnership basis it’s possible to risk pool because no insurer is going to want to insure something that brings them down. You can develop a policy that does cover cyber, but how the hell do you prove who’s done what in a state-sponsored attack?”

Uninsurable

In December, CEO of Zurich Insurance Mario Greco praised the US government’s steps to discourage ransom payments to cyber attackers. However, he also warned that cyber attacks could become ‘uninsurable’, because of the rapidly rising impacts, costs and proliferation of ransomware and related cyber incidents – coupled with the increasing commoditization of hacking tools on the one hand and the increasing determination of state and state-sponsored threat actors on the other. 

But the classification of what can be considered state-backed can be a very murky area. “How do you prove who has done it? It can be an agent of the state. A North Korean citizen may feel it’s his duty to subvert Western business, but he’s not been told by the government. In this case, is it state-sponsored or not?” asks Bjelobaba.

GRIP reported in January on the launch of a “catastrophe bond” by specialist Lloyd’s insurer Beazley, indicating that there is a pressing urgency for cyberthreats to be included in policies. At the end of 2021, McAfee Enterprise and FireEye said 81% of global organizations experienced increased cyber threats with 79% experiencing downtime due to a cyber incident during a peak season. Supply chain, e-commerce, and travel were among the hardest hit sectors.

Meanwhile, premiums increased by an average of approximately 27% per quarter between Q4 2021 and Q3 2022 according to a report by the CIAB. The surge in prices directly reflects the increasing frequency of claims as well as their severity.