It has been less than 30 years since cyber insurance was first introduced to help companies survive the losses involved in cybercrime. It was seen as one more defense against financial disaster, much like insurance against fire, flood or third-party liability. Claims arising from cyberattacks, however, are growing faster than those from any other class of threat. In an interview with the Insurance Journal, Denis Kessler, Chairman and CEO of the major reinsurer SCOR, predicted that cyber risk would soon become a greater risk to the insurance sector than natural catastrophes, with a cost exceeding $600 billion per year [1]. To take a single case: after the highly public and damaging ransomware attack on Norsk Hydro AS in March 2019, its insurers paid out $3.6 million [2]. Large as that settlement seems, it was a fraction of the estimated final bill of $75 million to restore Norsk Hydro’s systems [3].
Beware of the Exclusion
The Norsk Hydro incident shows that there is always a limit to how much risk a company can transfer to its insurer. Indeed, Norsk Hydro may have been lucky to get anything at all: there has been speculation that the attack, which used a strain of ransomware called LockerGoga, was sponsored by a foreign state and was therefore a hostile act. When the snack-food multinational Mondelez was hit by the NotPetya malware in 2017, its insurer, Zurich, refused the claim, stating that it considered NotPetya a hostile act by another ‘government or sovereign power’ and therefore excluded from cover [4].
Zurich could invoke the ‘act of war’ exclusion because the United States, the United Kingdom and other Western governments had publicly attributed NotPetya to Russia. The malware was initially created to destabilize Ukraine, as part of the ongoing conflict between the two countries, although it appears also to have been directed at other countries that had criticized Russia’s actions in Ukraine. Russia has never accepted responsibility for it. Mondelez’s lawyers have argued that NotPetya cannot be treated as a hostile act in the usual sense: to qualify as an act of war, they contend, there must be physical damage to bricks and mortar, not merely economic injury, however large the losses. Moreover, the victims were civilian organizations operating far from any conflict zone. Seen in that light, the attack was cybervandalism, a criminal matter that should still be covered. Mondelez was not alone: the pharmaceutical giant Merck was also hit by the malware and suffered $700 million in damage, and several of its insurers refused to pay for the same reason. These cases are still being argued, and the insurance position on state-sponsored ‘attacks’ remains unclear.
Even setting the ‘act of war’ problem aside, a cyber insurance policy will not automatically cover every cyber incident. Companies need to do their own due diligence on the policy wording, and possibly consult an expert. Treating cyber insurance as a substitute for robust cybersecurity measures is unrealistic, and expecting it to cover all costs is unlikely to end well. As many recent cyberattacks have shown, the insurance payout is far less than the eventual loss to the company. Strong cybersecurity measures in the first place remain the best way of reducing a company’s risk, a point that has not been lost on cyber insurers either.
Many cyber policies now require companies to complete long questionnaires detailing the cybersecurity controls they already have in place before cover is offered. And yet, as CSO magazine has noted, ‘insurance against cyber risk today is more art than science’ [5]. Insurers are well versed in the statistics of physical risks such as natural disasters, fires and damage to buildings. Cyber risk, by contrast, has too many ever-changing variables for the exposure of a given company to be quantified precisely. The attack surface is not only huge but sometimes unknown even to the parties involved.
The Problem of Ransomware
Ransomware is an example of this dilemma. It is constantly evolving, and attacks are becoming more sophisticated. Insurers appear divided over how this type of malware should be handled. There have been several instances of insurance companies encouraging a company hit by ransomware to pay, even though it had good backups of its data. Why? Theresa Payton, former White House CIO and CEO of the cybersecurity firm Fortalice Solutions, explained the reasoning in a speech at the Cloudsec 2019 conference in London:
‘They [the company hit by malware] called the insurance company to try to do the forensics to not pay [but] the insurance company said they’re experienced at negotiating with ransomware syndicates, getting the price down and it’s going to be a lot cheaper to pay.’ [6]
So it seems that some cyber insurers take the path of least resistance, trying to minimize costs and get the company operational again quickly. But does it work? Not always. Lake City, Florida, paid a 42 Bitcoin ransom (around $500,000) yet was unable to recover all of its files from the attackers.
More interesting still, recent research has found that paying a ransom to unlock files can cost a company more in the long run than restoring its systems from backups would have. Even after paying, recovery work is usually needed to repair the damage the criminals caused, on top of the ransom itself. A survey of organizations that had suffered ransomware attacks found that the average total cost for those that paid the ransom was close to $1.4 million, whereas those that ignored the demand and recovered on their own saw average costs of $732,000 [7]. That raises yet another question for insurers: whether to pay a ransom at all.
To Pay or Not to Pay: Moral Hazard & Incentivizing Criminality
Paying ransomware operators carries other risks too. A company that has paid once is likely to pay again if it is hit a second time. Funding criminal organizations not only incentivizes them to stage more attacks but also gives them the money to improve their malware and methods. According to the security firm Coveware, the average ransom payment doubled in the last three months of 2019, with larger companies and organizations facing greater demands than smaller ones [8]. Ransomware has now evolved again: operators steal data before encrypting it, so that if a company refuses to pay and restores from its backups, the criminals can threaten to publish the sensitive data they took. That raises the stakes and further muddies the pay/don’t pay quandary.
In recent months insurers have also had to deal with another, unexpected risk. The COVID-19 pandemic has brought a huge rise in remote working, changing the threat landscape again as employees work from home on potentially unprotected devices and networks. Companies are having to review their cyber-liability policies with their insurers, as well as implementing new security practices for remote staff. Insurers, in turn, have to re-evaluate their exposure in the face of unprecedented events. They can be expected to impose even stricter conditions on cover than before, widening exclusions and scrutinizing a company’s security arrangements more closely. Some insurers are going further and scanning ‘the public-facing elements of a prospective customer’s network, such as their website or email servers, looking for vulnerabilities’ [9].
While such measures may sound extreme, this kind of due diligence by insurers could benefit both parties: it helps the insurer evaluate its risk, and it shows the company where it needs further measures to strengthen its cybersecurity. The full effect of the pandemic on cyber insurance claims will not be known until it ends. But there is a silver lining: many companies will have found that they need to take their cybersecurity more seriously than before. They will realize that cyber insurance, however necessary and useful after an attack, is a band-aid on a wound, and that preventing the injury in the first place is what matters. Insurers, too, will have more data with which to understand risk and set prices.
As for the future, some things seem inevitable:
- The market for cyber insurance will grow as more and more businesses realize that they are vulnerable to significant losses in the event of an attack.
- Companies will take a strategic, risk-management approach to cybersecurity.
- Resilience is critical: cyber incidents will occur, and the challenge is to reduce the risk while ensuring that cover remains available.
- Insurers will tighten conditions on cover and raise premiums to offset possible losses from the rising number of cyberattacks.
- Insurers may employ cybersecurity experts to conduct due diligence on companies before insuring them. We anticipate new models that evaluate risk.
- More companies will demand tailor-made policies for their particular needs.
1. Helene Fouquet and William Horobin, ‘Warning: Cyber Will Soon Cost Insurers More Than Natural Disasters,’ Insurance Journal, 05/12/2019, accessed at https://www.insurancejournal.com/news/international/2019/05/12/526164.htm
2. Duncan Greatwood, ‘Developing Comprehensive Cyberinsurance for Tomorrow’s Cities – Today,’ Security Magazine, 01/09/2020, accessed at https://www.securitymagazine.com/articles/91514-developing-comprehensive-cyberinsurance-for-tomorrows-cities—today
3. Dan Swinhoe, ‘What is the Cost of a Data Breach,’ CSO Online, 05/08/2020, accessed at https://www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html
4. Adam Satariano and Nicole Perlroth, ‘Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong,’ The New York Times, 04/15/2019, accessed at https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
5. JM Porup, ‘5 Things You Should Know About Cybersecurity Insurance,’ CSO Online, 02/17/2020, accessed at https://www.csoonline.com/article/3526974/5-things-you-should-know-about-cybersecurity-insurance.html
6. Danny Palmer, ‘Ransomware: Cyber-Insurance Payouts are Adding to the Problem, Warn Security Experts,’ ZDNet, 09/17/2019, accessed at https://www.zdnet.com/article/ransomware-cyber-insurance-payouts-are-adding-to-the-problem-warn-security-experts/
7. Danny Palmer, ‘Ransomware: Why Paying the Crooks Can Actually Cost You More in the Long Run,’ ZDNet, 05/12/2020, accessed at https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/
8. ‘Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate,’ Coveware, 01/22/2020, accessed at https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
9. Interview with Graeme Newman, chief innovation officer at CFC Underwriting Ltd., in ‘Cyber Insurers Get Tough on Risk Assessments Amid Coronavirus Pandemic,’ The Wall Street Journal, 05/18/2020, accessed at https://www.wsj.com/articles/cyber-insurers-get-tough-on-risk-assessments-amid-coronavirus-pandemic-11589794201