The Lloyd’s of London insurance market prides itself on being able to put a price on anything — from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.
But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.
But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre, now at the Blavatnik School for Government. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”
The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions. Ransomware group Conti last year seemingly switched focus, declaring its support for the Russian government after the invasion of Ukraine. Attribution is fraught: governments point fingers for geopolitical reasons, not commercial ones. If the intention is to exclude rare, catastrophic events, better to have an independent body that declares and categorises cyber events, argues Graeme Newman, head of CFC Underwriting.
This focus on systemic risk is slightly odd. The cyber insurance world has been rocked not by cyberwarfare in recent years but by ransomware and cyber extortion attacks. Payments identified as received by ransomware attackers more than quadrupled in 2020 on the year before, according to Chainalysis, and stayed there in 2021. Cyber insurance pricing by the back end of 2021 had doubled compared to the previous year, according to broker Marsh, and was still up 50 per cent again in the third quarter of last year.
Payments fell last year, in part because the Ukraine conflict may have disrupted cybergangs in the region. Victims may also be less willing to pay up, given the vast costs of repairing or rebuilding systems required in the aftermath of an attack. But this may not last: already this year, the UK has suffered high-profile attacks on the Guardian newspaper, the Royal Mail and retailer JD Sports.
The spiralling cost of claims has meant more restrictions on coverage, according to the US Government Accountability Office: limits on how much can be claimed for cyber incidents dropped sharply in 2021. The risk is that boards, with limited expertise, may not be getting the cover they think, especially since advisers report carve-outs for common threats like fraud from compromised business email accounts. Insurers, belatedly, also tightened up security requirements when underwriting.
The industry, tetchy about suggestions that cyber may prove uninsurable, concedes a lack of data about a threat that is, in any case, constantly changing. The Bank of England last month issued a warning about “immature” risk management. Limited take-up doesn’t help: Aviva found only a quarter of UK businesses have cover and that, if anything, cyber risk was slipping down the list of board priorities.
With both the US and UK considering a government backstop for systemic risks, the blurring of private and public responsibilities could force reform. Passing cyber risk to governments would have to mean tougher minimum standards for corporate resilience (which are probably merited anyway). Transparency about attacks and improved data-sharing could also help. Ultimately, countries need a national debate on cyber risk, of the type under way in Australia since last year’s Medibank breach seized the health data of nearly 10mn customers. Preferably without a major attack first.
The ambition is a reasonably priced, well-understood form of cyber insurance that also improves resilience and reduces costs for society. At the moment, it’s not obvious that we’re getting closer to that goal.