Lloyd's of London has released a major market bulletin designed to ‘set out Lloyd’s requirements for state-backed cyber attack exclusions in standalone cyber attack policies’. It follows similar moves and sentiments expressed across industries and domains, including the Bank of England’s Prudential Regulation Authority, the Royal United Services Institute, and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
The decision comes as the cyber insurance industry finds itself unable to measure the cybersecurity risk of its clients effectively and accurately. The result? An inability to pay out on claims. This has made premiums skyrocket and coverage increasingly difficult to negotiate if you have suffered an attack previously.
This decision does not solve the problem
Businesses will find themselves unable to transfer a significant part of their cyber risk. Insurance providers will face an uphill climb to show value in risk sharing as an investment. There will be clear ripple effects, but the cyber insurance arena will still need to address the root cause: How do you assess and price cyber risk transparently, continuously, and appropriately?
In this blog, we explore your crucial questions:
- Does this exclusion reduce the effectiveness of cyber insurance for minimizing business risk?
- If attribution of an attack is unclear, what will this mean for insurance payouts?
- Can anything be done to ensure that insurance remains a viable, valuable, and effective method of sharing risk for your business?
Does the exclusion of catastrophic nation-state hacks reduce the effectiveness of cyber insurance for minimizing business risk?
Let us understand the motivation behind introducing any insurance clause: it protects insurance providers from catastrophic losses. With the interdependence of critical infrastructure sectors – electricity and communications with healthcare and financial services – a cyber attack on any sector would simultaneously create a knock-on effect on multiple industries and businesses, magnifying the impact and losses.
Insurance works on trust. One of the most pertinent questions a business leader will have is whether an insurance policy keeps the business and its revenue intact during a cyber attack. Today, the cyber insurance sector cannot confidently answer this question. Underwriting cybersecurity insurance is difficult because of a lack of publicly available data.
This loss of customer confidence translates into an ever-growing fracture line between clients and the cyber insurance sector. From a customer's point of view, such a broad exclusion will prompt questions:
- How badly do we need this policy?
- Do we have to pay this premium?
- Should we self-insure?
- Can we just accept this risk?
If attribution of an attack is unclear, what will this mean for insurance payouts?
Many commentators have raised concerns that Lloyd's of London has not been thorough enough in its definition of a state-backed attack, or in how it will determine that a claim is unsuccessful.
While Lloyd's has previously tried to calm overall concerns in the insurance industry, only time will tell how these new clauses are exercised. Early analysis points to longer claims processes and more litigation. Unless the industry can collectively fix how cyber insurance policies are understood, written, and priced – based on actual data – there is no end to the challenges and mistrust in cyber insurance.
Could insurers use the challenges of attribution to prolong the settlement process? Or even back out of significant claims for larger-scale attacks?
Attack attribution isn’t always black and white. A state-backed attack may not always be overtly evident (or admitted). Many threat actors and events have not been addressed: volunteer armies, hacktivists, and cyber criminal groups with suspected government connections - all of which may act in the name or perceived interest of a country, but not necessarily on behalf of one. Would such activities be considered state-backed attacks, and be granted successful payouts, or not?
Without clarity on where the thresholds are, every policyholder is left uncertain about what risk they are actually transferring. The immediate impact of litigation over cyber insurance claims will be customers questioning the comprehensiveness and usefulness of cyber insurance policies.
What can be done to ensure insurance remains an effective means of sharing risk?
The solution to the industry’s challenges already exists within Cyber Risk Quantification (CRQ). Although not a new field, advances in automation and artificial intelligence have produced Cyber Risk Quantification management platforms designed explicitly to measure, manage, and mitigate cybersecurity risk across complex environments.
Cybersecurity risk is an operational risk and is increasingly treated as a business risk. Both the owner and the underwriter of the risk need to quantify it if they are to understand the degree of risk exposure. It is this information that is crucial to any insurance coverage.
To quantify business risk, you must quantify the risk of your assets - both tangible (physical) and intangible (digital). Take S&P 500 companies as an example: more than 85% of their value rests in the digital assets they own and/or operate. Since every digital asset is exposed to some degree of cyber risk, a company’s attack surface naturally expands as those assets grow.
Figure: Tangible vs. Intangible assets of S&P 500 companies (Ocean Tomo Market Value Study)
If the cyber insurance industry is to sustain the explosive costs of securing organizations against cyber attacks, it must adopt cyber risk quantification.
How Cyber Risk Quantification and Management (CRQM) transforms Cyber Risk Management
CRQM platforms empower underwriters to understand the true, real-time risk posture of the company through continuous data-driven assessments. The SAFE CRQM platform measures, prioritizes, and enables proactive management of cybersecurity risk across people, processes, technology, and third parties. By making hidden or unrealized risk visible, business leaders and decision-makers gain essential information required to negotiate a fair, competitively-priced cyber insurance premium – based on hard data, not assumptions.
Here at Safe, we believe in our mission to create a safer digital future. That’s why we are providing a free cyber insurance assessment led by our specialists, with no obligation to buy.
- Find out how likely you are to be the victim of a cyber attack within the next 12 months - and why.
- Discover the estimated financial impact of cyber attacks on your company - by attack vector.
- We’ll help you determine whether you are overpaying for your cyber insurance and whether you are likely to have the right protection.
This article uses insights from Pankaj Goyal, Senior VP of Data Science and Cyber Insurance at Safe Security.
References
- Lloyd's of London (2022): Market Bulletin Y5381: State backed cyber-attack exclusions
- Dark Reading (2022): Cyber-Insurance Firms Limit Payouts, Risk Obsolescence
- Gallagher (2022): Exploring trends in the insurance marketplace
- The Register (2022): Cyber insurers may attribute nation state attacks in future
- Ocean Tomo (2022): Intangible Asset Market Value Study
- CPO Magazine (2022): Cyber Insurance Is a Perfect Storm: Risk Quantification Can Rescue It