Today, many companies are tightening budgets and laying off staff in the face of current economic headwinds and geopolitical uncertainty. Meanwhile, cyberattacks aren’t slowing down; if anything, attack rates and risk levels keep rising.

Despite these growing threats, many cyber insurance companies are also cutting corners by narrowing coverage. CISOs and business leaders face tough choices as a result. How should they allocate funds? Should they improve their security posture? Should they buy more cyber insurance? Or both?

A recent $100 million settlement between insurance giant Zurich and Mondelez International (maker of Oreos, Ritz crackers and dozens of other snack foods) sheds some light on the issue. In 2017, NotPetya malware led to an estimated $10 billion in damages worldwide, and Mondelez was one of the victims.

It’s likely that Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world. That’s what motivated Zurich to claim an act of war exemption. They refused to pay the claim until the case went to court. Was Mondelez a victim of an act of war — or was it a victim of “collateral damage” which should be covered by insurance?

Seismic shifts in cyber insurance

Even before the Zurich / Mondelez ruling, the cyber insurance industry underwent a major transition. In August 2022, Lloyd’s, the world’s largest insurance marketplace, asked all cyber insurers selling through its platform to rewrite their policies.

According to Market Bulletin Y5381, Lloyd’s now requires that all standalone cyberattack policies (as per certain codes and conditions) must include a suitable clause excluding liability for losses arising from any state-backed cyberattack.

This caused a dramatic ripple effect in the industry. Insurers must now contend with staying competitive despite narrowing coverage. The move could also embolden non-Lloyd’s carriers to exclude coverage for war-related cyber incidents.

Meanwhile, given the rising risk, cyberattack insurance is in heavy demand among corporate customers. The top 20 U.S. insurers took in over $3.9 billion in cybersecurity direct premiums in 2021. In addition, standalone cyber premiums jumped 95% in 2021.

Are cyber insurers losing?

According to Fitch Ratings, cyber insurers have experienced a 300% increase in losses between 2018 and 2021. Still, in 2021, earned premium growth exceeded the change in incurred losses, and the standalone cyber loss ratio improved to 65% from 72% a year earlier.

All of this was before the war in Ukraine broke out. Pressures on insurance companies are also occurring in the wake of big court decisions that favor plaintiffs. For example, a New Jersey court ruled in December 2021 that a Chubb insurance unit can’t deny coverage for Merck & Co.’s $1.4 billion losses from NotPetya. The court held that Chubb’s war exclusion only bars physical warfare, not cyberattacks. What’s more, the Merck ruling was based on a property insurance claim, not cyber-specific coverage.

Given all these factors, it’s evident that Lloyd’s felt it necessary to adjust how they cover cyberattack claims.

How cyber insurance was born

A recent Lawfare blog reviews Josephine Wolff’s new book, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022). Wolff is a professor of cybersecurity policy, computer science and engineering at Tufts University.

According to Wolff, before cyber insurance became popular, companies brought cyber claims under commercial general liability, property and other lines of traditional insurance. But court decisions frequently decided against policyholders. This allowed insurers to avoid paying legal fees for cyber-related class action suits. Eventually, this tendency drove the market to develop cyber insurance-specific products.

Cyber insurance reveals cybersecurity’s complexity

These days, all major brands in any industry are also tech brands. What happens when a company is a breach victim but also an enabler of cyber breaches? Wolff highlights how challenging it is to “untangle who was responsible for incidents that had multiple, often overlapping, layers of victims, enablers and potential defenders.”

For the insurance industry, an ongoing difficulty exists in modeling and pricing cyber risks, as per Wolff. For instance, how does an insurer factor in how computer networks and data are increasingly intertwined with each other and other coverage areas? Insurers repeatedly complain about the lack of good actuarial data, modeling and pricing criteria.

Wolff also points out that developing an insurance policy for cyber risk is quite different from insuring auto or fire risks. Unlike car and fire risk, it is virtually impossible to articulate all the ways cyber threats could cause harm.

Security pros understand the pain

The challenges facing cyber insurers reflect the everyday reality of cybersecurity teams. There’s no such thing as a perimeter anymore. Thousands of apps, devices, third parties and users ask to connect to your networks anytime. The interwoven nature of networks and endpoints requires that security adopt vastly different approaches — which may benefit the cyber insurance industry and vice versa.

For example, an extended detection and response (XDR) security approach works by gathering and correlating data across various network points such as servers, email, cloud workloads and IoT.

XDR-gathered data is then analyzed and correlated, giving it visibility and context. This enables the identification of advanced threats. Next, threats can be prioritized, analyzed and sorted to prevent security collapses and data exfiltration. XDR helps organizations to have a higher level of cyber awareness and enables security teams to identify and eliminate vulnerabilities.

Complimentary benefits between cybersecurity and insurance

All this data and insight could also improve the cyber insurance policy insight and development. By the same token, incident data sharing will enable more accurate risk assessment and pricing.

Cyber insurers are also seen as a type of de facto regulator. To qualify for cyber insurance (which many businesses strongly desire), certain standards must be met. Also, those with stronger security, such as XDR systems, could insist on lower premiums.

The cyber insurance industry will continue to evolve. If fluid collaboration happens between insurers, security firms and organizations, all parties should come out ahead.