April 10, 2023 By Jonathan Reed 4 min read

Today, many companies are tightening budgets and laying off staff in the face of current economic headwinds and geopolitical uncertainty. Meanwhile, cyberattacks aren’t slowing down; if anything, attack rates and risk levels keep rising.

Despite these growing threats, many cyber insurance companies are also cutting corners by narrowing coverage. CISOs and business leaders face tough choices as a result. How should they allocate funds? Should they improve their security posture? Should they buy more cyber insurance? Or both?

A recent $100 million settlement between insurance giant Zurich and Mondelez International (maker of Oreos, Ritz crackers and dozens of other snack foods) sheds some light on the issue. In 2017, NotPetya malware led to an estimated $10 billion in damages worldwide, and Mondelez was one of the victims.

It’s likely that Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world. That’s what motivated Zurich to claim an act of war exemption. They refused to pay the claim until the case went to court. Was Mondelez a victim of an act of war — or was it a victim of “collateral damage” which should be covered by insurance?

Seismic shifts in cyber insurance

Even before the Zurich / Mondelez ruling, the cyber insurance industry underwent a major transition. In August 2022, Lloyd’s, the world’s largest insurance marketplace, asked all cyber insurers selling through its platform to rewrite their policies.

According to Market Bulletin Y5381, Lloyd’s now requires that all standalone cyberattack policies (as per certain codes and conditions) must include a suitable clause excluding liability for losses arising from any state-backed cyberattack.

This caused a dramatic ripple effect in the industry. Insurers must now contend with staying competitive despite narrowing coverage. The move could also embolden non-Lloyd’s carriers to exclude coverage for war-related cyber incidents.

Meanwhile, given the rising risk, cyberattack insurance is in heavy demand among corporate customers. The top 20 U.S. insurers took in over $3.9 billion in cybersecurity direct premiums in 2021. In addition, standalone cyber premiums jumped 95% in 2021.

Are cyber insurers losing?

According to Fitch Ratings, cyber insurers have experienced a 300% increase in losses between 2018 and 2021. Still, in 2021, earned premium growth exceeded the change in incurred losses, and the standalone cyber loss ratio improved to 65% from 72% a year earlier.

All of this was before the war in Ukraine broke out. Pressures on insurance companies are also occurring in the wake of big court decisions that favor plaintiffs. For example, a New Jersey court ruled in December 2021 that a Chubb insurance unit can’t deny coverage for Merck & Co.’s $1.4 billion losses from NotPetya. The court held that Chubb’s war exclusion only bars physical warfare, not cyberattacks. What’s more, the Merck ruling was based on a property insurance claim, not cyber-specific coverage.

Given all these factors, it’s evident that Lloyd’s felt it necessary to adjust how they cover cyberattack claims.

How cyber insurance was born

A recent Lawfare blog reviews Josephine Wolff’s new book, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022). Wolff is a professor of cybersecurity policy, computer science and engineering at Tufts University.

According to Wolff, before cyber insurance became popular, companies brought cyber claims under commercial general liability, property and other lines of traditional insurance. But court decisions frequently decided against policyholders. This allowed insurers to avoid paying legal fees for cyber-related class action suits. Eventually, this tendency drove the market to develop cyber insurance-specific products.

Cyber insurance reveals cybersecurity’s complexity

These days, all major brands in any industry are also tech brands. What happens when a company is a breach victim but also an enabler of cyber breaches? Wolff highlights how challenging it is to “untangle who was responsible for incidents that had multiple, often overlapping, layers of victims, enablers and potential defenders.”

For the insurance industry, an ongoing difficulty exists in modeling and pricing cyber risks, as per Wolff. For instance, how does an insurer factor in how computer networks and data are increasingly intertwined with each other and other coverage areas? Insurers repeatedly complain about the lack of good actuarial data, modeling and pricing criteria.

Wolff also points out that developing an insurance policy for cyber risk is quite different from insuring auto or fire risks. Unlike car and fire risk, it is virtually impossible to articulate all the ways cyber threats could cause harm.

Security pros understand the pain

The challenges facing cyber insurers reflect the everyday reality of cybersecurity teams. There’s no such thing as a perimeter anymore. Thousands of apps, devices, third parties and users ask to connect to your networks anytime. The interwoven nature of networks and endpoints requires that security adopt vastly different approaches — which may benefit the cyber insurance industry and vice versa.

For example, an extended detection and response (XDR) security approach works by gathering and correlating data across various network points such as servers, email, cloud workloads and IoT.

XDR-gathered data is then analyzed and correlated, giving it visibility and context. This enables the identification of advanced threats. Next, threats can be prioritized, analyzed and sorted to prevent security collapses and data exfiltration. XDR helps organizations to have a higher level of cyber awareness and enables security teams to identify and eliminate vulnerabilities.

Complimentary benefits between cybersecurity and insurance

All this data and insight could also improve the cyber insurance policy insight and development. By the same token, incident data sharing will enable more accurate risk assessment and pricing.

Cyber insurers are also seen as a type of de facto regulator. To qualify for cyber insurance (which many businesses strongly desire), certain standards must be met. Also, those with stronger security, such as XDR systems, could insist on lower premiums.

The cyber insurance industry will continue to evolve. If fluid collaboration happens between insurers, security firms and organizations, all parties should come out ahead.

More from News

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Change Healthcare cyberattack causes dire billing crisis

3 min read - Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today