No policies for the cybersecurity sector. For companies that have IT systems that handle sensitive data, taking out an insurance policy against cyber attacks is a sine qua non


Unfortunately, it is becoming increasingly difficult to insure against cyber risks, because the damage caused by computer piracy increases year on year.


In an interview with the Financial Times, Mario Greco, CEO of insurance group Zurich, stressed that cybersecurity will soon become an uninsurable sector. He added that he was very concerned about the exponential growth of ransomware attacks which, on the one hand, have exposed the vulnerability of companies and, on the other, suggest a trend of increasing losses. He also worries that hackers can easily gain control of corporate and government IT infrastructures.

In his view, it is not only about data losses and related damage, but also about the continuity of our civilization and our quality of life. He stressed how these organized gangs can cause serious disruption in our daily lives. 

Recently, insurance companies have become much more cautious, resulting in higher premiums and changing coverage options. 

In April, Zurich Insurance and Mondelez International reached a $100 million settlement of their dispute over Zurich's refusal to pay claims for the 2017 NotPetya virus attack, which hit businesses around the world.

Mondelez's damages claims were denied by Zurich, which argued that the NotPetya cyberattack, which initially targeted Ukrainian entities, was a Russian state-sponsored operation and therefore fell under war damages exemptions.

In September, Lloyd's of London took steps to reduce potential damage claims for cyber attacks, and announced that from 2023 all of their insurance groups will have to exclude "catastrophic" attacks, hostile acts sponsored by a state, from their cyber insurance policies.

A senior Lloyd's executive commented that he took the correct action because it was more rational to act rather than wait for "things to keep getting worse". 

However, the complexity of identifying perpetrators and their ties to a state makes such exceptions highly questionable and legally difficult.

IT specialists have warned that rising costs and widening exceptions could dissuade businesses from buying any type of policy. 

Cyber attacks treated like earthquakes

According to Greco, the private sector is somewhat limited in terms of the resources it can allocate to cover losses caused by cyber attacks. He suggests that governments establish public-private partnerships to manage cyber risks too complex to calculate, similar to those that exist in some nations for disasters such as earthquakes or terrorist attacks.

During the interview, Greco praised the US government's actions to limit ransom payments, saying, “Decreased ransom payments will result in fewer attacks.”

The US government has sought opinions on whether to create federal cyber security insurance as part of its public-private insurance program intended to cover terrorism-related issues. 

In June, the US Government Accountability Office released a report highlighting the potential for cyber incidents to impact other connected businesses.

One example cited as evidence that a single cyber incident can have catastrophic effects was the Colonial Pipeline hack, which caused a brief fuel shortage in the southeastern United States. This demonstrated how an attack can spread through vital infrastructure systems. Christian Mumenthaler, head of Swiss Re, one of the world's largest insurance and reinsurance companies, noted that cyberattacks of this level of complexity are “on the rise” and that “critical infrastructure is a problem”.

What changes in the cybersecurity policy

The Russia-Ukraine war is the first war that is waged primarily with cyberattacks aimed at rendering the enemy's infrastructure ineffective. The intensification of attacks and the difficulty of attributing them make prevention, diplomatic protests and the imposition of any sanctions difficult.

Furthermore, the situation has been worsened by the creation of new business models by cyber criminals who, inspired by the forms of sale of traditional markets, have introduced an affiliation service for ransomware services. In this way they give the possibility of carrying out cyber attacks even to those who do not have the technical skills, thus multiplying the spread of this crime. Criminal organizations advertise the sale of access to previously infected networks on the Dark Web.

Due to these circumstances, an increasing number of insurance companies have begun to take a more prudent stance on cybersecurity policies. First they changed the economic terms, increasing premiums and deductibles. Then they lowered the maximums insured and introduced a number of restrictions on the coverage of the insurance. In practice, in the event of an incident, it is very probable that the insured will never be compensated.

Only time will tell if the insurance and reinsurance industries and governments can keep pace and form a front that can counter the growing array of cyber risks. In the meantime, however, in view of these warning signs, companies must get ahead of events and engage industry experts to improve the know-how of the internal team and receive external advice to stay up to date.
