“Cyber insurance is the hot hot hot area of the insurance world,” Nick Economidis observed to Josephine Wolff, a scholar of cybersecurity policy at Tufts University. Economidis made this comment in 2018, when cyber insurance premiums were estimated to bring in more than $3 billion to some 471 insurers in the US. By 2025, Allianz estimates that the cyber insurance marketplace will have grown to be worth more than $20 billion. Clearly, more and more organizations around the country are interested in purchasing cyber insurance. But what exactly are they buying?
Generally speaking, cyber insurance provides three basic kinds of protection. First, it covers losses a company may incur if its IT infrastructure goes down in an attack. For example, Target filed a claim of roughly $74 million with its insurer for expenses related to replacing payment card devices in the wake of its 2013 breach (although this was disputed by its insurer). Second, cyber insurance provides funds to customers who are victims of online extortion and ransom demands. For example, when Lake City, Florida fell victim to ransomware in 2019, city officials authorized a ransom payment of $460,000, of which all but $10,000 was paid out by its insurer. Third, cyber insurance covers the costs associated with data breaches, such as the legal costs of class action lawsuits and the cost of providing identity theft protection to affected customers.
At this point, an interested party might ask themselves: why am I investing in cyber security at all? Perhaps it would be better to simply purchase a hefty cyber insurance policy!
Cyber insurance should not be thought of as an alternative to cyber security. On the contrary, cyber insurance is understood, in theory at least, to be a market-driven approach to cyber security. This means that in principle cyber insurance is meant to encourage better cyber security in organizations. The logic is that a rational actor will naturally want to minimize the risk burden associated with its IT, and so will turn to insurers for risk transfer; in turn, insurers will only offer to insure customers who satisfy a minimally robust security posture. It is a bit like car insurers refusing to cover individuals unless they enroll in driver education classes and maintain good driving habits (do not rack up too many speeding tickets, are not in too many accidents, etc.). Individuals who want to drive with peace of mind are therefore compelled by an ‘invisible hand’ to be safe drivers. The main takeaway is that cyber insurance is meant to complement cyber security; it can be an important element in an organization’s overall security policy.
This raises the question: what kind of security controls do insurers want to see in place before they offer to insure a customer?
The answer is that it depends. In a 2019 study of 34 unique, coded questionnaires presented to customers seeking to qualify for cyber insurance, analysts at the RAND Corporation identified 118 different topics assessed, ranging from the detailed (e.g., “Does the applicant deploy intrusion detection systems (IDS) or intrusion prevention systems (IPS)?”) to the very broad (e.g., asking about general “business information”). Nevertheless, the authors were able to parse these different topics into 14 subcategories, with 4 main themes: organization, technical, policies and procedures, and legal and compliance.
As a follow-up, customers might naturally wonder how their cyber insurance premiums would vary depending on the strength of their cyber security. Presumably, an organization that invests in more robust cyber security should expect to pay less for cyber insurance, in the same way that a safer driver pays less for car insurance than an unsafe driver pays.
Surprisingly, it does not appear to be the case that customers who invest in more robust cyber security can necessarily expect to pay less for cyber insurance. In testimony at a Senate subcommittee hearing on cyber insurance in 2015, Ola Sage explained how, after investing in new security controls at her organization (including implementing NIST’s Cybersecurity Framework, which was not even a requirement), her company’s premium actually increased by 12 percent! The explanation for this seeming discrepancy is that cyber insurers take many factors into account when pricing premiums, including, for instance, their competitors’ pricing. In Sage’s case, for example, the increase in price was primarily due to the fact that her company’s revenue grew in that year.
Sage’s experience is illustrative of the divergence between theory and practice in the cyber insurance industry. That is to say, it is increasingly clear that the cyber insurance market does not operate as the theory would suggest. The business model of insurance works by diversifying risk pools, so that an insurer should never have to pay out to its entire customer base all at once. An insurer who operates in Florida might reasonably expect that many of its customers could be affected by a hurricane; to hedge against this possibility, the same insurer might do business in a place like Montana, where natural disasters are much less likely. The fundamental problem that cyber insurance poses is that, due to the interconnectedness of computer systems on public and private networks, it might not be possible to rationally diversify risk pools.
Consider the NotPetya malware attack in 2017, which cost an estimated $10 billion to recover from. In her book Cyberinsurance Policy, Josephine Wolff notes that this malware “took out 10 percent of all computers in Ukraine within twenty-four hours and paralyzed the operations of major companies across multiple industry sectors and countries, irreversibly encrypting their data and flashing error messages on hundreds of thousands of screens. The Danish firm Maersk, the largest container shipping company in the world, was hit. So, too, was the British consumer goods manufacturer Reckitt Benckiser, which makes Durex condoms, Lysol, Clearasil, and Mead Johnson baby formula. The snack company Mondelez International, headquartered in Deerfield, Illinois—maker of Oreos, Trident gum, and Ritz crackers—suffered the same fate, unable to operate many of its computers and other devices because of strange and threatening messages in red and black text that refused to go away, some warning victims not to turn off their computers, others offering the alarming alert ‘oops, your important files are encrypted.’”
The seeming randomness of the victims of NotPetya raises the question of whether or not it is possible in principle to hedge against such events, which presumably will only increase as the world becomes more and more interconnected. At least one CEO thinks it is not possible. In 2021, Swiss Re CEO Christian Mumenthaler told Reinsurance News, “The problem is so big it’s not insurable. It’s just too big. Because there are events that can happen at the same time everywhere.” The numbers seem to bear this out. According to Fitch Ratings, losses to cyber insurers increased 300% from 2018 to 2021.
Bloomberg reports that the growing awareness that large-scale attacks like NotPetya might be fundamentally uninsurable is leading insurers to cut back on their offerings. The leading US cyber insurer, Chubb, has plans for a widespread hack exclusion in its offerings. Beazley now has a catastrophic events exclusion. Lloyd’s will stop covering losses stemming from nation-state-backed hacks. At the same time as insurers are carving out exclusions, they are increasing the price of their offerings. According to AM Best, cyber insurance premiums increased by 95% in 2021 alone.
The shrinking of cyber insurance supply, at the same time as demand for it accelerates, points to a malfunctioning marketplace. Insurers seem to believe that if cyber insurance has a future, it will require a government backstop, similar to the Terrorism Risk Insurance Act passed in the wake of the September 11 attacks. Regulators are considering it. In October 2022, the US Treasury Department’s Federal Insurance Office began seeking public comment on whether there is a need for government involvement in this space.
While insurers might candidly admit that they don’t know what they are doing in writing cyber insurance policies, as Warren Buffett said in 2018 at a Berkshire Hathaway annual meeting, they nevertheless continue to sell cyber insurance to willing customers, albeit at higher prices and with more exclusions than before. This is for the simple reason that it is the fastest-growing market within the industry, and until the marketplace explodes, it is unlikely that an insurance company will be willing to leave money on the table for its competitors to gobble up. As Charles Prince, the CEO of Citigroup, infamously quipped in 2007 about the company’s leveraged lending practices, which would precipitate the 2008 financial crisis, “As long as the music is playing, you’ve got to get up and dance.”
Where does all of this leave customers who want to minimize their IT risk burden? It would not be unwise to consider including as much cyber insurance as you can afford in your overall security policy, assuming you can qualify for it. But as a DynTek representative aptly put it, “The sales team sells policy, but the claims team determines what they will pay for a claim.” The point of caution is that organizations cannot be too confident that their cyber insurance policy will kick in if they suffer an attack; an insurer may very well reject their claim on a technicality. Consider the tale of Mondelez International, which suffered estimated losses of $188 million to get its systems back online after losing 1,700 servers and 24,000 laptops to the NotPetya attack in 2017. Mondelez had purchased insurance precisely to protect itself against this possibility. According to court filings, its policy covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” And yet its insurer rejected the claim, on the grounds that NotPetya was a “hostile or warlike action,” which is a standard exclusion in insurance policies. This led to a lawsuit, which was settled just last month, although the terms of the settlement have not been disclosed.
The key takeaway for organizations seeking to minimize their IT risk burden is to not rely too much on transferring risk by means of cyber insurance. Rather, organizations should place most of their focus on mitigating risk by implementing robust cyber security.
If you are interested in building up your security posture to qualify for cyber insurance, schedule some time to speak with one of our experts.