There’s at least one part of the financial sector where hackers are good for business.
Direct cyber insurance premiums grew to $2 billion last year, up 26 percent since 2015, according to figures published July 25 by Moody’s Investors Service. That figure represents less than 1 percent of insurance premium revenue in the U.S., but it’s clear the increasing claims over the past three years are driven largely by concerns about data breaches, distributed denial-of-service attacks and, perhaps most notably, ransomware.
The problem, despite all the demand, is that some insurers are now rethinking whether it’s in their best interest to keep offering the plans that help clients recover from devastating cyberattacks.
Swiss Re Americas, a reinsurer that primarily backs governments and other insurance companies, is reluctant to embrace the cyber insurance market because of unpredictable, and expensive, attacks like the 2017 NotPetya incident, which the White House said caused $10 billion in damages.
“Nobody saw this coming,” J. Eric Smith, president and CEO of Swiss Re Americas, said last week at the International Conference on Cybersecurity at Fordham University. NotPetya was enough for the $34 billion company to reconsider whether broadly offering cyber insurance was such a good idea.
“We used to think that we were right at the edge of it, and it was all going to happen,” he said. “Now we think we’re many, many years away, if it ever happens.”
Not just when and how, but who
The problem, as Smith put it, is that it’s just difficult to gather the information necessary to build the mathematical models that determine how to assign risk. Unlike health, automotive or even natural disaster insurance, there are too few data points around cyber exposure and the attacks that cause business interruption. It’s much easier to quantify the risk and cost of a car crash or a hurricane than the result of a zero-day attack carried out by state-sponsored hackers.
The uncertainty is epitomized in a lawsuit filed by food giant Mondelez International against Zurich Insurance. Mondelez sued Zurich for failing to meet claims after the NotPetya attack. Zurich has said it’s not responsible for those claims because NotPetya fell under the “war exclusion” of its policy, essentially categorizing Mondelez as collateral damage in an international conflict.
The pharmaceutical firm Merck has filed similar lawsuits against more than 20 insurers in connection with the same attack. The suits could take years to resolve.
“What covers us is the math … of diversification, where we spread the risk or manage risk,” Smith said. “What that means for us is that yes, we protect satellites and pandemics, but we do it all in a balanced way.”
Cyber insurance isn’t there yet. But clients are still scrambling to other insurers in search of a provider that will help mitigate their cyber risk, and the financial liability that comes with it.
The education, hospitality and retail industries have been the biggest adopters of cyber insurance in recent years, according to Moody’s. Other customers include lower levels of government. Events like the ransomware attack this month in La Porte, Indiana — when officials passed $100,000 of a $130,000 ransomware fee to their insurer — highlight the value that can come with such a plan.
What to do about fines?
Regulation also is driving adoption, as firms experience new scrutiny from the European Union’s General Data Protection Regulation, which threatens fines of up to 4 percent of annual revenue for the worst infractions. The New York Department of Financial Services cybersecurity regulation is also driving insurance adoption, Moody’s said, and breach notification laws are on the books in 48 different states.
“The proliferation of new rules around the globe has boosted demand for cyber insurance, but also has raised questions and uncertainty around the scope of insurance coverage,” the Moody’s report states. “[C]yber insurance policies generally cover losses related to data breaches, but it remains unclear whether they will be able to cover losses related to fines.”
In most jurisdictions, the Moody’s report goes on to explain, insurers are prohibited from indemnifying fines and regulatory penalties because doing so would undercut the spirit of the law.
In the meantime, insurers are trying to improve their understanding of which attacks are most likely, and how they can be stopped.
“It’s understanding what’s important to you as a business,” said Chris Hetner, a managing director of the cyber risk consulting practice at Marsh & McLennan. “What would really affect you: Is it a business interruption? The loss of personally identifiable information? Or is it the loss of intellectual property?”
“It’s not a single thing,” he said.