Plan of attack: the industry defines its cyber strategy – Analysis – Insurance News
The signs have been there for some time that cyber insurance is headed for trouble.
It is increasingly seen as a crucial product for businesses in the digital age, as ransomware attacks increase and global stability crumbles.
But for these same reasons, insurers are becoming more cautious about offering cover, with terms tightening and premiums soaring.
Today, the Insurance Council of Australia (ICA) warns that we could be a major event away from cyber insurance becoming “financially unsustainable”.
In a detailed working document, Cyber Insurance: Protecting Our Way of Life in a Digital World, the ICA outlines a series of steps to help create a sustainable market.
Here we highlight some of the main topics and recommendations.
Acts of war
State-sponsored cyberattacks that stop short of outright military conflict pose “a particular challenge” to insurers, the report says.
“Traditional policy exclusions for war or war-like incidents might not capture situations where nation states are suspected of being the source of an attack, or providing haven for pirates, particularly if the motives for the attack are unclear.
“Such attribution and characterization issues create significant contractual uncertainty for insurers, which has only exacerbated the recent tightening of cyberinsurance market conditions.”
Recommendation: The government should continue to consider expanding the current terrorism risk insurance pool to include extreme cyber incidents “to ensure the viability of a private cyber insurance market and build economic resilience.”
The industry should consider encouraging insurers to review current policy wording regarding acts of war and consider developing model wording to ensure cyber incidents are excluded where intended.
The report points out that it is difficult to use data to predict cyber risk because cybercrime is changing rapidly and current data is incomplete.
Current reporting requirements are based on “subjective judgment regarding materiality and specific criteria,” so they do not provide the full picture of the number and nature of cyberattacks that insurers need.
Recommendation: Further work is needed to increase cyber incident data sharing, both industry-to-government and government-to-industry.
The impact of an “accumulation event” is an underlying concern for many insurers, the document says.
“A major cyber event or a small series of successive connected attacks could render cyber insurance financially unviable.
“Unlike other events such as cyclones or floods, government and industry disaster modeling to estimate the losses that could be incurred due to a catastrophic cyber event in Australia is not well developed.”
Without such modelling, insurers could underestimate exposure, leading to “substantial negative financial impacts”.
Recommendation: Industry should work with government and relevant agencies to facilitate and create incentives for the development of cyber risk modeling.
The insurance market has evolved to cover ransomware, which continues to grow as a cybersecurity threat.
But the report clarifies that this coverage includes more than just compensation for ransoms paid.
“In many cases, the ransom payment, if paid by the victim, may represent only a minor part of the total loss that might be covered by insurers.”
The ICA admits that repayment of ransoms paid and proposals to ban such responses “are controversial public policy issues.” But it says “the case for banning compensation as part of the policies is weak.”
If indemnification were prohibited, criminals would simply use another metric to quantify ransom demands, it says, such as money in the bank or maximum overdraft.
The document refers to the government’s recent action plan against ransomware, which states that it does not condone ransom payments, but has not banned them, “instead of considering mandatory reporting, increasing capabilities and the provision of direct assistance such as measured policy approaches”.
Recommendation: The government should encourage cybervictims to disclose ransomware events and seek positive law enforcement assistance and reduce disincentives, such as punitive measures, that discourage disclosure.
Industry minimum underwriting standards
The paper says the insurance industry can help improve cybersecurity practices – on the premise that insurers are motivated to reduce claims and losses.
“This means that in theory there should be a ‘push factor’ from the insurance industry to raise standards and foster best practice,” it says.
“For example, the industry is well positioned to drive the adoption of reputable cybersecurity standards or frameworks.”
Insurers could reward better standards with greater coverage and/or lower premiums, which would incentivize organizations to improve standards.
Recommendation: Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for SMEs.