Global insurers are racing to figure out how to avoid covering government-sponsored cyberattacks and catastrophic hacks, as large damages and some notable companies’ retrenching spook the market.
Ransomware attacks increased by 87% in 2022 from the year before. Global cyber premiums will exceed $23 billion by 2025, reinsurer Swiss Re AG has said. Fewer than 20% of businesses have policy limits higher than the median ransomware demand, it said.
As the leading carriers decide how to move forward, corporate customers are left to deal with a messy cyber market and contradictory contract terms, brokers and insurers say.
“At this point, nothing exists to the extent that satisfies customers, insurers, and brokers when dealing with systemic risk,” said Greg Eskins, cyber product leader at Marsh & McLennan, referring to catastrophic cyber attacks.
“On one hand, you’ve got a large number of insurers saying cyber war is unquantifiable and uninsurable. On the other hand, you have participants in the market looking to find a solution for it,” he said.
Lloyd’s of London, the biggest global insurance market, asked all carriers selling through its platform to stop covering state-backed hacks. But many insurers, including those fearing a backlash from US customers, are coming up with other ways to manage the risks.
“The market will likely get behind one or two approaches in 12 or 24 months,” said Chris Storer, head of Munich Re’s cyber centre of excellence.
All Over the Map
Lloyd’s shook up the market last year when it first proposed the cyber war exclusion.
Most major insurers—including those with a large footprint in the US—sell some coverage through Lloyd’s marketplace. While some carriers raced to follow Lloyd’s guidance, which took effect last month, others are taking a different tack.
“There’s no uniformity” in cyber insurance policies, said Elizabeth Geary, insurance solutions president at Liberty Mutual Group. “They vary greatly for each of the different coverages out there.”
Lloyd’s has said that state-backed cyberattacks causing a policyholder’s digital assets to suffer a “major detrimental impact” will not be covered. But the term is open to interpretation.
A policyholder can now face as many as five or six different kinds of war exclusions in a single standard policy, said Colin Daly, executive vice president of broker CAC Specialty. Cyber coverage is usually spread across multiple insurers.
Beazley has cut coverage for cyberattacks affecting critical infrastructure, which now includes attacks on stock exchanges and mobile networks, according to the insurer’s January update. Beazley also put a 50% coverage cap on cloud outages lasting more than 72 hours and malware attacks against companies with less than $100 million in revenue.
“There are a lot of systemic risks we take on. There are just a few things that are just too big,” said Paul Bantick, global head of cyber risks at Beazley.
Beazley is also developing a new cyber insurance product, set to launch by July 1, to cover attacks barred by Lloyd’s war exclusion, Bantick said. More than 20 other insurers have reached out to express interest, he added.
Insurers are moving with renewed urgency after a New Jersey appeals court ruled May 1 that a Chubb unit is on the hook for Merck & Co.'s $1.4 billion losses from an allegedly Russia-initiated malware hack. Chubb’s war exclusion in a 2017 policy with Merck only bars damages from physical warfare, not cyberattacks, the court said.
“Now the Merck case has been released, any insurer who chooses not to update their war language is running a material risk,” Storer said.
So far, insurers’ efforts haven’t led to a consistent approach.
“In many cases, insurers’ attempts to create clarity actually created more ambiguity and uncertainty because of the wide variation of interpretation of these new and novel clauses,” Eskins said.
He also raised doubts about the need for a new stand-alone cyber war policy. “Every new or evolving risk doesn’t demand a brand new product,” Eskins said.
Businesses that are frequent targets of cyberattacks, including financial, health-care, and utility companies, are concerned that Lloyd’s mandate gives insurers too much leeway to deny coverage for state-backed attacks, especially when it isn’t clear how much a foreign government was involved.
In some cases, corporate customers have favored insurers—especially those selling in the US market—that took a softer stance on cyber war and systemic risks.
It’s unfortunate that some policyholders are picking winners and losers as insurers attempt to clarify clauses that were never meant to cover cyber war or state-backed hacks, said Munich Re’s Storer.
But corporate policyholders are confused by the shifting landscape for cyber coverage, and some are skeptical that their policy will pay out for a big attack.
“A lot of customers feel beaten up,” said Michael Hamilton, head of cybersecurity firm Critical Insight.
Mark Lance, vice president at GuidePoint Security, said multiple businesses have told him they decided to pass on cyber insurance, opting instead to spend the money on internal security controls. “We’ve heard it from some large public companies and some private ones as well,” he added.
Some insurers, responding to customer pushback and a competitive market, are tweaking their cyber policies to entice businesses to stay.
Bantick says Beazley is asking policyholders fewer questions this year to allow for quicker underwriting. Liberty Mutual is increasing its average cyber coverage limit to $10 million, up from $5 million, Geary said.
Meanwhile, premiums on primary cyber policies dropped 15% in March compared with the same time last year, said Christian Hoffman, global cyber leader at Aon Plc.
But any changes in a buyer-friendly market could also make it harder to enforce Lloyd’s cyber war restrictions, and many insurers are struggling to find the right balance.
Allianz SE “hasn’t picked a direction” on how to exclude cyber wars, said Tresa Stephens, the company’s North America cyber head.
“You don’t want to end up in a situation where you’re backpedaling, because you have a portfolio of insureds who are relying on you to make a good judgment call,” she said.
One priority for insurers is to make sure they aren’t on the hook when a cyberattack affects a business and its digital vendors at the same time. If a carrier insures a company as well as its cloud providers, cybersecurity contractors, and customers, they all could be filing insurance claims when a widespread attack hits one of the company’s networks.
“We’re trying to make sure that we’re not putting all of our eggs in one basket,” Stephens said.