The cyber landscape is evolving rapidly, with digitalisation expanding the range of threats and vulnerabilities, according to a new report by The Geneva Association.
According to the report, this process is amplified by shifts in working and business practices brought on by COVID-19, some of which are likely to persist beyond the pandemic. Ransomware and supply chain attacks in particular have become more prolific since the onset of the pandemic and with them wider recognition of the potential for large-scale economic disruption from malicious cyber incidents.
A dedicated market for cyber insurance has developed over time involving a progressive broadening in the class of risks covered, both first- and third-party losses. However, the recent sharp increase in loss ratios on standalone cyber insurance – i.e. dedicated affirmative cover – has prompted re/insurers to re-calibrate cyber risks, the Geneva Association says:
“Coupled with initiatives to remove unintentional cyber exposure from conventional property and casualty policies (non-affirmative or ‘silent’ cyber), market re/insurance capacity has become scarcer. In the face of continuing strong demand, this has triggered a sharp rerating in the cost of cyber insurance and a tightening in terms and conditions.”
Hostile cyber activity (HCA) and insurance
Recent, serious supply chain intrusions and ransomware incidents have underscored a long-standing issue for cyber insurers: how much protection can and should insurance provide when the perpetrators of such attacks are linked to nation states? Traditional policy exclusions for war or war-like incidents fail to adequately capture situations where nation states are suspected of being behind an attack or at least providing a safe harbour for the hackers, especially if the motives for the attack are unclear. Such issues of attribution and characterisation create significant contractual uncertainty for insurers, which has only added to the recent tightening in cyber insurance market conditions.
More granular classifications of cyber incidents – including HCA terminology, which provides for a lower burden of proof for state involvement than current, widely-used definitions – will help provide greater clarity for insurers and increase comfort levels with their exposure, according to the report. But market acceptance of tighter policy language over insured cyber incidents takes time and even then, will likely only go so far.
The latest cyber incidents highlight the residual challenges in creating clear-cut, definitive boundaries around what legitimately falls within HCA and what does not. Nation-state involvement varies widely, from reported tacit sponsorship, including fostering an environment for developing sophisticated yet easy-to-use malware (e.g. the attack on Colonial Pipeline), to alleged, outright supervision and resourcing of hacking campaigns by a sovereign government (e.g. SolarWinds).
In such circumstances, the Geneva Association says, some of the difficulties of direct attribution for HCA resurface, particularly if state actors linked to criminal gangs use false-flag tactics to hide their traces, blame others or otherwise undermine any international consensus about the ultimate source of the attack.
Quantifying cyber risks remains challenging
Advances in modelling and the quantification of cyber risks, as well as reinsurance availability and other mechanisms to share risks, will be key to encouraging both incumbent and prospective insurers to offer increased coverage for HCA and other malicious cyber activity, the report says:
“Unlike for natural catastrophe perils – for example, hurricanes or man-made disasters such as terrorist attacks – cyber perils have no geographical borders; the whole world is potentially one cyber catastrophe zone. Beyond issues of attribution and characterisation, assessing the frequency and severity of HCA, especially the potential for large accumulated losses, remains a particularly serious challenge.”
Deterministic scenario analysis suggests some malicious cyber incidents, such as a temporary disruption to cloud services, might trigger economic losses broadly comparable with some historical natural catastrophes. But more extreme and long-lasting cyberattacks, including a widespread IT or operational infrastructure outage or failure, could generate significantly larger expected losses, the report says, adding:
“Moreover, the uncertainty surrounding such estimates is very large, meaning that total potential losses could be significantly higher than these ‘guesstimates’, easily exhausting re/insurers’ risk-absorbing capacity. This is especially true of HCA incidents where ambiguity over hackers’ motives, tactics and threat vectors, as well as the possibility for relatively minor, isolated attacks to escalate towards full-out cyber warfare, only add to the complications of quantifying cyber risks.”
The role of a government backstop
Advances in gathering cyber threat intelligence, including collaboration across firms and governments, will boost risk awareness and preparedness, important elements in building cyber resilience, the report suggests:
“Such information will enable insurers to detect vulnerabilities and foster improvements in modelling cyber risks. Likewise, progress by law enforcement agencies in tracing and pursuing the perpetrators of an attack and recovering extorted funds may go some way to deterring cyber criminals and increasing insurers’ comfort levels in offering risk-absorbing capacity.”
Ultimately, however, the report notes that the systemic characteristic of some cyber risks, in particular the potential for multiple losses from a single event or a campaign of attacks linked to HCA, means that the scale of accumulated losses may exceed levels that can safely and sensibly be absorbed by the private re/insurance sector. There is often collateral damage surrounding a large-scale, malicious cyberattack; unintended targets also suffer loss. To some extent too, the latest spate of attacks can be seen as near-misses; had circumstances transpired differently, the losses could have been much worse.
“Echoing current debates over pandemic-related risks, consideration should thus be given to government-backed solutions to finance these tail cyber risks in order to boost economy-wide resilience. A well-designed public-private partnership (PPP) could increase protection capacity and still encourage cyber market innovations to extend cover for HCA risks. This should not simply be a fiscal solution but also seek, through collaboration with insurers, to promote the adoption of cybersecurity best practices – including taking out appropriate insurance – to reduce societal vulnerability to such risks.”
This is an abridged version of a report by the Geneva Association, Insuring Hostile Cyber Activity: In search of sustainable solutions.