Insurance industry body the Lloyd’s Market Association (LMA), which represents underwriters, has taken steps to regulate the cyber insurance market through the drafting of four new cyber insurance clauses designed to protect insurance companies from excessive cost liability.
Cybersecurity experts say the wording of these clauses is vague and unclear, and requires clarification. However they welcomed the move towards greater regulation as a way of making companies take security seriously, and said action is needed to avoid insurers bearing a disproportionate amount of the burden for the cost of cybercrime.
What are the new LMA cyber insurance clauses?
The LMA has released four “cyber war and cyber operation clauses,” which its members can adopt as part of insurance policies. If implemented, they exclude coverage of any damage caused by “war or a cyber operation that is carried out in the course of war”, including “retaliatory cyber operations between any specified states”. These countries include China, Japan, Russia, France, Germany, America and the UK. Where it is not possible to prove the reasons behind an attack or where the attack has come from, which is common in cybercrime, “the insurer may rely upon an inference which is objectively reasonable” to judge whether a customer is entitled to a payout.
Cybersecurity experts believe this wording is too vague. Ciaran Martin, the former head of the UK’s National Cyber Security Centre, tweeted that while it’s “welcome that [the LMA] has put something out… part of the document’s title is the problematic phrase ‘cyber war’ which it does not then try to define.” Other words such as “retaliatory” are highlighted by Martin as ambiguous, prompting the question “does this mean retaliation for a cyber operation, or anything?” Martin also questioned the definition of “war” within the clauses, adding: “Does paragraph 9.2 exclude cover for any state-sponsored hacking which happens all the time outside of war? If so, that’s huge, be clear about it.”
Other experts have praised the clauses as progressive within the field. John Hultquist, VP at Mandiant threat intelligence, tweeted: “especially interesting to see attribution worked into insurance language. Attribution burden is on the state where the targeted system is physically located. If the state fails to attribute, takes too long or says that it can’t, the burden falls on the insurer.”
Why are the new cyber insurance clauses needed?
With cybercrime on the rise, the landscape for insurers is getting increasingly risky when it comes to cyber policies. Data from the market intelligence firm S&P Global shows that the loss ratio from cyber insurance for underwriters in recent years has risen from 43 cents for every dollar in 2016 to 73 cents in 2020.
Payouts are on the rise because insurers initially lacked an understanding of the market, says Chet Wisniewski, principal research scientist at Sophos. The LMA clauses are designed to redress this. “Initially insurers entered the market without enough knowledge as to why organisations were being victimised and without the historical data they typically use to determine rates,” says Wisniewski. “While many have lost money, we also have more information than ever before to establish the root cause of the breach. This should influence how insurers price policies and create incentives to reduce the risks overall.”
It is also the fault of organisations for relying too heavily on cyber insurance as a substitute for shoring up their own cyber defences, argues Wisniewski. “Insurers seem to be strengthening their requirements, as well as some leaving the market entirely,” he says. “Too many organisations have relied on insurance to cover their million-dollar ransom payments as well as restoring services impacted by ransomware criminals. The industry appears to be more selective in who and how they insure, which hopefully will influence the behaviour of those who want to be insured to take security more seriously.”
Cost of cyber insurance could decimate the industry
Indeed, more restrictive cyber insurance policies may be required to convince organisations to take security seriously, says Steven Hope, CEO of Authlogics. “A sea change is needed to keep up with real-world threats,” he says. “All too often companies lack the motivation to upgrade or enhance their cybersecurity systems as the incentive to do so is lacking.”
Change is inevitable because the risk to insurance companies is so high it could collapse the entire industry, argues Tom Johansmeyer, head of insurance solutions at data analytics firm Verisk, in a report released by the Harvard Business Review. “With around 250 companies buying at least $200m in protection, it would only take five insured losses of a bit more than that amount to wipe out an entire year’s premium,” he says. “And that’s only 2% of the companies in the market buying that much coverage.”
At the moment, the risk borne by the insurance industry is far too high, says Johansmeyer. “That kind of loss would likely take decades for insurers to earn back such losses,” he adds.