December 2, 2021 (updated 6 October 2022, 9:35am)

Underwriters are no longer willing to bear the heavy cost of cyber insurance

New clauses from industry body the Lloyd's Market Association are designed to restrict the liability of underwriters for the high cost of cybercrime. Is this a positive step?

By Claudia Glover

Insurance industry body the Lloyd’s Market Association (LMA), which represents underwriters, has taken steps to regulate the cyber insurance market through the drafting of four new cyber insurance clauses designed to protect insurance companies from excessive cost liability.

The Lloyd's Market Association, part of Lloyd's of London, has introduced new clauses around cyber insurance (Photo by Nikolay Pandev/Shutterstock)

Cybersecurity experts say the wording of these clauses is vague and unclear, and requires clarification. However, they welcomed the move towards greater regulation as a way of making companies take security seriously, and said action is needed to avoid insurers bearing a disproportionate share of the cost of cybercrime.

What are the new LMA cyber insurance clauses?

The LMA has released four “cyber war and cyber operation clauses”, which its members can adopt as part of insurance policies. If adopted, they exclude coverage of any damage caused by “war or a cyber operation that is carried out in the course of war”, including “retaliatory cyber operations between any specified states”. The specified states are China, Japan, Russia, France, Germany, the US and the UK. Where it is not possible to prove who carried out an attack or why, which is common in cybercrime, “the insurer may rely upon an inference which is objectively reasonable” in deciding whether a customer is entitled to a payout.

Cybersecurity experts believe this wording is too vague. Ciaran Martin, the former head of the UK’s National Cyber Security Centre, tweeted that while it’s “welcome that [the LMA] has put something out… part of the document’s title is the problematic phrase ‘cyber war’ which it does not then try to define.” Other words such as “retaliatory” are highlighted by Martin as ambiguous, prompting the question “does this mean retaliation for a cyber operation, or anything?” Martin also questioned the definition of “war” within the clauses, adding: “Does paragraph 9.2 exclude cover for any state-sponsored hacking which happens all the time outside of war? If so, that’s huge, be clear about it.”

Other experts have praised the clauses as progressive within the field. John Hultquist, VP at Mandiant threat intelligence tweeted “especially interesting to see attribution worked into insurance language. Attribution burden is on the state where the targeted system is physically located. If the state fails to attribute, takes too long or says that it can’t, the burden falls on the insurer.”

Why are the new cyber insurance clauses needed?

With cybercrime on the rise, the landscape for insurers is getting increasingly risky when it comes to cyber policies. Data from the market intelligence firm S&P Global shows that underwriters' loss ratio on cyber insurance has risen from 43 cents of losses for every dollar of premium in 2016 to 73 cents in 2020.


Payouts are on the rise because insurers initially lacked an understanding of the market, says Chet Wisniewski, principal research scientist at Sophos. The LMA clauses are designed to redress this. “Initially insurers entered the market without enough knowledge as to why organisations were being victimised and without the historical data they typically use to determine rates," says Wisniewski. "While many have lost money, we also have more information than ever before to establish the root cause of the breach. This should influence how insurers price policies and create incentives to reduce the risks overall.”

It is also the fault of organisations for relying too heavily on cyber insurance as a substitution for shoring up their own cyber defences, argues Wisniewski. “Insurers seem to be strengthening their requirements, as well as some leaving the market entirely," he says. "Too many organisations have relied on insurance to cover their million-dollar ransom payments as well as restoring services impacted by ransomware criminals. The industry appears to be more selective in who and how they insure which hopefully will influence the behaviour of those who want to be insured to take security more seriously.”

Cost of cyber insurance could decimate the industry

Indeed, more restrictive cyber insurance policies may be required to convince organisations to take security seriously, says Steven Hope, CEO of Authlogics. “A sea change is needed to keep up with real-world threats," he says. "All too often companies lack the motivation to upgrade or enhance their cybersecurity systems as the incentive to do so is lacking."

Change is inevitable because the risk to insurance companies is so high it could collapse the entire industry, argues Tom Johansmeyer, head of insurance solutions at data analytics firm Verisk, in a report released by the Harvard Business Review. “With around 250 companies buying at least $200m in protection, it would only take five insured losses of a bit more than that amount to wipe out an entire year’s premium," he says. "And that’s only 2% of the companies in the market buying that much coverage.”

At the moment, the risk borne here by the insurance industry is far too high, said Johansmeyer. "That kind of loss would likely take decades for insurers to earn back such losses," he added.
