Cyber insurance policies often flatly deny claims related to war and terrorism. That’s because reimbursing companies for the widespread devastation resulting from a cyberwar would put many insurers out of business. But some common forms of catastrophic risk now being denied as war related could soon become the government’s responsibility to mitigate.
In July, the U.S. Government Accountability Office (GAO) recommended that the departments of Homeland Security and the Treasury assess whether a federal “backstop” is needed—much as government insurance covers crop failure—for cyber insurance policies that protect against attacks on critical infrastructure. Private insurers have increasingly sought to offset ransomware and other cyber losses by classifying them as acts of war.
To insurers, cyberattacks against critical infrastructure feel like a form of warfare when nation-states sponsor and direct the mayhem.
“Insurers are not equipped to provide cover for acts of war,” says Sridhar Manyem, director of industry research and analytics at AM Best, a global rating agency focused on the insurance industry. “That’s why act-of-war exclusions have been standard for more than 100 years.” Warfare exclusions to insurance coverage arose in the 1930s in response to the Spanish Civil War.
For example, insurers have increasingly denied claims for cyberattacks that originate in Ukraine and Russia because the two nations are engaged in armed conflict. Attorneys for U.S. critical infrastructure organizations, however, point out that the United States is not technically at war with any nation, at least not in the traditional sense. As such, they argue, attacks coming from Russia should be viewed through the same lens as any other source of threat.
Legal battles shape exclusions
Insurers already depend on reimbursement from the federal Terrorism Risk Insurance Program (TRIP), which was established after 9/11 to underwrite acts of terrorism and cyberattacks that are “violent or coercive in nature.” The trouble with TRIP: Most cyberattacks do not qualify as acts of war or terrorism under the program, even if they result in catastrophic losses.
A major disagreement over the interpretation of coverage limits spilled into court in 2017 when pharmaceutical giant Merck sued insurers over coverage for $1.4 billion in losses related to the NotPetya malware attack, which was attributed to Russian military hackers. In January 2022, Merck prevailed in the case when a New Jersey court ruled that the war exclusion applied only to armed, as opposed to cyber, warfare. Merck had sought reimbursement for its cyberattack costs through an all-risk property insurance policy, as opposed to a stand-alone cyber policy.
The ruling is unlikely to be the last word in the story. As ransomware and business email compromise (BEC) have spiked, insurers have seen higher losses across both stand-alone cyber policies and those packaged with other types of insurance. For every dollar of coverage they offer, insurers now lose about 65 cents for stand-alone and packaged cyber insurance.
That’s more than double the so-called “loss ratios” seen in 2017, which stood at 27.5 cents for packaged and 35.4 cents for stand-alone policies, according to research from AM Best. Loss ratios of 65 cents on the dollar are far above the comfort level of most insurers.
“Insurance, as it’s currently practiced, is usually heads they win and tails they win, too,” says Eric Gyasi, a cybersecurity expert and attorney who leads incident response investigations on behalf of companies suffering large-scale cyberattacks and intrusions for Stroz Friedberg, an Aon company. “Cyber has upended that model quite a bit.”
Cyber insurance also has the disadvantage that its risk is not as easily diversifiable as that of other coverage types. Consider flood insurance. If a major flood strikes one state, income generated in states without heavy flooding helps offset an insurer’s losses.
But cyberattacks are rarely confined to one place. When widespread attacks like NotPetya hit critical infrastructure, any organization with vulnerable hardware or software can be affected. Insurers can’t diversify themselves out of that kind of risk.
Cyber insurers pass along the pain
As a result of the dramatic rise in cybercrime, some insurers have been raising rates and deductibles while stiffening exclusions and reducing the types of businesses they’re willing to cover. Some insurers, including Lloyd’s of London, have announced they will no longer cover any cyberattack attributable to nation-states. Lloyd’s also reportedly began discouraging its 100 or so syndicate members from writing cyber business this year. Similarly, Chubb has gone public with a strategy of limiting coverage for widespread cybersecurity events.
Gyasi says that’s why he believes disputes over war and terrorism exclusions are likely to get worse before they get better. Cyber insurance is a fledgling form of coverage and, in a sense, insurers are flying blind. The actuarial models insurers use to predict risk are in flux. They also suffer from a lack of data, since many if not most corporate cyberattack victims avoid reporting incidents. Rules and requirements for the insured, in the meantime, continue to evolve.
At the same time, hacking attempts against critical infrastructure have become more sophisticated and frequent, according to the GAO. This became painfully evident when a ransomware attack against Colonial Pipeline interrupted the flow of oil to the East Coast in 2021.
Observers like Gyasi of Stroz Friedberg say such harrowing incidents explain why the federal government needs to design a system, much as the FDIC offers deposit insurance for banks, to guarantee that cyber insurance will cover attacks against critical infrastructure regardless of whether they are considered war related.
“If I’m right, the federal government is going to have to put in a backstop for some of these issues,” he asserts. “The broad and deep impact of a critical infrastructure failure calls for some sort of shared responsibility between government and the carriers.”
To do this, the federal government will have to decide how national critical infrastructure is defined. “The real issue is this space is changing so quickly,” says Gyasi. “It’s like trying to stick a post in the ground and discovering it’s quicksand.”