The growth of ransomware and cyberwar has exposed fault lines in cyberinsurance. Over the last eighteen months, cyberinsurance has come under fire for failing to predict the rapid rise in ransomware and its associated costs, and for not understanding the legal and practical differences between war and cyberwar. This has forced the industry to raise premiums, demand basic security preconditions, and refuse more claims.
Cyberinsurance is unusual among forms of insurance in that the underlying risks are constantly changing and evolving, which makes the future hard to predict. As a result, insurers struggle to accurately assess the risk posed by an individual policyholder and the potential for unmanageable systemic risk across the portfolio.
Chris Storer, head of the cyber center of excellence at reinsurance giant Munich Re, has provided insight into how the industry itself views cyberinsurance. Storer acknowledges that cyberinsurance got its sums wrong, particularly with regard to ransomware, but emphasizes that it is not seeking to increase profit at the expense of the insured. Rather, the intent is to make the industry sustainable and to reduce the potential for unmanageable systemic risk.
To do this, the cyberinsurance industry has been forced to introduce new and specific cyberwar exclusion clauses, which clarify which aspects of cyberwar a policy covers and which it does not. It is important to note, however, that these exclusions are not intended to eliminate claim payouts, but rather to provide a clear definition of potential liabilities that everyone can understand.
The industry is also expanding its role from risk transfer to risk mitigation, meaning that insurers increasingly advise policyholders on how to improve their security posture. Depending on how a policyholder responds, this can result in lower premiums or in a refusal of cover, and overall it reduces the potential for systemic risk payouts.
Finally, the cyberinsurance industry is exploring partnerships with technology firms, as well as the possibility of acquiring specialist cybersecurity vendors. It is also considering the development of a security standard that firms must meet before being offered cyberinsurance, similar to the PCI DSS in the payment card industry.
All of these changes are intended to provide stability and continuity for cyberinsurance while reducing the potential for unmanageable systemic risk. Insurers are also seeking to improve risk mitigation for policyholders, which will ultimately benefit both sides.