Cyber Insurance: a fast-changing landscape

Focus on the evolving cyber insurance market in Europe for businesses, and the key factors that companies looking to buy cyber cover need to be aware of to make sure they secure the best deal 

By Ingo Trede, Branch Manager of Alta Signa

It has become increasingly difficult for companies to find affordable cyber insurance in recent months, as the willingness of insurers to provide capacity for this market shrinks in the face of increased risk, and intense scrutiny from governments and regulators paired with heightened uncertainty

Considering the scale of global inter-connectivity and on-going digitalisation, it’s not surprising that the number of opportunities and new methods of attacks opening up to cyber criminals is increasing. But even with the emergence of new techniques and approaches – such as the recent shift in attention towards pure destruction attacks – ransomware as a threat still remains a key concern.

This concern is so great that cyber attacks and data loss have been ranked as the most likely risk for a business in the global Directors Liability 2022 survey; and with the escalating war in Ukraine, such risks are unlikely to disappear off the top of peoples’ radars anytime soon.

Along with fears of state-sponsored cyber attacks on European supply chains, there are also growing concerns that Russian sanctions could in fact be creating fertile ground for attackers. The recent attack, for example, on Oil India’s field headquarters by the REvil hacker group, allegedly by Russian special forces, which saw computers locked out in a large-scale ransomware event – may be a hint as to how the cyber war frontier is developing.

Political focus

Although European governments are becoming more active in combating cybercrime – such as the shut-down of Hydra Market, one of the largest darknet market-places where ransomware and related services were traded – legal boundaries around the cybercrime scene are still largely ambiguous.

A growing number of US States and countries around the globe are discussing the prohibition of ransomware payments; as it stands, when it comes to cyber insurance, a ransomware payment itself is not deemed illegal, unless the payment is made to a sanctioned country, person, or group.

This approach has implications on both the current and future state of cyber insurance, particularly as cyber risk is expected to become more political. Attacks on state agencies – such as that seen in Finland for example – to the attempted disruption of financial systems, as seen in Ukraine, are instances of such political motives. Similar situations have also been witnessed in Israel, where websites hosting liberal news agencies were taken down in an attack.

The targeting of industrial control systems – such as that undertaken by Russia’s “sandworm” group on the Ukrainian electrical grid – and non-monetary driven attacks are also on the rise. This type of malicious software “bomb” is based on so-called “wiper” malware, and rather than holding files to ransom, the intent of the attack is to delete all files on an infected device and simply cause maximum dammage and interruption.

Insurance Industry response

This constant uptake of new tactics by cyber criminals means insurers have to constantly learn, understand and adapt to the changing cyber landscape – a move which ultimately makes way for new and updated regulations. The European Council Network and Information Security 2 (NIS2) Directive, which will require more types of companies to take stronger cybersecurity measures, is one such example of progressive governance in this field.

With cybercrime on the rise, quality cyber insurance is in demand across Europe; however, risk appetite is not, and some insurers have even stopped writing this line of business in certain market segments. The insurability of future attacks is also being brought into question, with ratings agency Moodys recently suggesting that if future attacks were to cause “widespread business interruption and economic disruption”, they could “represent an uninsurable event”.

The consequential paradox arises through hefty rate increases from the insurers to build reserves enabling them to sustain expected substantial losses that meet stringent budgets being even tightened due to the recessionary pressure.

The most effective and value-adding cyber policies are underwritten in line with core areas of the NIST cybersecurity framework. For those insurers who are in this marketplace, attention is being drawn towards wordings, exclusions and definitions, particularly in relation to the new non-monetary forms of attacks and the potential cumulative threat of spreading vendor attacks resulting in multiple insureds being affected as happened in the solarwind scenario. Policies try to control for  capacity limits while requiring high risk mitigation measures,

Such cyber security includes – but is not limited to – ones that focus on detection, containment of a suffered attack, and the restorative abilities of systems. Clients should also have endpoint and server detections and response capabilities in place, restrictions on access and administration controls, as well as two factor authentication for accessing key systems and hardware, not to mention continuous testing and vulnerability scanning.

In short, insurers expect their clients to take the job of protecting themselves seriously. Companies without basic risk mitigation  controls in place are likely to increasingly find that they are unable to secure insurance.

Finding the right coverage

As cyber security threats evolve, demand for expert insight and advice on coverage options will continue to increase, as will the type and availability of cyber insurance on offer. Cyber attacks represent a serious and growing operational and reputational risk to companies in Europe, and those corporations looking to secure effective cyber insurance in 2022 and beyond will need to understand their exposure to these risks and take active steps to improve their risk profile, working hand in hand with their insurance partner.

About the Author

Ingo Trede, Branch Manager at Alta Signa. Ingo started his career at Houston Casualty Company Global in Barcelona as a Financial Lines Underwriter at the German, Austrian & Swiss and Eastern European Desk. His main responsibilities were the development of the Swiss and Eastern European markets for both commercial and financial institutions accounts. His insurance product expertise includes all Financial Lines and Cyber for Financial Institutions. He further gained insights into Transaction Risk, Contingency and K&R Insurance through cross-selling initiatives in his former role at a leading specialty insurer. Ingo graduated from HEC Lausanne, Switzerland, in Economics (MSc) and further holds an LL.M. in Insurance law from University of Hamburg. He is fluent in French, Spanish, (Swiss-)German and English.

Ingo can be reached online at [email protected] and at our company website https://www.altasigna.com/