The cautionary warnings continue for insurers regarding the cyber risks that they underwrite. Although cybersure is seen as one of the major opportunities for the insurance industry, there are a number of risks including the increasing frequency of cyberattacks, the difficulty in pricing for the risks, and the fact that existing policies, including liability and property policies, may be invoked to pay claims which have never been priced for.
In May 2019, Beazley of London warned about the rising frequency and cost of ransomware attacks with potential exposures arising rapidly. The 2017 NotPetya cyberattack caused insured losses exceeding $3 billion. Many of these losses were written through property classes and not standalone cyber policies.
At the end of April 2019 a Bermudian re-insurer announced that it was reducing its cyber exposures in both the US and international markets on the basis that the very large cyber accounts were mispriced particularly for top-end programmes that cover hundreds of millions of dollars.
It is reported that a major insurance group is being sued for about $100 million in Illinois, US under a property policy relating to the NotPetya attack on Mondelez in the USA. The issue is whether the attack was ‘hostile or warlike action’ because some authorities attributed the event to the fallout from a cyberattack by Russia on Ukraine.
Technology which is growing in capacity, such as artificial intelligence, 3D printing, quantum computing and the internet of things, are creating major risk exposures which most people cannot keep up with because of the costs of doing so. Decisions have to be made whether to insure cyber risks to physical damage or intangible assets only. While developments such as self-driving cars, pilotless ships and computer-run buildings are exciting, they are also exciting for hackers.
Major London cyber insurers are discussing an amendment to the war exclusion wording that will cover state-backed cyberattacks below a certain threshold but will exclude attacks with major consequences for the economy, security or essential infrastructure. The problem is proving who was responsible for the attack and whether it was ‘hostile or warlike action’ as opposed to malicious hacking.
The International Underwriting Association has introduced a Cyber Loss Absolute Exclusion clause and a Cyber Loss Limited Exclusion clause to avoid cyber liabilities in traditional insurance policies which may unintentionally cover cyber risks.
It has also been reported that the ransomware attack affecting the entire global operation of Norsk Hydro in March 2019 could cost a consortium of insurers nearly $70 million under a cyber policy.