The CEO of Zurich Insurance, one of Europe’s largest insurance companies, has stated that cybercrime could soon become “uninsurable,” warning that the risks from cyberattacks surpassed both climate change and pandemics.
“What will become uninsurable is going to be cyber,” said Mario Greco while speaking to the Financial Times. “What if someone takes control of vital parts of our infrastructure, the consequences of that?”
The CEO further said this was not just a threat to the private sector but could have wider ramifications: “First off, we must understand that this is not just about data… this is about civilization. These people can severely disrupt our lives.”
Insurance Companies Struggling to Process Cybercrime Claims
Due to the high volume and variety of cyberattacks in recent years, insurers have been hard-pressed to pay out on cybercrime claims, and they are still developing policies that accurately cover the many nuances of cybercrime. Cybercrime insurance is a new and evolving field, and policies can be difficult to quote accurately.
Cybercrime insurers have taken losses in recent years, prompting underwriters to limit their exposure. They have raised prices and tailored policy wording to exclude certain payouts.
In 2019, Zurich declined to pay Mondelez $100 million on a cybersecurity claim, pointing out that its policy excluded coverage for “warlike action.” Presumably, Kremlin-backed actors led the attack. The NotPetya ransomware attack, as it is known, cost Mondelez 1,700 servers and 24,000 laptops. The two companies later reached a settlement.
More commonly, cybersecurity insurers claim exemption when the party hit with an attack is negligent in maintaining adequate security protocols. Zurich could have easily rejected Mondelez’s claim on the grounds of negligence because the company was previously the subject of another cybercrime attack.
Rising US Premiums for Cybercrime Insurance
US firms face a similar dilemma. The US Government Accountability Office has documented the issues with cybercrime and how it affects insurance premiums. Between 2016 and 2019, US insurance companies doubled the cost of cybercrime insurance. During the same period, the percentage of clients who purchased cybercrime insurance went from 26% to 47%.
Historically, commercial property and casualty policies included some form of cyber coverage. This is no longer the case. Now, companies offer cybercrime insurance as a standalone package. Overall, this has resulted in higher premiums, more exemption clauses, and less coverage. Cybercrime insurers have also gotten much more selective about who gets coverage.
Federal entities, such as the Federal Insurance Office and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, are currently investigating whether losses from a wide-scale cyberattack would be covered or not.
In 2021, the Colonial Pipeline ransomware attack (which caused gas shortages in the southeastern US) demonstrated the scale of financial damage possible from these wide-scale cybercrimes. The attack forced a regional emergency declaration in over 17 states.
What Cybercrime Insurance Companies Look For
Purchasing cybercrime insurance doesn’t give companies a free pass to ignore cybersecurity guidelines; far from it. Among other things, cyber insurance companies can look for the following security controls:
- Next-generation firewalls and high-quality antivirus software
- Mandatory enforcement of long, complex, and regularly changed passwords for all employees
- Multifactor authentication
- Automated and frequent software patching
- Employee awareness training (particularly in relation to social engineering)
- Continual monitoring of network traffic
A company with multiple unnoticed and unpatched breaches would be a big red flag for a cybercrime insurance provider. Given the sheer volume of daily attacks, ignoring known, detectable security vulnerabilities is irresponsible.
Firms should choose insurance policies carefully and according to their needs. For example, many cybercrime insurance companies don’t cover social engineering attacks. It’s important to read and understand the fine print, which is often deliberately written in an opaque style.
Systemic Effects of Cyber Attacks
Mario Greco said the real worry brought on by cybercrime wasn’t only the private sector losses but the systemic threat it posed. He called for the setting up of “private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.”
Such private-public partnerships can help eliminate vulnerabilities in supply chains and systems. Firms that integrate a vulnerable open-source component into their products share that exposure with every other user of the component, so a single flaw ripples across many organizations. Malicious code injected into an open-source package can easily spread to every vendor that ships that package.
Google recently warned of the threat in the software supply chain. Software compromised during its build or distribution can affect every product downstream. A supply-chain vulnerability is especially attractive to cybercriminals because a single compromise allows for more impactful and damaging attacks.
Commercial and federal entities sometimes have to bear the brunt of a cyberattack simultaneously. For instance, the SolarWinds attack cost nine federal agencies and 100 private companies a total of $100 billion. With such astounding damages, alongside the scale and ingenuity of these crimes, insurance companies can’t keep passing the buck onto businesses.
A Solution to Rising Insurance Premiums?
With cyberattacks going off the charts, raising premiums makes perfect business sense. Yet, cybercrime could become uninsurable if the situation worsens, as Mario Greco of Zurich Insurance predicts. But despite the grim state of affairs, solutions to the issue do exist. Combating cybercrime requires relying on proven security controls and on public, private, and open-source entities working as a united front.
Fortunately, this is happening: GitHub released free secret scanning and mandatory 2FA for code submissions; Google announced its OSV vulnerability scanner for open-source developers; Apple is introducing end-to-end encryption (E2EE) for cloud data; and regulatory authorities are cracking down hard on cybersecurity transgressors and violators.
These days, cybercrime looms large in the minds of regulators, developers, politicians, and business people. Cybercrime continues to rank among the biggest threats to wide-scale infrastructure and the economy.