Are cyber attacks set to become ‘uninsurable’? Assured Data Protection’s CTOs Give their Predictions
In a recent interview, Zurich’s CEO claimed that cyber attacks are set to become uninsurable. With a single data breach now costing a global average of $4.35M (and a whopping $9.44M in the US), according to IBM, the insurance industry is understandably concerned about the growing disruption from hacks.
The Financial Times reported: “Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn.
But Mario Greco, chief executive at insurer Zurich, said that cyber was the risk to watch. Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives.
Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some cyber experts have warned that rising prices and bigger exceptions could put off people buying any protection.
Greco said there was a limit to how much the private sector can absorb, in terms of underwriting all the losses coming from cyber attacks. He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks”.
Greco also praised the US government’s steps to discourage ransom payments. “If you curb the payment of ransoms, there will be fewer attacks.”
But what does this mean for businesses and their data?
We asked our Chief Technology Officers in the Americas & EMEA what the implications of cyber attacks becoming uninsurable would be.
Andrew Eva, CTO (Americas) at Assured Data Protection said:
We see customers being denied or priced out of cyber insurance already. Insurance companies are taking a hard stance about data protection and resiliency policies that you either follow or be denied coverage. I expect we'll begin to see the insurance market begin to band together to specifically call out ransomware payments as a line item not to exceed.
The cost of insurance will drive most smaller businesses out of hosting their own and into third parties either in the cloud or as service providers. I would encourage all businesses interacting with a third party to demand to see their proof of coverage as part of doing business, as this will be a strong litmus to their data security posture.
Stew Parkin, CTO (EMEA) at Assured Data Protection said:
This is a very tricky area for insurance companies, as the technology and landscape are moving so quickly it is almost impossible for them to maintain policies and procedures that keep up with the advancements and changing attack vectors. Similarly, for them to be confident that their customers have taken enough precautions to protect themselves fully from every type of attack can be a cumbersome and ever-changing task.
However, it isn’t an impossible task, and their focus should really start at the last line of defence: the backup. Having a useable copy of data to recover from in the event of an attack is absolutely crucial, which is why so very often the attackers’ first port of call is to infect the backup systems. Organisations can defend themselves from this by using an immutable backup system, but if that repository is in the cloud or off site, they will need to make provisions for the speed of recovery.
I don’t think cyber recovery will become truly ‘uninsurable’, but I fully agree that at the moment the processes and checks that surround policies available are not fit for purpose and leave the insurance companies widely exposed to incidents where the technology that was supposed to be protecting organisations fails.
IBM report: https://www.ibm.com/reports/data-breach