Is cyber risk really "uninsurable"?
“Insurance requires us to define perils… our policies, all of them were built in the last century, and we’re almost 25 years into the new century and we haven’t adjusted for the new digital liabilities.
“We can do it, we are in the business of putting assets at risk for a profit, we can adjust the definitions of what is it defined peril and what we will cover, and more importantly, what we will exclude – and we’re not there yet, we’re getting there.”
While Greco has opened up an important conversation, the uninsurability question requires “more drill down”, Kennedy said.
For Julia O’Toole, MyCena CEO, cyber “is entangled into every part of a company”, and to call cyber risk uninsurable could have knock on consequences.
“When you say that cyber is insurable, what are you actually defining?” she said. “Because today, one leaked credential can [result in an infiltration] and within a few hours, your whole network can be taken over and you can have a worldwide ransomware or espionage over the next two years of every single [piece of] confidential information that has been shared with your company.
“So where does it start? And where does it stop? Where’s the perimeter? Saying that it’s uninsurable could almost mean that nothing is insurable.”
Both Kennedy and O’Toole spoke during an interview with Insurance Business.
Insurers under the microscope on cyber hygiene
Greco’s December comments to the Financial Times that cyberattacks could be become “uninsurable”, and his calls for governments to look to public-private partnerships, were followed by the insurer itself facing up to a data breach in Asia.
In January, Zurich confirmed to news outlets that hackers had accessed email addresses, automobile names, and customer IDs of up to 757,463 Japanese customers. The insurer isn’t alone – big name insurance companies to have been hit by cyberattacks since 2020 include Chubb, Tokio Marine, and AXA.
Kennedy has told the US Federal Office of Insurance that, in his view and at present, “the risk is too great” for a federal backstop, and a Terrorism Risk Insurance Act (TRIA) (which established a government funded backstop for terrorism claims in the wake of 911) approach should not be taken – at least until insurers have their own houses in order and legislators are prepared to take a global view of the threat.
“It almost has to be done at a scale that has never done for a global event, it has to be done a really big level, because our business and cyber don’t have borders – you’re dealing with sovereignty exclusions, war exclusions, and all these other things,” Kennedy said.
“Granted, the insurance industry will be forced to respond, but what they need to do is start with the fact that their own hygiene has to be tightened up.
“There’s been major insurance companies hacked the people’s information out on the internet, so what are you going to do? The taxpayer is going to pick up the losses that the insurance carriers can be complicit in?”
For Kennedy, the answer to those questions is a firm “no”.
The “ubiquity” of cyber risk and that cyberattacks will remain a pervasive problem also pour doubt on a backstop model, according to O’Toole.
“Let’s say you put a backstop in today and the federal government pays, how about tomorrow? How about the next day?” she said.
“All you do is keep fuelling the cybercrime; it’s an unsustainable model, so unless you actually fix the root of the problem and clean up the mess, not just patch it with a backstop, it’s not going to do anything.”
Are cyber hygiene tax credits a better solution than federal cyber backstops?
While the experts were underwhelmed by federal cyber backstops as an option, Kennedy mooted an alternative in the form of tax credits for firms that do a good job of baking in cyber hygiene.
Giving an example of how this could work in the US system, Kennedy said: “Wouldn’t it be smarter than to have the federal government … go over to Congress and say, why don’t we give tax credits for people to get to [a better level of] security – taking a pre-law strategy as opposed to a post-law strategy?
“[They could say] we want to incentivise you to [have] better cyber hygiene; prove it to me, and you’ll get a tax deduction.”
“It cannot go the TRIA route where we’re just going to throw money at it and are not solving the problem,” Kennedy said.
“The insurance industry has already done that, and it’s called paying ransoms. Did we catch anybody? No, we just funded the losses.”
Have something to say about this story? Let us know in the comments below.