Major Cyber Insurance Overhaul Begins Now [Government Technology]
Apr. 9—One thing is clear about cyber insurance in the spring of 2023: The status quo is not sustainable.
And now,
"Exclusions for acts of war have long been a staple of policies ranging from property to motor, shielding insurers from the potentially crippling claims that a physical conflict generates. But Lloyd's, a powerhouse in the global industry, believes war exclusions need updating for the Internet age, when cyber warfare can be government sponsored even in the absence of conventional conflict. Failure to exclude significant state-backed attacks from policies would leave insurers exposed to 'systemic risk,' Lloyd's said when it first announced the plan last summer."
The article goes on to point out that Fitch Ratings forecasts the total spend on cybersecurity policies globally could reach
According to Tech Monitor,
"The requirements set out here take effect from
WHO TO BLAME?
There are several excellent articles on the challenges of attribution regarding cyber attacks, and these new cyber insurance clauses leave many questions unanswered that may ultimately be decided by the courts.
At the heart of this matter are questions that we have been debating for many years such as:
* How do you define "cyber war"?
* How can attribution be truly known for cyber attacks?
* Who will be the deciding organization when disagreements arise?
I like this article at Marsh.com on moving toward clarity on some of these topics. Here's an excerpt:
"In the spirit of transparency, we share here a high-level summary of themes explored through our work with
* The endorsement should not serve as a catastrophic risk catchall.
* The endorsement should clarify the scope of coverage provided resulting from state-backed cyber attacks.
* The endorsement should bring clarity to what constitutes war, and avoid conflation with the concept of a cyber operation.
* The introduction of new concepts like 'cyber operations,' 'major detrimental impact,' 'impacted state,' and 'essential services' should be as clear and unambiguous as possible in order to avoid or minimize disputes as to the meaning of the wording.
* The inclusion of references to attribution of cyber operations should not change the legal burden of proof, nor should it alter how the policy responds. Attribution of cyber operations to a sovereign state should not automatically trigger an exclusion of coverage.
* The endorsement should clearly delineate between cyber attacks that constitute or are deployed as part of an ongoing war — and thus are beyond the scope of coverage — and cyber attacks that are not related to a war and so should not be inadvertently excluded."
I also like this cyber insurance case law history article and analysis at
"The relevant provisions of the policy must be scrutinized by the insured so as to assure that the policy will provide the broadest protection against a fraudster's creative and ingenious schemes that may befuddle the staff of the insured and may lead to significant fraudulent transfers and losses."
NEW
And if you think this topic can get no more complex, think again. As I identified in a recent blog on the new National Cybersecurity Strategy, cyber insurance is a major topic of discussion in the
This Forbes article (contributed by
"Cyber insurance is one component of a multilayered cybersecurity and risk management strategy. Today's environment of systemic risks stemming from global events, geopolitical threats and third-party risk events has a cascading impact on and across organizations — and the cyber insurance market. The call for a federal response to support the existing cyber insurance market is welcomed. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will likely be needed in the future. Meanwhile, organizations must address the current reality of cyber insurance market dynamics and increasingly stringent requirements for obtaining cyber insurance policies."
Many are calling for the federal government to become the insurer of last resort for cyber insurance; however, that would require an act of
WHAT CAN ORGANIZATIONS DO NOW?
In an Eversheds-Sutherland Legal Alert, the following advice was given to cybersecurity policyholders in the current environment:
"It remains to be seen the extent to which Lloyd's decision to exclude state-backed cyber attacks from standard cyber insurance policies will be mimicked by other insurance providers. However,
"But, in this new environment, organizations may want to:
1. Pay particular attention to how terms like 'cyber operation' are defined, and how attribution will be determined in cases of suspected state-backed cyber attacks;
2. Scour definitions integral to policy coverage, such as 'software systems,' 'networks' and 'equipment,' to ensure appropriate coverage, including when attacks impact third-party applications, vendors, virtual networks and cloud services;
3. Verify the extent to which insurance company pre-approval is required, including in the heat of a crippling attack; and
4. Confirm they have robust and tested breach response plans in place, aligned with insurers, and that insurers have pre-approved the companies' preferred outside counsel (not just panel counsel), forensic providers and crisis communicators."
"In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risks on clients and capacity providers.
1. First, regularly scan and warn all clients about critical vulnerabilities being exploited and have actionable mitigations. When Log4Shell was discovered, the Resilience Security team immediately checked all its clients and followed up directly with remediation actions. If there is a highly "contagious" vulnerability, we will ensure we are a part of the immune system response.
2. Second, leverage data-driven frameworks like the NIST Cybersecurity Framework and CIS Critical Controls as a part of underwriting and guidance to clients. Resilience leverages these tools in our modeling to ensure that our clients and capital placement follow the most up-to-date guidance on cyber hygiene.
3. Finally, use data tools to understand and model your portfolio risk. This has been a long-term goal for Resilience to help provide visibility to capital providers on sources of systemic risk. This drives proactive mitigations into our client base through guidance and policy language when we see trends that could lead to massive systemic-level losses."
FINAL THOUGHTS
When I posted the FT.com article that I began this blog with on my LinkedIn page on
If you read those comments and feedback on cyber insurance, you will see that perspectives are all over the map. But to sum up a widely held view, look at this comment from
"Expected. There are so many companies already insured that should have never gotten one because of lacking investments and emphasis on cybersecurity. Also, recent court case decisions on liability have not been favorable to insurers. It was a matter of time, but the key question is: Where will they draw the line between state-sponsored and non-state sponsored because in case of
___
(c)2023 Government Technology
Distributed by Tribune Content Agency, LLC.