According to the World Economic Forum’s 2020 Global Risk Report, cybersecurity assaults are one of the world’s top risks in terms of probability and severity. The report projects a 75% rise in cyber thefts, along with a 76.1% increase in the risk of cyberattacks on IT infrastructures for this year. The growing threat makes cybersecurity insurance more appealing than ever before, and it’s no surprise that businesses are eager to protect themselves against digital assaults. Will businesses really benefit from cyber insurance? Recent events seem to suggest otherwise.

Case Instances

In late November 2021, Lloyd’s, a London-based insurance juggernaut, announced that it won’t pay for ‘acts of cyber war’ or nation-state retaliation attacks. This was a side effect of the NotPetya malware attacks in 2017, which inundated websites belonging to Ukrainian organizations across Europe, along with similar assaults on businesses in the United Kingdom, Russia, Poland, the United States, and Australia. NotPetya affected several firms, but there are certain instances in which insurance companies have denied payment.

Mondelez, a food manufacturing firm, was hit with a $100 million loss due to NotPetya. Unfortunately, their cyber insurance claims were rejected by Zurich American Insurance because the policy covered only “all risks of physical loss or damage” to property, not including “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” The insurance provider added that their insurance doesn’t cover hostile and ‘warlike’ cyberattacks. NotPetya, according to Zurich American Insurance, is a warlike action by a “government or sovereign power.”

Where does that leave businesses?

The technical aspects of cybersecurity are changing rapidly, and that is not the only reason why insurance companies are hesitant to pay for cybersecurity claims. 

Why do insurance companies avoid covering cybersecurity risks?

  • Increased Cases

With the start of the COVID-19 pandemic, most enterprises embraced a remote work culture transformation, which has accelerated over time. Although this may have been practical for businesses, it puts them in the firing line of cybersecurity attacks. The WEF states that cyberattacks are the second most hazardous factor for conducting business worldwide in the next ten years. Obviously, these statistics are worrisome to an insurance firm. High-profile cyberattacks typically cost businesses millions of dollars, which is too hazardous to insure.

  • Cyber Insurance is Still a Luxury

Many businesses are still struggling with the economic stress caused by the worldwide pandemic’s devastating waves, and cyber insurance is a luxury they cannot afford. The growing number of cyber threats has also led to a surge in insurance costs beyond what businesses can afford.

  • The Idea of Cyber Insurance Remains in Its Infancy

Unlike other workplace liability risks such as safety and property damage, the parameters of cybersecurity attacks are constantly changing. The cyberattacks that occurred in 2021 were much more severe and unique than those in 2017. As a result, insurance companies find it difficult to constantly renew their clauses and parameters to match the expectations around rapidly evolving cyber insurance coverage. This opens the door to more grey areas, which in turn create more opportunities for loopholes.

  • Less Money in the Market

Most businesses and insurers cannot find a correlation between the exposure and the cost of signing up for cyber insurance. Usually, these two parameters must be proportionate so that insurers can cover an attack while collecting premiums from others. However, a recent report from Harvard Business Review suggests that around 250 companies are covered for cyber insurance worth $200 million, while the global cyber insurance premium is only roughly $1.1 billion. This implies that about five insured losses can wipe out an entire year’s premium.

Imagine how much time the insurers would take to make up for these payments.

What Should Businesses Do?

Having vehicle insurance doesn’t mean you can drive as you please; you still have to watch your driving. The same goes for cybersecurity; companies covered by cyber insurance get a support system when an attack happens. However, that doesn’t mean they can take the coverage for granted.

In this case, depending on a professional cybersecurity firm may make all the difference since they frequently defend organizations from cyberattacks and incidents. It’s always advisable for businesses to conduct a cybersecurity maturity assessment to keep up with the ever-changing cybersecurity environment. They can also perform penetration testing regularly, in which a certified cybersecurity team attacks the system to identify and repair any vulnerabilities.

There is a common misconception that cybersecurity risks are already covered in business liability insurance. The ever-changing nature of cybersecurity dangers and attacks makes it tough for insurance companies to put them into conventional insurance coverage packages. Whether or not a business has cyber insurance is irrelevant; we must all work to avoid future cyberattacks, and penetration testing for prevention should be considered.