How to make cyberattacks more insurable

Improving coverage for virtual threats such as ransomware and supply chain attacks is one of the most pressing and thorny issues facing the insurance industry today. It has become even more urgent since the onset of the COVID-19 pandemic because the resulting changes in the way the world works and does business mean such incidents have become more frequent and varied in character. The costs of their potential harm have also grown exponentially, with the worst-case scenarios estimated to generate economic disruption running into billions of dollars. Re/insurance companies would not be able to absorb such losses on their own.

The Geneva Association is at the forefront of research that aims to improve the insurability of what it calls ‘Hostile Cyber Activity’ (HCA). These are malicious incidents that fall in the grey area between cyber terrorism and cyber warfare. 

This lack of language precision was highlighted in December 2021, when a court in New Jersey, USA ruled that the insurers of Merck & Co. Inc could not rely on the standard ‘hostile/warlike action’ exclusion to avoid paying out on a USD 1.4 billion property damage claim resulting from the NotPetya cyberattack, which was widely blamed on Russia. The New Jersey ruling said the exclusion in Merck’s policy only applied to ‘traditional warfare’.

The industry recognises that one essential step forward lies in making the language used in contracts to describe cyberattacks and to attribute responsibility much clearer. This will hopefully help avoid future disputes over the extent of insurance coverage.

Terminological ambiguity

"Traditional wordings and concepts [are seen as] inadequate, and we need innovation and experimentation to kind of freshen up the concepts in cyber insurance language," Jon Bateman, a fellow of the Carnegie Endowment’s Cyber Policy Initiative, said during a February webinar entitled ‘Cyber Terror and Cyber War: Strengthening insurability through clarity and partnerships’, organised by The Geneva Association.

Darren Pain, the Association’s Director of Cyber and Evolving Liability, noted that several recent cyberattacks “don't neatly fit into well-recognised definitions of cyber war or cyber terrorism.”

"We’ve seen incidents where nation-states are suspected of being behind an attack, or at least providing a safe harbour for the hackers, but not part of outright military conflict. Nor have those attacks been linked to political, ideological, or religious goals that are usually associated with terrorism, so there’s a little bit of a definitional gap that has opened up," he added.

The Geneva Association is promoting the term ‘HCA’ precisely to help bridge that gap and enhance insurance coverage of cyberattacks.

The Geneva Association’s HCA term "is not only advantageous to an individual carrier, but it also creates some international, industry-wide certainty in terms of the actual terminology that we are currently using," Rachel Anne Carter, Managing Director of Carter Insurance Innovations, explained during the webinar.

For Bateman, "it makes sense to think about how a collection of exclusions could work together, rather than trying to place all the weight on a war exclusion." He went on to propose a "trigger-agnostic, impact-based cyber catastrophe exclusion."

Spreading the risk

Given the potentially immense losses caused by future cyberattacks on infrastructure such as power grids, another top priority for re/insurers is devising ways to share the burden of billion- or even trillion-dollar claims through private-public partnerships. 

"There is limited cover available in the market for these peak losses," noted Christopher Wallace, CEO of the Australian Reinsurance Pool Corporation and President of the International Forum of Terrorism Risk (Re)Insurance Pools, during the webinar.

"Governments look at this issue differently to the insurance industry," Wallace added, explaining that various departments "all have different accountabilities and different objectives and I think that’s part of the challenge in how to get consensus on how to solve the problem."

With cyberattacks here to stay, cross-sector collaboration to solve this challenge will be key to providing sustainable solutions and increasing resilience to this growing threat.