Cyber insurers cautioned about state-sponsored cyberattacks

State-sponsored cyberattacks may present challenges for cyber insurers, a DBRS Morningstar report warns, because courts may not agree with insurers that state actors are responsible, thus triggering cyber policy war exclusions.

“Cyber insurance demand is…being fueled by rising geopolitical tensions and the proliferation of state-proxy attacks that can be misidentified as common criminal activity and covered under existing policies,” the report says. “Cyber can potentially become a catastrophic loss for the insurance industry, given how criminal and state-sponsored attackers can exploit vulnerabilities across global networks.

The report cites the example of the 2017 NotPetya attack. At that time, suspected Russian agents deployed a destructive malware that wiped thousands of computers and servers around the world, causing total losses of more than $10 billion, per U.S. government estimates.

“Some of the losses were insured, and many claims ended up in costly litigation because of the suspected participation of state-sponsored agents, which insurance companies argued constituted an act of war, typically excluded from cyber insurance policies,” the reports says.

In other news: Are home insurers properly overseeing independent adjusters? FSRA report

However, state actors typically do not acknowledge involvement in or responsibility for cyberattacks, making it complicated to prove their influence in courts.

“Even in cases where a state actor is strongly suspected of having caused a cyber incident, legal courts might not side with insurers,” DBRS Morningstar says.

“The worst-case scenario for the insurance industry is a sophisticated cyber-attack that compromises the digital infrastructure of several sectors at the same time. In such a situation, cyber-insured losses can accumulate quickly across several insurers and reinsurers, weakening their financial strength.”

Since the NotPetya attack, the report says, insurers and reinsurers, including Lloyd’s of London, have tightened their policies to better exclude cyber losses resulting from war — whether declared or not — or hostile acts, particularly in the wake of increasing geopolitical tensions. And some insurers will cap their cyber exposure at a percentage of their available capacity.

Regulators around the world are concerned about the damage caused by cyberattacks, and are stepping up their requirements that businesses defend themselves. The cost required to protect their systems is causing companies to increase their cyber insurance spend.

Which is why DBRS Morningstar sees global cyber premiums and sales increasing exponentially over the next six years.

“The global cyber insurance market will increase to around $29 billion in gross premiums written by 2027,” the report says. “We expect premiums to reach almost $40 billion by the end of the decade.”

Feature image courtesy of iStock.com/WhataWin