Cyber-Attacks Set To Become ‘Uninsurable’, Warns Insurance Boss

Chief executive of Zurich Insurance warns that cyber-attacks, rather than natural disasters, will quickly become “uninsurable”

The days of organisations relying on insurance policies to pay out after suffering a cyber-attack may be coming to an end.

This is the stark assessment from Mario Greco, chief executive at insurer Zurich, one of Europe’s biggest insurance companies, speaking to the Financial Times.

Amid growing concern among industry executives about large-scale cyber-attacks, Greco warned that cyber-attacks, rather than natural catastrophes, will become “uninsurable”.

Uninsurable cyber-attacks

There is no doubt that the cyber threat landscape continues to grow, as insurance executives fret about the risks from pandemics and climate change, which test the insurance sector’s ability to provide suitable coverage.

For the second year in a row, natural catastrophe-related claims are expected to top $100bn, the FT reported.

But Zurich’s Mario Greco told the Financial Times that cyber was the risk to watch.

“What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

Focusing on the privacy risk to individuals from cyber-attacks was missing the bigger picture, Greco reportedly added: “First off, there must be a perception that this is not just data . . . this is about civilisation.”

“These people can severely disrupt our lives,” Greco reportedly said.

According to the FT, spiralling cyber losses in recent years have prompted emergency measures by the insurance sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients bear more of the losses.

There are exemptions written into policies for certain types of attacks, the Financial Times noted. In 2019 for example, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled.

Lloyd’s of London also defended its recent move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for nation-state cyber-attacks.

The Financial Times reported Greco as saying there was a limit to how much the private sector can absorb, in terms of underwriting all the losses coming from cyber attacks.

He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks”.

Don’t pay hackers!

Cyber-attacks have continued to plague multiple industries in recent years, some of which are doing little to prevent future attacks when they opt to pay hackers and criminal gangs (against the advice of security professionals) to unlock their ransomware-crippled systems or call off DDoS attacks.

Zurich’s Mario Greco praised the US government’s steps to discourage ransom payments. “If you curb the payment of ransoms, there will be fewer attacks,” he told the Financial Times.

The US in September called for views on whether a federal insurance response to cyber was warranted, which could be part of, or outside, its current public-private insurance programme for acts of terrorism.

Before the Ukraine war, and after a number of high profile cyber-attacks against US targets by Russian-linked hackers, President Joe Biden personally raised the cyber-attack issue with Vladimir Putin in June 2021, and warned him that certain critical US infrastructure was “off-limits” to cyber-attacks.

Indeed, President Biden warned Putin of ‘retaliation’ and an ‘aggressive response’ if Russia attacks a list of 16 ‘critical’ industries in America.

Then in July 2021 President Biden underscored how seriously the US was taking cyber-attacks, when he admitted they could cause a ‘real shooting war’ with a ‘major power’.

Ever since 2011, the United States has said it reserves the right to retaliate with military force against a cyber-attack from a hostile state.