1/24/24, 3:55 PM
The corporate world is losing its grip on cyber risk
Keep reading the FT for free
Register now and enjoy any 3 articles for free
every month.
REGISTER FOR
FREE
Opinion Cyber Security
The corporate world is losing its grip on cyber risk
Reasonably priced cyber insurance that also improves resilience seems still
beyond our reach
HELEN THOMAS
4:10
Already this year, the UK has suffered attacks on the Royal Mail, the Guardian newspaper and retailer JD Sports © Tolga
Akmen/EPA-EFE
Helen Thomas FEBRUARY 1 2023
Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest -- delivered directly to your inbox.
Enter your email address
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
Sign up
1/4
1/24/24, 3:55 PM
The corporate world is losing its grip on cyber risk
The Lloyd's of London insurance market prides itself on being able to put a price on
anything — from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk
that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s
for capturing the Loch Ness monster.
But from the end of March, there will be something it won’t price: systemic cyber
risk, or the type of major, catastrophic disruption caused by state-backed cyber
warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts
of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed
cyber assaults can surpass traditional definitions of armed conflict and overspill
their sovereign target to hit global businesses. It caused an estimated $10bn in
damages and years of wrangling between companies like pharma group Merck and
snack maker Mondelez and their insurers.
4:10
But the move is prompting broader questions about the growing pains in this
corner of the insurance world. “Cyber insurance isn’t working anywhere at the
moment as a public good for society,” says Ciaran Martin, former head of the UK
National Cyber Security Centre, now at the Blavatnik School for Government. “It
has a huge role to play in improving defences in a market-based economy and it
has been a huge disappointment in that sense so far.”
The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage.
Whether it succeeds is another matter: this is a murky world, where cyber crime
groups operate with impunity in certain jurisdictions. Ransomware group Conti
last year seemingly switched focus, declaring its support for the Russian
government after the invasion of Ukraine. Attribution is fraught: governments
point fingers for geopolitical reasons, not commercial ones. If the intention is to
exclude rare, catastrophic events, better to have an independent body that declares
and categorises cyber events, argues Graeme Newman, head of CFC Underwriting.
This focus on systemic risk is slightly odd. The cyber insurance world has been
rocked not by cyberwarfare in recent years but by ransomware and cyber extortion
attacks. Payments identified as received by ransomware attackers more than
quadrupled in 2020 on the year before, according to Chainalysis, and stayed there
in 2021. Cyber insurance pricing by the back end of 2021 had doubled compared to
the previous year, according to broker Marsh, and was still up 50 per cent again in
the third quarter of last year.
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
2/4
1/24/24, 3:55 PM
The corporate world is losing its grip on cyber risk
Payments fell last year, in part because the Ukraine conflict may have disrupted
cybergangs in the region. Victims may also be less willing to pay up, given the vast
costs of repairing or rebuilding systems required in the aftermath of an attack. But
this may not last: already this year, the UK has suffered high-profile attacks on the
Guardian newspaper, the Royal Mail and retailer JD Sports.
The spiralling cost of claims has meant more restrictions on coverage, according to
the US Government Accountability Office: limits on how much can be claimed for
cyber incidents dropped sharply in 2021. The risk is that boards, with limited
expertise, may not be getting the cover they think, especially since advisers report
carve outs for common threats like fraud from compromised business email
accounts. Insurers, belatedly, also tightened up security requirements when
underwriting.
4:10
The industry, tetchy about suggestions that cyber may prove uninsurable, concedes
a lack of data about a threat that is, in any case, constantly changing. The Bank of
England last month issued a warning about “immature” risk management. Limited
take-up doesn’t help: Aviva found only a quarter of UK businesses have cover and
that, if anything, cyber risk was slipping down the list of board priorities.
With both the US and UK considering a government backstop for systemic risks,
the blurring of private and public responsibilities could force reform. Passing cyber
risk to governments would have to mean tougher minimum standards for
corporate resilience (which are probably merited anyway). Transparency about
attacks and improved data-sharing could also help. Ultimately, countries need a
national debate on cyber risk, of the type under way in Australia since last year’s
Medibank breach seized the health data of nearly 10mn customers. Preferably
without a major attack first.
The ambition is a reasonably priced, well-understood form of cyber insurance that
also improves resilience and reduces costs for society. At the moment, it’s not
obvious that we’re getting closer to that goal.
helen.thomas@ft.com
Copyright The Financial Times Limited 2024. All rights reserved.
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
3/4
1/24/24, 3:55 PM
The corporate world is losing its grip on cyber risk
4:10
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
4/4