Speaking to the Financial Times on December 26, 2022, Mario Greco, CEO of Zurich Insurance, warned that, just like natural catastrophes, cyber attacks will become uninsurable because the disruption caused by successful attacks multiplies and amplifies across interconnected systems.
The warning is dire and justified, but all too easy for businesses to misinterpret – to their peril.
The challenge of systemic events
At the root of Greco’s warning is the potentially cataclysmic nature of systemic events. In a cybersecurity context, a systemic event is a successful attack or system failure that creates widespread, cascading issues in business, financial, and/or political worlds. For example, if AWS were ever to be hacked and everything breached, or held for ransom, or taken offline, the damage would be incalculable, catastrophic for many businesses, and a severe strain that many institutions would be hard-pressed to absorb.
Fortunately, so far a takedown of AWS is hypothetical. However, very real systemic cybersecurity events, on smaller scales, are constantly impacting hospitals, supply chains, governments, energy pipelines, power grids, banks, and other businesses, institutions, and organizations that function as crucial components, or even as nexuses, of widespread systems that are critically important for everyday life.
As cyberattacks and the failures that can precipitate them continue to occur, their effects will become uninsurable. In Greco’s view, adverse systemic cybersecurity events could bring even greater danger to insurers than pandemics and climate change.
One reason that’s plausible is the lightning speed at which cyberattacks can sideline or even destroy key players or entire systems. With pandemics and climate change, we have more time to act on a developing systemic event. With a cybersecurity systemic event, the lights could go out system-wide, literally or figuratively, in an instant.
Another factor that can make cybersecurity events so catastrophic is our dependence on IT infrastructure for monitoring, collaborating on, understanding, and responding to any adverse systemic event. When those very systems are breached and potentially rendered unusable, our capacity for response can plummet.
“First off,” Greco said, “there must be a perception that this is not just data … this is about civilization.”
There’s clearly a limit to what the private sector can insure when underwriting losses from cyberattacks. It’s not a question of willingness or profitability. The potential losses are simply so great that it’s impossible for underwriters to construct ways of successfully distributing the risk or absorbing it.
What it means for your business
The insurance industry is struggling with these issues because insurers don’t yet know well enough how to define and parse risks in a way that is as comprehensive as realistically possible while still letting businesses understand what they’re covered for and what isn’t covered.
The context of ubiquitous cyberattacks will continue to highlight the consequences of underestimating, overlooking, or failing to adequately define and parse cyber risks. Insurers must find ways to better define, understand, and prepare for these risks. Part of this preparation will inevitably mean excluding systemic events from coverage or, as Chubb and Beazley are beginning to do, creating separate cover for systemic events.
But a “smaller” kind of cybersecurity risk can bring consequences to businesses that are just as catastrophic as a system-wide event: forgoing insurance on the mistaken idea that “nothing is really covered,” or that “they’ll just find a way to exclude an event.”
The fact is that only about ¼ of small businesses are insured against cyber events. And up to ⅓ of mid-sized businesses are without cyber insurance. Notwithstanding the sensible nature of Greco’s comments with respect to the uninsurability of systemic cyber events, it’s a message that can be easily misinterpreted by business owners who have not yet focused on the extreme cyber risks they’re exposed to, or on the coverage that is available to them.
Businesses that are still largely uninsured, and largely vulnerable from a cybersecurity standpoint, should understand that while systemic events may be uninsurable, most other adverse cyber events are insurable, and at an affordable cost if they follow best practices and put in place the relevant safeguards that their insurance provider can help them understand. The insurance industry needs to spend as much time explaining cyber insurance’s importance and effectiveness as it does talking about its limitations and challenges.
Strategic, forward-looking risk reduction for businesses
Cyber security insurance is a crucial component of most businesses’ insurance coverage. Just because systemic cyber events may be uninsurable does not, of course, mean that all cyber events are uninsurable. As you monitor and solidify your cyber practices and defenses, you put yourself in a position to obtain highly protective cyber security insurance at an affordable price.