Cyber Insurers Turn Attention to Catastrophic Hacks

Recent significant hacks yielded valuable data allowing carriers to determine what to demand from policyholders about their minimum defenses against hackers, and informed insurers on how to price the risk they cover, insurers and analysts said.

Still, the biggest risk hasn’t yet materialized: a cyberattack against a company or information services system so important to an economy, or to society as a whole, that it reaches systemic levels. One so big, perhaps, it might take down carriers.

“I think it’s important we stress that the insurance industry has not had a catastrophic event,” said John Coletti, head of cyber reinsurance at Swiss Re.

Major incidents such as the NotPetya virus in 2017, attacks against critical infrastructure providers including Colonial Pipeline Co. in 2021, and vulnerabilities in commonly used software such as Microsoft Corp.’s Exchange product have raised alarms and tested coverage limits, Mr. Coletti said. But none have metastasized into an existential threat.

Insurers model such attacks for their potential contagion. An attack against a large logistics supplier, for instance, may have a significant but confined impact, such as system outages that disrupt some supply chains or temporarily halt services to customers. That happened during a cyberattack on managed services provider Kaseya Ltd. in 2021 that left hundreds of clients suffering outages or infected by ransomware. 

An attack on a key part of the financial system’s plumbing, however, or against a major cloud provider that powers critical infrastructure operators, could trigger financially devastating claims.

Such scenarios have insurers concerned and some are beginning to limit coverage as a result.

“We’re seeing them go so far as to name specific cloud providers, and stating that they’re not going to fully cover an event if there is a partial or full interruption of that cloud provider’s services,” said John Farley, managing director of the cyber liability practice at Arthur J. Gallagher & Co.’s U.S. insurance brokerage business. 

In August, global insurance marketplace Lloyd’s of London Ltd. directed its syndicates to adopt policy language excluding catastrophic cyberattacks by nation-states. Patrick Tiernan, chief of markets at Lloyd’s, said coverage restrictions are natural in relatively immature insurance classes such as cyber, as the industry develops an understanding of its risks. 

By contrast, older forms of insurance, such as for shipping, have more extensive options because insurers have significant experience with potential problems and the size of claims they can expect.

“We have hundreds of years of history of understanding that risk,” Mr. Tiernan said. 

Part of the challenge for modeling cyber catastrophes is that historical data simply doesn’t exist to produce accurate models, Mr. Tiernan said. That forces Lloyd’s and insurers to estimate damage by resorting to simpler methods, such as adding up policy limits that would come into play in a specific scenario.

The use of simple models can lead to problems. For example, insurers could be forced to hold capital in reserve for worst-case scenarios, or they might cover only very specific cyber risks, requiring companies to take out multiple, expensive policies.

Although most major carriers are starting to tackle catastrophic cyber scenarios—Lloyd’s has, for instance, considered an outage at a major cloud provider, Mr. Tiernan said—the risk models they employ differ, and there is no industry standard to use as a benchmark. 

The variance extends even to basics such as whether insurers are examining ultrarare events, such as those that might happen every 500 years, or more regular ones, said Swiss Re’s Mr. Coletti. 

“These models are really important, and they do hold a lot of weight when it comes to the amount of capital that companies are willing to deploy,” he said. “We probably need to pay a little more attention to the assumptions that underpin them.” 

Write to James Rundle at [email protected]