How the industry’s lack of appetite to cover terrorism or nation state cyber warfare risks is hindering market growth
Russia’s invasion of Ukraine in February 2022 has highlighted the increasingly online aspect of modern conflicts, with wars now being fought in cyberspace as much as they are with boots on the ground.
The use of cyber warfare has come to the attention of terrorist groups too, leaving insurers facing a coverage gap that is not easy to fill.
Russian tanks rumbling into Ukraine were accompanied by a series of concerted cyber attacks designed to cripple the Ukrainian armed forces’ ability to communicate. State media outlets were also targeted.
In the days that followed, hacktivist group Anonymous declared cyberwar on Russia and launched its own cyber attacks, including one that brought the Belarusian rail network to a standstill.
The first days of the conflict have provided clear evidence of the rising cyber threat posed by terrorist or nation state groups.
For insurers, the issue is impossibly complex.
A problem too far?
Steve Coates, chief underwriting officer at Pool Re, said the insurance industry has long struggled with war risks.
“The fact remains that the damage to property that can be caused by nation states is of a scale that the insurance industry simply could not insure given the potential exposures,” he explained.
“The same can be said should a nation state provide a level of weaponry that would provide terrorist groups [with the ability] to cause the same level of damage.”
Pool Re provides cover for a terrorist cyber attack, but only for physical damage which has been caused remotely. It excludes ransomware attacks.
Coates added that the lack of understanding as to the scope of potential exposures in this field was making the industry reluctant to cover the wider costs of cyber terrorism.
That is not to say that the industry is not examining how it can structure future products, however.
Defining cyber risk
The biggest issue around cyber risks is defining exactly what this term covers - this problem is also applicable for definitions around the perpetrators of cyber attacks.
In January 2022, insurance industry think tank the Geneva Association produced a report on potential insurance solutions for what it termed hostile cyber activity (HCA).
The association said HCA sits somewhere between the existing notions of cyber terrorism and cyber war, as understood within an insurance context.
The intent of HCA, according to the Geneva Association, is to cause serious damage in or to another state, regardless of publicity or the possibility of causing terror. As such, it is different from cyber terrorism.
“Even though it tends to be perpetrated by, on behalf of, or with the financial or moral support or encouragement of nation states, HCA cannot be classed as an act of war as it is currently defined,” the report stated.
“On that basis, the term might help to distinguish between what is clearly insurable and what is not.”
Filling the gaps
The association’s report warned that there are real insurance gaps that need to be filled.
It read: “Recent, serious supply chain intrusions and ransomware incidents have underscored a long-standing issue for cyber insurers - how much protection can and should insurance provide when the perpetrators of such attacks are linked to nation states?
“Traditional policy exclusions for war or warlike incidents fail to adequately capture situations where nation states are suspected of being behind an attack, or at least providing a safe harbour for the hackers, especially if the motives for the attack are unclear.”
Issues of attribution and characterisation create significant contractual uncertainty for insurers too, noted the Geneva Association, which has only added to the recent tightening in cyber insurance market conditions.
Jamil Elbahou, chief executive and chief underwriting officer of MGA Connect Underwriting and founder and chairman of the Worldwide Broker Network, which has members in 140 countries, said the grey area is around intangible risks.
“The physical cyber risks are not a problem, although the limits remain quite small,” he said.
“For the wider cyber risks, one of the issues is that the current political violence and terrorism policies would need to be completely reworded if you were to look to wrap the non-physical cyber risks around or into the product.”
He believes it is likely that these types of extensions or policies will be provided in future, however, adding that these may well arrive “quicker than we expect”.
He continued: “There are significant levels of capacity in the market and that might see some underwriters looking at new areas of cover.
“However, it would be interesting to see what effect a softening of the market would have.”
Based on his experience as a political violence and terrorism underwriter, Elbahou said brokers and their clients do look for cyber coverage for terrorism risks, but at present, this is predominantly to cover physical damage to buildings or machinery.
David Heeney, terrorism underwriter at MGA Fiducia, added that there is still too much uncertainty around cyber risks.
“Cyber cover is not an issue where there is a clear approach,” he explained.
“There are Lloyd’s markets which are examining how they can look to include cyber cover in their terrorism products, but it is a complex problem and one where there are no easy answers.
“We have talked with our capacity providers about extensions around cyber attack from terrorist organisations.”
He added there was a desire, from some, to look at cyber extensions in an effort to differentiate their products from those of their rivals - but limitations remained.
Understanding the exposure
Coates said the problem for insurers was an inability to accurately understand the potential exposures that writing cyber cover for terrorism could create.
“At present, while nation states have the capabilities to launch major cyber attacks [that] have the potential to interfere with power grids or other infrastructure, we do not believe that capability has [also] been obtained by terrorist groups,” he explained.
“This sort of capability cannot be sourced from the dark web and, while terror groups may be increasingly looking at areas such as ransomware attacks, we do not see the potential for [the same] level of attack that can be carried out by nation states.
“For cyber risk involving terrorism, there needs to be an understanding of not only the scope of the policy, but how many of those policies will be affected and how they are connected.”
Charlie Hanbury, chief executive of MGA Samphire Risk, added that the insurance market has not been successful in filling gaps that technology has created in areas such as terrorism, kidnap and ransom.
“Technology has changed so many of what we would term the human risks,” he explained.
“We have seen a huge rise in cyber extortion rather than the traditional kidnap and ransom (K&R) and it is the same with what we would term stalking - it is now online rather than the perpetrator hiding in hedges.
“In the K&R market, insurers had been covering cyber by default suffered some heavy losses and then excluded the risks.
“Cyber has created large gaps in coverage for a range of risks, including terrorism, and the industry has not been good enough at creating the coverage to fill those gaps.”
Mind the gap
Hanbury said that the industry has the capability to respond to demand, but that there needed to be a new approach, which will require a move away from the traditional way policies are constructed.
The Geneva Association has hope that the insurance industry can find solutions to the rising threat of cyber terrorism – but it cannot do so alone.
“The insurance industry has come a long way in its understanding of cyber terrorism, HCA and cyber war and assessing how to insure such risk,” it said.
“To expand the limits of insurability, insurers need to be proactive in assessing feasible options for sharing cyber risks.
“Such collaborative efforts between insurers and governments will enable cyber protection gaps to be narrowed and ensure the full societal benefits of cyberspace can be realised.”