Insurance market Lloyd’s of London has said it will ask its insurance groups to exclude ‘catastrophic’ cyberattacks by nation states from cyber insurance policies from March 31, 2023.
According to The Wall Street Journal, which first reported the story, the change is meant to ensure the scope of cyber insurance policies is clear to buyers, and is being made because Lloyd’s believes the impact of state-sponsored attacks is a “systemic risk”.
The newspaper cited a notice of August 16 written by underwriting manager Tony Chaudhry. Chaudhry said Lloyd’s remained strongly supportive of cyber insurance, but such policies needed to be managed appropriately given the rapidly changing nature of the threat landscape.
Chaudhry said that, in particular, the ability of nation-state-backed threat actors to spread their attacks quickly and easily, and the critical dependencies that corporations now have on digital infrastructure, meant that the losses that could occur “have the potential to far exceed what the insurance market is capable of absorbing”.
Lloyd’s decision reflects a growing trend among cyber insurers to tighten the terms and conditions of their policies. Speaking to Computer Weekly earlier in 2022, Heidi Shey, principal analyst at Forrester, described a “hardening of the market” which has seen, among others, insurer AXA France suspend refunds for ransomware payments.
In the same article, Simon Gilbert of insurance brokerage Elmore commented: “The major trend we’ve seen over the last 12 months is a reduction in the limit of indemnity – the maximum amount an insurer will pay out under a policy – and an increase in the cost of cyber insurance due to ransomware losses affecting the cyber insurance portfolio of almost all insurers.”
The changes lend further weight to concerns that organizations are finding it increasingly difficult to secure appropriate cyber insurance cover, as recent research produced by risk management specialist Hunter Safety has shown.
Company CEO Peter Woollacott said there were a number of factors at play, including tighter regulatory controls, rising premiums, increasingly stringent underwriting, capacity constraints and coverage limits such as those offered by Lloyd’s.
He warned that the number of organizations that would be unable to afford cyber insurance, end up with insufficient coverage, or be denied coverage outright, could double by the end of 2023.
“With this reduced access to insurance, alongside increasing cyber threats and tougher regulations, many organizations are losing cyber insurance as an important risk management tool,” Woollacott said. “Even those who can still get insurance pay a prohibitive cost.”
For these reasons, security leaders need to be clear that cyber insurance is only one of many levers they can pull and should not be used to replace controls that should already be in place, said Tom Venables, practice director for applications and cybersecurity at Turnkey Consulting.
“Someone could insure their car, but still obey the speed limit, wear a seatbelt and avoid drunk driving,” he said. “In other words, although they are insured, they take extra preventive measures to ensure that the risk to the car is kept to a minimum.
“In applying this principle to cyber insurance, security professionals should focus on understanding the risk to the organization. They need to know what information assets need to be protected, how those assets may be vulnerable, and what controls are needed to reduce the risk.
“Databases may all have up-to-date patches, but if one supports a business-critical application, such as controlling a production line, it may be more critical in the event of an attack by ransomware.”