Cybersecurity insurance policies have been seen by CISOs as a last-resort safety net, but by 2023 that safety net will almost entirely be gone. Historically, losses incurred from downtime have been reimbursed as long as tech executives agree to a set of compliance standards and pay the monthly premium. The recent Lloyd’s of London decision, however, removes far more protection than tech execs realize.
Lloyd’s of London decision nearly ends cybersecurity insurance
The cost of a cyber attack is recouped partially or in full through compensation dictated by cyber insurance policies. Depending on the policy, it can cover expenses related to restoring brand reputation, data recovery, or even the experts who negotiate ransom payments.
When Lloyd’s of London Ltd. announced it will require its global network of insurer groups to exclude catastrophic state-backed attacks, tech executives missed the big story. CISOs have yet to fully understand that this decision will affect almost all of their existing policies, leaving them exposed to almost all remediation costs.
Act-of-war exclusions have existed for many years within the insurance industry—this is nothing new. But this is now being applied to cybersecurity due to the changing landscape of war, and one very important aspect: loss ratios.
Loss ratios are the ultimate decision-maker in this change, because insurance companies are aware that the majority of truly damaging attacks are at the nation-state level. By excluding nation-state threat actors from cybersecurity policies, insurance companies significantly lower their risk.
Incident Response (IR) companies, brought in by insurers, determine who pays for the loss. They will ask a few key questions: Did the insured party follow the policy requirements? Are they compliant? Where did the attack originate? And the kicker: who was at fault? Sometimes this is knowable, but many times it isn’t. Proving who is responsible is the most difficult part.
How can anyone prove an attack wasn’t nation-state based?
In a tweet, Rob Joyce, Director of Cybersecurity at the NSA, sums it up: “how can the NSA really be sure of the attribution? I mean anyone can throw Russian Malware!” It’s a funny meme-tweet, but a legitimate concern. Threat actors impersonate each other frequently. This is a well-known problem in the cyber community, and even when no nation-state threat actor was involved, establishing that could take years of investigation.
Insurance companies understand that cybersecurity companies can’t fully guarantee their work. As a result, insurers may feel they are being treated as the primary security remediation tool. But insurance companies aren’t security companies—and now they’re positioning themselves accordingly.
The end of cybersecurity insurance as we know it
The insurance and reinsurance marketplace, comprising 50+ leading insurance companies, 200 registered Lloyd’s brokers, and a global network of 4,000 local coverholders that bring business to the Lloyd’s market, will be affected. This will likely result in the end of cybersecurity insurance policies as we know them.
“In general, Lloyd’s of London not covering nation-state actors will introduce the possibility that anything from other countries will be classified as a nation-state attack due to their use of proxies to conduct operations,” said Craig Bowman, Sr. Director, Federal at VMware. “That will make the majority of attacks coming from outside of the US uninsurable, making cyber insurance pointless.”
Jacob Friedman is a Strategic Account Director at 3 Tree Tech in Portland. He enjoys researching new disruptive tech across the full stack and introducing it to tech execs across the United States.