Cover for 'cyber' attacks is risky, complex and people don't trust us, moan insurers
Tried not suing your customers when they make claims?
FIC 2020 EU companies aren't taking out insurance against attacks on online assets because the companies selling coverage aren't organised enough – while Brits are more likely to pay off ransomware crooks than others.
Insurance that pays out if your company gets hit by an online attack is a tricky subject. While it is an obvious business area for the insurance industry to move into, a panel discussion at France's Forum international de la cybersécurité last week heard there's not enough public information on the risks to insurers of offering cyberattack policies.
Edward Samsom of the European Insurance and Occupational Pensions Authority, an EU body set up by a so-called "committee of wise men"* to regulate insurance companies across the political bloc, observed that even dipping a toe into the world of ransomware and hackers was a risk in itself.
He said: "There is an operational risk from the insurer's perspective. From the security side, itself, an insurer is one of the most vulnerable companies, maybe, in the market when it comes to cybersecurity."
Speaking alongside Samsom was Frederic Rousseau of the French arm of insurance firm Hiscox, who, through a translator, bemoaned his industry's early "lack of consistency", revealing that "five or six years ago" potential customers "were faced with a market which didn't speak with one same voice". Potential customers, he argued, were less likely to pay for insurance products unless the EU market was able to explain precisely what it would and wouldn't pay out on.
Avoiding payouts through lawsuits
The "what is covered" argument was sharply highlighted by a number of high-profile court cases brought by insurance companies against their own customers, in efforts to evade paying out in the aftermath of cyber incidents.
Pascal Steichen of Luxembourg trade association Security Made in Luxembourg agreed: "I think that people are aware that this market is immature." But he said insurers lashing out against their own customers was putting off clients: "I don't think they're afraid of the [sort of] clause that says 'in any case the insurance will not pay'" after a cyber attack.
Part of that nervousness about honouring insurance policies is because insurers offering these products aren't sure how large their losses will be if they're claimed against. Christophe Madec of French insurance broker Besse said, in translation: "In liability insurance damages, we know the price of a liability [for] car insurance. For cyber, it's a little bit more vague."
Samsom nodded, chipping in to say that one of "the most important goals" for insurers ought to be having "a prudent calculation of the premium" as well as "prudent reserves" for large payouts: "I can imagine there might be some risks that are very hard to cover."
Other insurers have pondered whether they can squirm out of paying on policies by invoking clauses intended to rule out coverage if a war starts.
Later on, Rousseau observed: "British people would say it's more [important] to pay the ransom because you've got to pick your cause. If you can't deal with the subject in time, you won't be able to provide the sanctions which would be strong enough to counteract the benefit of insurance. Some other parts of the market would say 'No you should not pay the ransom'. Insurers have got different approaches."
Madec closed the discussion by shrugging: "It's true for any insurance matter; we've got to get more knowledgeable." ®
Bootnote
* A somewhat dated term for ad hoc expert groups in policy-making, as seen on the EIOPA website's about page: "The European Insurance and Occupational Pensions Authority (EIOPA) was established in consequence of the reforms to the structure of supervision of the financial sector in the European Union. The reform was initiated by the European Commission, following the recommendations of a committee of wise men, chaired by Mr [Jacques] de Larosière, and supported by the European Council and Parliament."
We imagine beards, robes and knobbly sticks played a large part in this process.