At a time of sharply increasing internet-borne attacks on the IT infrastructure of companies, public institutions and even private users, many experts recommend that companies make sure to take out sufficient insurance protection against cyber threats in good time.
Putting this into practice is not that easy, however, because the insurers' risk appetite, i.e. their willingness to accept new customers into their insurance coverage, has recently decreased considerably. The combination of several years in which insurance companies sold their policies with virtually no upstream risk analysis and a drastic increase in the number of attacks and threat scenarios has led the insurance industry to sound the alarm: in the cyber insurance segment it sees itself exposed to risks that threaten its very existence.
How are insurers responding to current cyberwar and state-sponsored hacking attacks?
The insurance industry is responding to this situation with new model clauses designed to significantly limit the scope of insured risks.
At the end of 2021, Lloyd's of London presented four new model clauses recommended to insurers for inclusion in their cyber insurance policies, in particular to exclude losses from cyberwar activities from the insured risk (LMA21-042-PD (lmalloyds.com)). Many of the "war clauses" used until then still dated back to the time before the Second World War and were geared towards warlike situations involving the use of physical force.
In the USA, the New Jersey Superior Court ruled in December 2021 that the usual war exclusions should not apply to digital attacks (Cyber Risks and Business Interruption Insurance - Merck and International Indemnity v ACE (et al.) - The 36 Group). However, the example of Ukraine currently shows that in today's cyber reality, attackers can paralyse an entire state apparatus, at least digitally, without a single soldier having to enter foreign territory. Microsoft has found that the malware used there encrypts the attacked hard disks like classic ransomware, but that it lacks the ransom mechanism of ransomware, which in turn points to sabotage rather than financially motivated attacks (Malware attacks targeting Ukraine government - Microsoft On the Issues).
The insurance industry's argument for excluding liability in the case of warlike or state aggression is that such accumulation losses, in which many individual loss events add up to enormous sums, are not sustainable for the private insurance industry (cf. Risk from cyber attacks: "Losses that a private insurer cannot bear" - DER SPIEGEL).
What do the new model clauses for cyber insurance contain?
The four new model clauses for cyber insurance are designed to integrate modern cyberwar activities into the exclusion of liability for warlike activities.
The four model clauses differ in the severity with which they formulate the insurer's exclusion of liability. Common to all clauses is the assumption that not only warlike activities, but any state-sponsored or state-protected attack on IT infrastructures, as a so-called cyber operation, will lead to the exclusion of the insurer's liability.
Apart from cases such as the current one in Ukraine, in which the attacked government officially confirms that it has become the target of foreign state cyber operations, the model clauses would entitle the insurers themselves to establish that there are objective indications of a state attack. The insurers are even to be given the right to suspend compensation payments as long as the allegedly attacked government has not yet designated the attack as an act of war, provided the insurer has objective evidence of a state-sponsored background to the attack. Depending on the severity of the clause, the attack does not even need to target critical infrastructure in the target country for the insurer to be entitled to withhold compensation payments on the grounds of a belligerent cyber operation.
How are the model clause variants to be evaluated in practice?
Where the more customer-friendly model clause variants are applied, however, it will probably be difficult in practice for the insurer to meet the exclusion criteria formulated there, under which either state involvement or significant effects on the critical infrastructure of the target country must be proven. Even in the case of the largest known attacks of recent years, such as "SolarWinds" or "WannaCry", these criteria would probably not have been met.
What can be excluded from cyber insurance cover?
It is not only the exclusion of liability for state or warlike cyber activities that makes it difficult for companies to obtain reassuring insurance cover, but also the fact that more and more insurance companies are moving to exclude compensation for paid ransom demands from their cover (e.g. Axa and Generali France, cf. https://www.inside-it.ch/kriminelle-verkaufen-kundenlisten-von-cyberversicherungen). Even though all experts advise companies against paying ransoms so as not to make themselves vulnerable to further blackmail, and weighty voices in the literature even consider paying a ransom to constitute criminal support for criminal activities, many companies still want to keep this option open without forgoing the corresponding insurance cover.
In addition, cyber insurance policies often exclude from cover, at least in part, the sometimes considerable damages that arise when the attacked company fails to deliver the supplies its customers' supply chains depend on. This applies in particular when the attack was obviously aimed at a certain state or state institutions, but other states and software users are also affected as bystanders. In any case, many insurance companies exclude the so-called recovery costs from the scope of their liability to pay compensation. These are costs which go beyond the mere defence against the attack, such as the cost of cleaning up, restoring data from backups or rebooting the infrastructure.
What should companies look out for when taking out cyber insurance?
When negotiating cyber insurance, well-advised companies not only make sure to accept as few of the above-mentioned exclusion clauses as possible, but also take active measures to reduce their cyber damage risk, thereby improving their chances of receiving an offer for cyber insurance at all, and of receiving one at attractive conditions.
In some cases, the insurance companies also make the conclusion of an insurance contract conditional on the company answering extensive questionnaires designed to determine its existing risk potential. These questionnaires are so extensive and so geared towards preventing any recognisable risk that medium-sized companies in particular reach their limits when answering them without external technical and legal expertise. The technical certifications required by the insurance companies, such as ISO 27010, are suitable for confirming the current state of security technology at the companies, but they too are only achievable with considerable financial and time resources.
Our practice tip
Companies that are seeking cyber insurance cover despite the decreasing willingness of insurance companies to sign such cover should therefore definitely do their homework in the area of data and IT security and bring their infrastructure up to the state of the art even before looking for an insurance policy.
With further documented preventive measures for improved crisis management, such as the establishment of a crisis manual or the regular implementation of emergency drills, insurance premiums can also often be significantly reduced.
If an insurance contract is concluded, it is important from the company's point of view to pay attention to fair clauses in the policy covering damage in the supply chain, full compensation for recovery costs and ransom payments, and, where necessary, to avoid liability exclusions in the insurance conditions (see also Red Alert for Microsoft Exchange Servers - Acute Need for Action - SKW Schwarz).