I wasn't expecting to write about cyber insurance so soon… but over Christmas 2022, headlines started appearing like "Cyber attacks set to become 'uninsurable', says Zurich chief".
Is this real?
Before we dive in and start looking at what was said - it's essential to add some context.
Zurich Had a Rough End of 2022
Zurich's US business had two costly losses at the end of 2022.
Back in 2015, Experian's network was hacked, and a large quantity of T-Mobile's customer data was stolen. As a result, T-Mobile incurred $17.3M in losses from class actions and regulatory probes.
Experian paid T-Mobile $10.75M towards the loss. And T-Mobile then attempted to claim the remaining $7.3M loss from Zurich's US insurance business. But Zurich refused to pay.
Zurich claimed the payment from Experian meant the loss was only $7.3M and below the $10M deductible on the cyber insurance policy.
In late November 2022, the Washington appeals court disagreed with Zurich's argument and required Zurich to settle the cyber insurance claim.
In 2017, a new variant of the Petya encrypting malware, NotPetya, was released using the leaked NSA EternalBlue exploit. While the primary target appeared to be Ukraine, NotPetya had a global impact, hitting companies including the snack maker Mondelez. Mondelez is the company behind snack brands like Oreo, Cadbury, and Milka - among many more.
Zurich refused to settle the claim, arguing the attack fell under the "act of war" exclusion. Mondelez sued for $100M, and the case was settled in November 2022 with confidential terms. While we don't know the exact details, this case almost certainly cost Zurich's US business significantly.
Cyber Insurance Contracts
At its heart, an insurance policy is simply a contract: an agreement to pay based on an event within the agreed terms. As with all losses, insurers learn from their mistakes, and future Zurich insurance policies will certainly be worded to prevent these types of losses.
Similarly, in September 2022 I wrote about the Director of Underwriting at Lloyds of London instructing syndicates on cyber insurance policies. Specifically, all cyber insurance policies must include "a suitable clause excluding liability for losses arising from any state-backed cyberattack".
This is part of the same issue.
So What Did the Zurich Chief Actually Say?
The original conversation took place with, and was reported by, the Financial Times. It's always worth returning to the source to get the most accurate information.
Some of the key quotes from the FT article include:
"What if someone takes control of vital parts of our infrastructure, the consequences of that?"
So... this isn't about people and businesses. It's about cyber insurance for infrastructure.
Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: "First off, there must be a perception that this is not just data… this is about civilisation. These people can severely disrupt our lives."
What is clear is this story isn't about the vast majority of businesses. It's about nation-states and strategic infrastructure.
As strategic national infrastructure has become private - cyber insurers have struggled to manage the risk.
One solution proposed by the Zurich chief is to share the risk with governments.
"[S]et up private-public schemes to handle systemic cyber risks that can't be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks".
So what has this got to do with everyday cyber insurance?
Erm... not much.
Assuming your business doesn't own and operate strategically essential parts of the national infrastructure, the fear-mongering headlines are... clickbait.
What's clear - however - is that actively managing the risk posed by cyber insurance policies is a central focus for the largest insurers. This is another signal that elevated premiums, larger deductibles, and more frequent exclusions are the new normal.
But it's always worth remembering that an insurance policy is a contract. If you can find someone to underwrite it, almost anything is insurable. Legs... teeth... even beards being stolen.
So, someone will always be willing to underwrite something as mundane as cybersecurity.