Cyber insurance becomes a risk

Frankfurt, Munich. Cyber insurance has never been as valuable as it is today. As a result of the Ukraine war, the risk of state-orchestrated hacker attacks has once again increased significantly. However, the new risk situation exacerbates a problem that was already causing a lot of trouble before the Russian attack on its smaller neighboring country: for many companies, cyber risks are hardly insurable anymore.

Conversely, insurers fear high losses from policies that have already been taken out. In this situation, disputes between the insurance companies and their customers seem all but pre-programmed.

There are three reasons for this finding. First, it is often unclear whether and to what extent conventional property or liability policies also cover cyber risks. Second, insurers could try to invoke clauses that exclude damage caused by acts of war. And third, there are growing doubts as to whether insurers will pay for ransom demands from hackers when the beneficiaries potentially fall under Western sanctions.

Just a few years ago, cyber insurance was considered the next big megatrend that was supposed to flush billions in premium income into insurers’ coffers. At the latest with the Ukraine war, the supposedly lucrative business has turned into an incalculable risk – for the corporations and their customers. Industrial insurer AGCS recently identified cyber incidents as the biggest business risk for companies worldwide this year for the first time. Nowhere else is the risk of business interruption greater.


Hacker attacks are now the most feared cause of business interruption for companies, brokers, trade associations and experts. According to a survey by the insurer Axa, risk experts rank cyber attacks as one of the biggest risk factors for the next five to ten years, alongside climate change. The threat situation has intensified again due to the war in Ukraine.

The Federal Office for Information Security has been warning for weeks of an abstractly higher level of danger and specifically of attacks on critical infrastructure. The rating agency Fitch fears that there will be increased hacker attacks, which could also affect companies and authorities that are not normally among the primary targets of cyber attacks. And the rating agency Moody’s assumes that similar to earlier attacks with malware, organizations could also be affected that were not the actual target. This could lead to high claims for damages from cyber insurers.

Losses for insurers

A number of insurers had already had to cope with losses in the cyber business when, with the outbreak of the corona crisis two years ago, the employees of many companies switched to home office and the digital infrastructure suddenly revealed weaknesses. “Some insurers have had claims ratios of over 100 percent in the cyber area in recent years,” says Johannes Behrends of insurance broker Marsh. This means that the payments made by the corporations to compensate for damage exceeded the premium income.

The consequences for customers were massive increases in premiums and high deductibles, provided they still have insurance coverage at all. Behrends observes that medium-sized companies in particular often no longer receive suitable offers because their information security is in need of improvement. More protection is urgently needed here. According to a Gothaer survey, just 16 percent of medium-sized companies have cyber insurance.

Experts have been observing cyber damage at record levels since the beginning of the year. This drives up the cost of insurance even further. Behrends gives the following rule of thumb for standard cover, which usually amounts to 25 million euros: “A few years ago, a medium-sized company with a turnover of around one billion euros could buy such cover for a premium of around 125,000 euros. Today, companies pay up to 500,000 euros a year.”

This trend is likely to intensify with the outbreak of the Ukraine conflict. Last year, prices in Germany rose by an average of 40 percent. In the upper mid-sized segment, there were even isolated premium increases of 300 percent in 2021. “This year, too, we expect premium increases of a similar magnitude,” says Behrends.

Incalculable risks

One problem that makes it so difficult for insurers to calculate cyber risks is known in the industry as “silent cyber”. The expensive consequences of hacker attacks can also be covered by conventional property or liability policies, because many policies were taken out when major damage from hacker attacks was not to be expected. If, for example, a cooling system fails due to a cyber attack and this causes a fire, the insurer could have to pay for the damage because the fire is covered by classic building protection insurance.

For the insurers, this means that the premiums do not reflect the impending high costs of hacker attacks. For this reason, the corporations have to review the existing contracts with each new risk situation to see whether the conditions cover newly emerging risks. Otherwise, rework must be done to avoid disputes. “This process is complex and expensive for the industry, and an adjustment to the policy usually leads to higher premiums for customers,” says expert Behrends.

Are war damages insured?

In addition, unlike with the hacker attacks at the beginning of the corona pandemic, the Ukraine crisis raises the question of whether damage caused by Russian hackers is insured at all, because cyber policies usually contain clauses that exclude compensation for damage caused by war or war-like events.

However, the formulations in the insurance conditions are very different. It is also questionable whether these exclusions apply to insured persons outside the actual war zone in Ukraine. After all, Germany is not at war with Russia. “The question of possible compensation cannot be answered in one direction,” says Edgar Puls, head of the industrial division at insurer Talanx.

Controversies between insurers and customers therefore appear inevitable, because the simple equation according to which every hacker attack from Russia is linked to the war doesn’t work. Marcel Straub, claims expert at Insurtech Finlex, emphasizes that a war exclusion primarily refers to physical acts of war.

Insurers, on the other hand, are likely to view the Ukraine conflict as a hybrid war in which cyber attacks are just as much part of the war as physical attacks. According to the industry, some insurers are therefore checking whether the war exclusion clause applies in the Ukraine conflict. With such an interpretation, an attack by Russian hackers on German companies would not be insured.

Officially, the insurers practice diplomacy. The memories of legal disputes over business closure insurance during the pandemic are too fresh. Because there was a dispute between the groups and their customers, especially in the catering industry, about whether the closure of restaurants and hotels during the lockdown was covered by the policies or not, public court proceedings arose.

The industry wants to avoid this when it comes to cyber insurance. “With standard policies, there is already historical experience of what should be excluded and what was respected,” explains Michael Pickel, head of the German Hannover Re subsidiary E+S.

Paying ransoms could be difficult

Another problem is identifying the hackers. How can you tell if a cyberattack is state-directed or perpetrated by criminals who are primarily concerned with financial gain? In the second case, from a legal point of view, there is no targeted action by an attacking state. A hacker attack would therefore be treated as in peacetime, and the war exclusion clauses would not apply. Hackers generally don’t reveal their clients, Finlex expert Dennis Wrana points out. This usually makes it impossible to locate the actual origin of the attack.

The payment of ransoms could also cause disputes. Hacker groups often target companies and encrypt their data or systems. These are only released again after payment of a large sum. Cyber policies with a ransom payment component are widespread in the market. However, there are signs of change here too. In Germany, ransom demands are generally still insurable, but in France individual insurers have already turned their backs on it.

Should Russian hacker groups attack German companies, Finlex expert Wrana expects that insurers will not pay ransoms, because before paying they have to carry out a so-called sanctions and compliance check. If an insurer pays even though the attacker or the ultimate beneficiary of the ransom is on a Western sanctions list, the group and the insured company run the risk of being put on the sanctions list themselves.
