Global Insurers Worry About Cyber Crime Exposure

By Leo Lewis in Tokyo & Don Weinland, Hong Kong

Loosely written policies and the relentless growth of digital crime and cyber-disasters mean insurers could already be covering significant volumes of cyber risk without realizing it, according to senior industry figures.

The warning, from a top executive at one of Japan’s “big three” non-life insurers, is echoed worldwide by others across the industry and reflects fears that years of punishing competition in the property and casualty market have produced an unknown – but potentially huge – vulnerability.

In response to soft business conditions, said Nigel Frudd, the chief strategy officer at Sompo International, insurers have relaxed the wordings on their policies, offering clients greater coverage without taking additional premiums.

Insurers are now worried that the relaxed terms could be interpreted to cover Internet attacks, such as the loss of data, or data held for ransom by hackers. Insurers’ exposure could be vast – about 80 percent of large companies suffer a cyber breach every year, and estimates for the total annual damage from cybercrime to the global economy range upwards of $400bn.

“Probably a lot of companies have written cyber risk within their existing terms and conditions without knowing it,” he said. AP Moller-Maersk, WPP, Reckitt Benckiser and FedEx stated that they were struggling to restore normal operations after the ransomware attack last week compromised hundreds of thousands of computers, industrial equipment, and other technology.

The industry is meanwhile awaiting definitive legal tests of how much cyber coverage has been inadvertently written. One illustration of the problem, say Sompo executives, would be where an insurer had sold coverage on materials stored in a warehouse whose control systems were connected to the internet and suffered an attack that resulted in a fire.

A potentially wide range of tests could emerge from WannaCry, a virulent strain of ransomware that has infected computers in more than 150 countries. Executives at global insurance groups expect a wave of cases connected to the cyber attack to test kidnap, ransom and extortion policies, most of which were not written to cover Internet attacks.

A handful of early decisions from courts in the US has sent mixed signals to insurers. In one case, Travelers Indemnity, an insurance company, asked a federal court in 2014 to rule that a general liability policy it sold to PF Chang did not cover a breach of customer data at the US Chinese restaurant chain.

It won that case but lost another similar suit. In response to this uncertainty, and in a signal that some have now acknowledged how exposed they may be, many companies have started to write exclusion clauses into policies noting that cyber attacks and other related risks are not covered.

“One of the key issues for businesses today is the gaps in traditional insurance cover that can leave companies exposed to the impact of cyber threats. There’s an urgent need for insurers to properly redefine terms of cover to meet the rapidly changing cyber threat environment,” said Jason Kelly, AIG’s head of liabilities and financial lines for greater China and Australasia.

Cyber insurance, which first emerged two decades ago, is a $2bn-plus market and is forecast by insurance credit ratings and information service AM Best to expand to $7.5bn by 2020. Having grown globally at 20-25 percent annually over the past three years, cyber insurance has been embraced by an industry ravenous for sources of growth.

Despite that eagerness, cyber insurance remains, say Sompo and others, under-developed as a market. Insurers have 100 years of data on automobile accidents, and more than that on many crimes, say experts on cyber security, but most incidents go unreported, and insurers lack data on the likelihood of a breach.

Growth may also be limited by questions including whether attacks that are proven to emanate from government-sponsored hackers count as acts of war and are therefore exempt from many policies.

Bryce Boland, chief technology officer for Apac at the cyber security group FireEye, said that the insurance industry, along with the rest of the business world, was seeing the results of a global cyber arms race in which dozens of countries have the ability to carry out advanced cyber attacks.

“Cyber insurance policies often include exclusions for incidents that are acts of war. This makes the attribution of cyber attacks extremely critical. Who decides who is behind these attacks?” said Mr Boland.

Published on Jul 09, 2017 [Vol 18, No 898]


