Global Insurers Worry About Cyber Crime Exposure

By Leo Lewis in Tokyo & Don Weinland, Hong Kong

Loosely written policies and the relentless growth of digital crime and cyber-disasters mean insurers could already be covering significant volumes of cyber risk without realizing it, according to senior industry figures.

The warning, from a top executive at one of Japan’s “big three” non-life insurers, is echoed worldwide by others across the industry and reflects fears that years of punishing competition in the property and casualty market have produced an unknown – but potentially huge – vulnerability.

In response to soft business conditions, said Nigel Frudd, the chief strategy officer at Sompo International, insurers have relaxed the wordings on their policies, offering clients greater coverage without taking additional premiums.

Insurers are now worried that the relaxed terms could be interpreted to cover Internet attacks, such as the loss of data, or data held for ransom by hackers. Insurers’ exposure could be vast – about 80 percent of large companies suffer a cyber breach every year, estimates for the total annual damage from cybercrime to the global economy range upwards of $400bn.

“Probably a lot of companies have written cyber risk within their existing terms and conditions without knowing it,” he said. AP Moller-Maersk, WPP, Reckitt Benckiser and FedEx stated that they were struggling to restore normal operations after the ransomware attack last week compromised hundreds of thousands of computers, industrial equipment, and other technology.

The industry is meanwhile awaiting definitive legal tests of how much cyber coverage has been inadvertently written. One illustration of the problem, say, Sompo executives, would be where an insurer had sold coverage on materials stored in a warehouse whose control systems were connected to the internet and suffered an attack that resulted in a fire.

A potentially wide range of tests could emerge from WannaCry, a virulent strain of ransomware that has infected computers in more than 150 countries. Executives at global insurance groups expect a wave of cases connected to the cyber attack to test kidnap, ransom and extortion policies, most of which were not written to cover Internet attacks.

A handful of early decisions from courts in the US has sent mixed signals to insurers. In one case, Travelers Indemnity, an insurance company, asked a federal court in 2014 to rule that a general liability policy it sold to PF Chang did not cover a breach of customer data at the US Chinese restaurant chain.

It won that case but lost another similar suit. In response to this uncertainty – and a signal that some have now acknowledged how exposed they may be, many companies are responding to the problem and have started to write exclusion clauses into policies noting that cyber attacks and other related risks are not covered.

“One of the key issues for businesses today is the gaps in traditional insurance cover that can leave companies exposed to the impact of cyber threats. There’s an urgent need for insurers to properly redefine terms of cover to meet the rapidly changing cyber threat environment,” said Jason Kelly, AIG’s head of liabilities and financial lines for greater China and Australasia.

Cyber insurance, which first emerged two decades ago, is a $2bn-plus market and forecast by insurance credit ratings and information service AM Best to expand to $7.5bn by 2020. Having grown globally at 20-25 percent annually over the past three years, cyber insurance has been embraced by an industry ravenous for sources of growth.

Despite that eagerness cyber insurance remains, say Sompo and others, under-developed as a market. Insurers have 100 years of data on automobile accidents, and more than that on many crimes, say experts on cyber security, but most incidents go unreported, and insurers lack data on the likelihood of a breach.

Growth may also be limited by questions including whether attacks that are proven to emanate from government-sponsored hackers count as acts of war and are therefore exempt from many policies.

Bryce Boland, chief technology officer for Apac at the cyber security group FireEye said that the insurance industry, along with the rest of the business world, was seeing the results of a global cyber arms race in which dozens of countries have the ability to carry out advanced cyber attacks.

“Cyber insurance policies often include exclusions for incidents that are acts of war. This makes the attribution of cyber attacks extremely critical. Who decides who is behind these attacks?” said Mr Boland.

Published on Jul 09,2017 [ Vol 18 ,No 898]



Political transformation is unavoidably rocky, if not delicate. It invo...


Oil transporters are up in arms over tariffs set by the Ministry of Tra...


The cosiness between the Ethiopian authorities and...


The National Bank of Ethiopia has recently made available its fourth-qu...


One hundred years ago today, at the 11th hour of the 11th day of the 11...


The Addis Abeba Transport Authority and Ride, a popular and an up-and-c...

View From Arada

The private sector is more efficient and customer-oriented than governm...


Editors Pick