London insurance market Lloyd’s has indicated it will move to require its insurance groups to exclude “devastating” nation state cyber attacks from cyber insurance policies from 31 March 2023.
According to The Wall Street Journal, which previously reported the story, the change is believed to make the scope of cyber insurance policies clearer to buyers, and is being made because Lloyd’s believes the effect of state-backed attacks is a “systemic risk”.
The newspaper cited an August 16 notice written by Underwriting Director Tony Chowdhury. Chowdhury said Lloyd’s has been a strong supporter of cyber insurance, but such policies need to be managed appropriately, given the rapidly evolving nature of the threat landscape.
In particular, Chowdhury said, the ability of nation-backed threat actors to spread their attacks quickly and easily, and the significant reliance now placed on digital infrastructure, mean the damage that can happen has the potential to be much higher than the insurance “market is able to absorb”.
Lloyd’s move reflects a growing trend among cyber insurers to tighten the terms and conditions of their policies. Speaking to Computer Weekly in early 2022, Heidi Shay, a principal analyst at Forrester, described a “market hardening” that saw insurer AXA France suspend reimbursement for ransomware payments, among other things.
In the same article, Simon Gilbert of insurance brokerage Elmore commented: “The major trend we have observed over the past 12 months is the reduction in the extent of indemnity – the maximum amount an insurer can pay under a policy – and the increasing Cyber insurance affects the cyber insurance portfolio of almost every insurer due to the loss of ransomware.”
As recent research by risk management specialist Huntsman Security revealed, these changes further accentuate concerns that organizations are finding it difficult to obtain appropriate cyber insurance coverage.
The firm’s CEO, Peter Woolcott, said there were several factors at play, including tighter regulatory controls, rising premiums, increasingly stringent underwriting, capacity constraints and coverage limits proposed by Lloyd’s.
He warned that by the end of 2023 the number of organizations that would not be able to afford cyber insurance, would end up with insufficient coverage, or be denied coverage altogether, could double.
“With this low insurance penetration coupled with cyber threats and tighter regulations, many organizations are losing out on cyber insurance as an important risk management tool,” Woolcott said. “Even those who can still get insurance are paying a prohibitively high cost.”
For these reasons, security leaders need to be clear that cyber insurance is only one of many levers they can pull, and should not be used to replace controls that should already be in place, said Tom Venables, practice director for cyber security at Turnkey Consulting.
“One can insure their car, but still follow the speed limit, wear a seatbelt and avoid drinking and driving,” he said. “In other words, despite being insured, they take additional preventive measures to ensure that the risk to the car is kept to a minimum.
“Applying this principle to cyber insurance, security professionals need to focus on understanding the risk to the organization. They need to know the information assets that need protection, how those assets can be vulnerable, and what controls are needed to reduce risk.
“The databases may all have up-to-date patching, but if one supports a business-critical application, such as controlling a production line, that may be more important in the event of a ransomware attack.”