© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

Should the government contribute to the costs of cyber insurance? Experts are conflicted

The rising cost of incidents is pushing up the price of cyber insurance – and many organizations can no longer afford it. Some are proposing that governments should play a part.

Cybercrime is big business - indeed, according to Cybersecurity Ventures, if it were measured as a country, it would be the world’s third-largest economy after the US and China.

The security firm predicts that the cost of incidents globally will grow by 15% per year over the next three years, reaching $10.5 trillion USD annually by 2025 - more than three times as much as in 2015.

These costs include the damage and destruction of data, the theft of money, intellectual property and data, lost productivity, and post-attack disruption to the normal course of business, along with forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

And, says IBM, the average cost of a breach in the organizations it studied is now at an all-time high of $4.35 million, up 13% over the last two years.

As a result, the cost of cyber insurance premiums has rocketed too. According to broker Marsh, the price of cover in the US grew by 130% in the fourth quarter of 2021, and by 92% in the UK.

Current policies may be unsustainable

Many insurers are already placing restrictions on the sort of incidents they'll cover. Lloyd's of London, for example, recently announced that its policies would no longer cover losses from certain nation-state cyberattacks and those taking place during wars, whether declared or not.

Similarly, the largest US insurer, Chubb, has proposed a broad hacking exclusion, and Beazley now excludes catastrophic events.

Meanwhile, Mario Greco, chief executive at one of Europe’s biggest insurance companies, Zurich, recently told the FT that cyberattacks could become impossible to insure against.

"What will become uninsurable is going to be cyber. What if someone takes control of vital parts of our infrastructure, the consequences of that?" he said.

"There must be a perception that this is not just data... this is about civilization. These people can severely disrupt our lives."

The private insurance sector, he suggested, simply can't underwrite all the losses coming from cyberattacks. Instead, he said, governments should 'set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks'.

Similarly, John Coletti, head of cyber reinsurance at Swiss Re, recently told The Register that public-private collaboration would be needed to fund the cyber-insurance gap.

US proposals

It's an idea that's now being taken seriously in the US, where the Treasury Department recently embarked on an investigation into whether the government should be helping out the insurance industry by paying for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.

The assessment will examine 'the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response'.

There are, of course, dangers with this idea. The US Government Accountability Office (GAO) has warned that a federal cyber insurance program could create incentives for insurers or policyholders to take undue risks.

Such a program could also inhibit insurers from offering certain flexible policies, and there are also questions about what exactly would count as critical infrastructure.

However, it could also have advantages beyond the financial benefits to the organizations concerned. A national cyber insurance program could include certain security requirements - multifactor authentication, endpoint detection and response, identity and access management, ongoing training and the like. This would help raise the game for all organizations and make attacks less likely to occur in the first place.
