The rising cost of incidents is pushing up the price of cyber insurance – and many organizations can no longer afford it. Some are proposing that governments should play a part.
Cybercrime is big business - indeed, according to Cybersecurity Ventures, if it were measured as a country, it would be the world’s third-largest economy after the US and China.
The firm predicts that the cost of incidents globally will grow by 15% per year over the next three years, reaching $10.5 trillion annually by 2025 - more than three times the 2015 figure.
These costs include the damage and destruction of data, the theft of money, intellectual property and data, lost productivity, and post-attack disruption to the normal course of business, along with forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
And, says IBM, the average cost of a breach in the organizations it studied is now at an all-time high of $4.35 million, up 13% over the last two years.
As a result, the cost of cyber insurance premiums has rocketed too. According to broker Marsh, the price of cover in the US grew by 130% in the fourth quarter of 2021, and by 92% in the UK.
Current policies may be unsustainable
Many insurers are already placing restrictions on the sort of incidents they'll cover. Lloyd's of London, for example, recently announced that its policies would no longer cover losses from certain nation-state cyberattacks and those taking place during wars, whether declared or not.
Similarly, the largest US insurer, Chubb, has proposed a broad hacking exclusion, and Beazley now excludes catastrophic events.
Meanwhile, Mario Greco, chief executive at one of Europe’s biggest insurance companies, Zurich, recently told the FT that cyberattacks could become impossible to insure against.
"What will become uninsurable is going to be cyber. What if someone takes control of vital parts of our infrastructure, the consequences of that?" he said.
"There must be a perception that this is not just data... this is about civilization. These people can severely disrupt our lives."
The private insurance sector, he suggested, simply can't underwrite all the losses coming from cyberattacks. Instead, he said, governments should 'set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks'.
Similarly, John Coletti, head of cyber reinsurance at Swiss Re, recently told The Register that public-private collaboration would be needed to fund the cyber-insurance gap.
It's an idea that's now being taken seriously in the US, where the Treasury Department recently embarked on an investigation into whether the government should be helping out the insurance industry by paying for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.
The assessment will examine 'the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response'.
There are, of course, risks in this idea. The US Government Accountability Office (GAO) has warned that a federal cyber insurance program could create incentives for insurers or policyholders to take undue risks, since part of the loss would be shifted onto the government.
Such a program could also inhibit insurers from offering certain flexible policies, and there are also questions about what exactly would count as critical infrastructure.
However, it could also have advantages beyond the financial benefits to the organizations concerned. A national cyber insurance program could include certain security requirements - multifactor authentication, endpoint detection and response, identity and access management, ongoing training and the like. This would help raise the game for all organizations and make attacks less likely to occur in the first place.