Insurance is complicated, to put it mildly. As new risks develop, insurance companies create coverage to protect businesses from those risks.
Data is incredibly important to insurance companies - they are, after all, in the business of being profitable (just like any for-profit company). They want to offer enough coverage at a low enough premium that business owners and individuals are tempted to buy it, but not so much coverage or such low premiums that they end up losing money. To know what works and what doesn’t, they need to acquire data from claims - and that means that new forms of coverage are subject to change very quickly.
Cybercrime insurance is a very new form of insurance. As such, some insurers have been modifying their policies to reflect what they’ve learned since beginning to offer cybercrime insurance. We’re going to look into some of those changes - and why they’ve occurred.
How Lloyd’s of London has changed their cybercrime insurance
Lloyd’s of London is an esteemed insurance institution that, through its various underwriters, handles billions of dollars worth of insurance. When the various underwriters at Lloyd’s make changes to their coverage, other insurers pay attention.
The main changes that Lloyd’s has encouraged its underwriters to make are twofold: the first is to limit the coverage offered by cybercrime insurance through the use of the war exclusion, and the second is to discourage its underwriters from providing cybercrime insurance at all.
The second point is easy enough to understand - Lloyd’s isn’t an insurance company, but rather a collective of insurers. The Lloyd’s collective is advising many of its members to stop offering cybercrime insurance coverage.
The first point can give us insight into why cybercrime coverage is risky for insurers. Lloyd’s has slashed coverage on state-sponsored attacks.
Coverage for acts of war is limited or non-existent under almost all insurance policies. War, after all, almost always leads to widespread, catastrophic damage - the type of damage that could quickly render an insurance company insolvent, and incapable of paying out claims.
State-sponsored attacks could, under some policy definitions, be considered “acts of war”. With that simple idea, policyholders can find themselves in the muck very quickly. Many cyber attacks are assumed to be linked to certain states, with Russia being a common antagonist. But the very nature of cyber attacks makes them incredibly difficult to trace, and it can be next to impossible to parse out which attacks are state-sponsored, which attacks are not, and which fall in a grey area between the two.
How bad are cyber attacks?
In the article we linked above, a security and risk analyst speculates that the changes are about reducing losses for Lloyd’s underwriters. The title of the article itself reflects the reality of the situation: insurers are being bombarded with cybercrime insurance claims.
These attacks happen in Canada, too - Canadian construction companies and trucking companies have recently been victims of cyber attacks. And the Canadian government takes privacy leaks extremely seriously, with failure to report privacy breaches leading to fines of up to $100,000.
All in all, cyber attacks and their consequences can be extremely serious, and it’s imperative that businesses of all stripes protect themselves.
How companies should respond to changes in cybercrime insurance
If you have cybercrime insurance, or you’re interested in getting cybercrime insurance, your first step should be to speak with your prospective insurer about the coverage. Ask what happens if the cybercriminals who attack your business are suspected to be linked with state actors. Get as clear a definition as you can about what they consider an act of war, and in which circumstances a cyber attack would not be covered.
Further, you should find ways to mitigate your risk of being targeted by a cyber attack, in addition to finding ways to reduce harm should a cyber attack occur. Insurers may even offer you a discount if you have security measures in place, as these measures reduce their risk of having to pay out a claim.
These strategies can include the use of two-factor authentication (2FA), managed detection and response (MDR), employee training, regular software updates, and robust security for your cloud services.
The strategies listed above, when used in conjunction, deter potential cybercriminals in much the same way that locked doors and burglar alarms deter would-be burglars. These solutions, and many others, are offered by our business.
We’re Constant C Technology Group. Contact us today; we’ll protect your business and your clients from cyber attacks.