In an interview with the Financial Times, Zurich CEO, Mario Greco, has warned that cyber attacks will become “uninsurable” as the disruption from hacks burgeon.
“What will become uninsurable is going to be cyber,” Greco said, “What if someone takes control of vital parts of our infrastructure, the consequences of that? There must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”
In recent years, cyber losses have prompted underwriters to limit their exposure, with some insurers raising prices and tweaking policies.
Last month, Zurich reached a settlement with multinational food and beverage company Mondelez International to close a $100 million lawsuit against the insurer for refusing to pay out on cyber claims related to the 2017 NotPetya attack.
Zurich had denied claims from Mondelez on the grounds that the NotPetya attack, which initially targeted Ukrainian organisations, had been a state-sponsored attack by Russia and therefore fell under its act of war exemptions.
In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.
At the time, a senior Lloyd’s executive said the move was “responsible” and preferable to waiting until “after everything has gone wrong.”
However, the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally arduous.
Cyber experts have also warned that rising prices and bigger exceptions could put off people buying any protection.
Greco states that there is a limit to how much the private sector can absorb, in terms of underwriting all the losses coming from cyber attacks. He called on governments to set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.
In the interview, Greco also praised the US government’s steps to discourage ransom payments, stating, “If you curb the payment of ransoms, there will be fewer attacks.”
The US government recently called for views on whether a federal insurance response to cyber was warranted, which could be part of its current public-private insurance programme for acts of terrorism.
A report from the US Government Accountability Office in June highlighted the potential of cyber incidents to “spill over” to other linked firms.
It said examples such as the Colonial Pipeline hack, which created temporary gasoline shortages in the south-east US, demonstrated “the possibility that a single cyber incident could ripple across the critical infrastructure with catastrophic consequences”.
At the time, Christian Mumenthaler, Swiss Re CEO, noted that these kinds of sophisticated cyber attacks are “increasing constantly,” adding that “critical infrastructure is a problem.”
As the cyber risk pool continues to expand, only time will tell whether the re/insurance industry and the governments can can keep up.