The Evolutionary Promise of Cyber Insurance

By Daniel Woods | February 1, 2022

In recent months, cyber insurance has found itself in the headlines for arguably the wrong reasons. Lloyd’s of London reportedly discouraged certain syndicates from offering cyber insurance because of mounting losses, and then later published contractual language that can be used to exclude coverage for cyber war and even “cyber operations.” Many information security (InfoSec) practitioners interpret these news stories as the death of an industry. They argue that finance professionals waded into a technical problem that they did not understand and got burnt by the reality of cybersecurity, so it was inevitable that insurers would either stop offering coverage or invoke exclusions to avoid paying out on any claims.

This story has elements of truth, but it also reflects a folkish and naive understanding of the cyber insurance market. I argue that the industry’s pain is evidence of the fundamental value of insurance—it pays out when policyholders suffer harm—and that, over time, this dynamic will push the ignorant cyber insurers out of the market. But to understand how so many insurers offered cyber coverage without understanding the underlying risk, it is important to go back to the beginnings.

Various forms of technology insurance have existed going back to the 1970s. However, it is illustrative to turn to a cyber insurance policy offered by AIG in 2000, long before cyber-attacks dominated headlines. Without any historical loss data, the underwriters made assumptions about how business interruptions caused by Distributed Denial of Service (DDoS) attacks compared to well-understood disruptions caused by fire. The Chief Operating Officer later admitted on a podcast that the risk model was “a complete guess.” Here, we saw the trope of greedy financiers wading into a technical problem they did not understand.

Nevertheless, the company made $100 million of sales and paid out around 10% of that in claims, a wild success. The product changed over time, shifting towards covering litigation and response costs resulting from data breaches, but generally it remained a niche, profitable line of insurance. Specialist underwriters assessed cyber risk using more art than science, many operating out of the Lloyd’s market—the infamous market where David Beckham insured his foot.

This success was ultimately the market’s demise. Non-specialists took note and began offering cyber coverage. As a result, cyber insurance prices fell in real terms from 2008 to 2018. Regulatory filings in the US reveal that many insurers copied pricing plans from competitors. The influx of pretenders reduced the cyber insurance industry’s understanding of the underlying risk.

This led to a situation in which the main methods of risk assessment would have been familiar to insurers from before the IT revolution. Applicants were asked to fill out paper questionnaires about network security practices. Critics would often say that questions such as “[d]o you have a firewall?” abstracted away from the daily grind of configuring and maintaining corporate networks. A practitioner I know described these application forms as an exercise in “how to lie the least.”

The other option was to conduct underwriting calls in which multiple insurers would ask questions like “where and how do you store customer personal data,” to which board members would whisper to each other and say they would get back to the insurers on that one. Many questions went unanswered unless an employee with technical expertise was on the call. If an underwriter sensed a problem, brokers would simply find an insurer asking fewer questions.

Some insurers became uncomfortable with the situation. As the growth line of insurance, cyber attracted the most ambitious professionals, many of whom studied part-time for master’s degrees or InfoSec certifications. But insurers who developed a feel for effective security controls faced a problem. They either offered coverage based on less-than-perfect risk information or watched the premium go to a competitor asking fewer questions. Market conditions meant that even informed insurers could neither collect the relevant underwriting information nor require that policyholders put controls in place.

The status quo held while data breach litigation was the main cost driver, but then a ransomware epidemic began. Ransomware gangs brought businesses to their knees demanding payment. While critics of the industry contend that insurers were too willing to pay and that this caused ransom inflation, insurers counter that paying ransoms saved policyholders from going out of business. Either way, the ransomware gangs re-invested revenues, expanded capacity, and began demanding higher ransoms; one ransomware negotiator reports 1000% year-on-year growth in the mean ransom payment.

This brings us to the present, in which Lloyd’s of London reportedly recommends that certain syndicates do not offer cyber insurance coverage. So far, the InfoSec narrative of greedy financiers seems to hold. However, this narrative fails to appreciate how insurance markets create evolutionary incentives. Over time, the cyber insurance market will mature and improve, and there is early evidence that this is already occurring.

We should re-frame the ransomware epidemic as a force that disproportionately punishes insurers who do not understand the risk. In 2020, some insurers paid out more in claims than they received as premium—and that is before operational costs are even counted. Many of these insurers are restricting coverage and even leaving the market. This creates space for insurers who built expertise and technology that help with assessing and pricing cyber risk. Informed insurers can now ask as many questions as they want because the brokers cannot find an alternative insurer asking fewer questions. Some insurers are even nudging policyholders towards better security.

In this way, the market aligns incentives: the most informed insurers survive and the gamblers count their losses. This can be seen in emerging reports about policyholders facing deeper assessments and stricter requirements in order to renew cyber insurance coverage. Thus, the problems facing cyber insurance are signs of a healthy market and evidence that the product does what it promises, namely that it pays out when policyholders suffer cyber-attacks.

This brings us to another myth. Many people believe that cyber insurers ruthlessly avoid paying claims by using exclusions found in the small print. This perception is driven by the media’s reporting bias towards disputes like Zurich’s court case, in which the insurer claims a war clause was triggered by the NotPetya attack. The media largely ignores the less high-profile claims that are paid and that collectively hurt the industry. To be clear, the loss ratios are signs that insurers are indeed paying claims.

Insurers deal in promises. Invoking exclusions undermines trust in insurance products, which undermines sales in the future. Thus, insurers are playing an iterated game in which they must protect their reputation among policyholders and also among their peers. For example, many within the industry were frustrated that Zurich excluded the NotPetya attack given that other insurers had paid out on cases like the Sony hack, which was attributed to North Korea by the FBI.

But more importantly, most cyber insurance is sold via an intermediary, the insurance broker, who controls whether the underwriters get any business. To illustrate why this matters, I will recount a story from my time interning at a broker. A colleague took a call from a policyholder whose claim had been excluded. The broker immediately called the underwriter and within minutes the claim was paid. Why? Because brokers essentially adjudicate the reasonableness of exclusions, avoiding costly court cases. The enforcement power of brokers can be seen in an anecdote from an Australian cyber insurance firm that received an influx of business because a broker was moving all their policyholders away from an underwriter over an exclusion dispute. Thus, even if cyber insurance policies include exclusions that would apply in a strict legal sense, in many cases the insurer will not invoke the exclusion, in order to protect their reputation and relationship with the broker.

Nevertheless, it is worth asking whether it could ever be justified for cyber insurers to exclude a claim. Economic theory suggests that never excluding claims creates perverse incentives, by dulling the incentive for firms to secure their networks. This creates a Goldilocks problem: insurers should not seek to exclude all claims, nor should they exclude no claims. Insurers need to find the balance and pursue just the right number of exclusions. Chubb introduced a Neglected Software Exploit clause in which the policyholder takes on “progressively more of the risk if the vulnerability is not patched at the 46-, 90-, 180-, and 365-day points”. This means that, rather than a brittle yes-no decision on whether the policyholder implemented reasonable security, which inevitably leads to costly court battles, the insureds who take longer to apply security patches pay a higher proportion of their claims, which seems reasonable.

For the first two decades, the cyber insurance market rewarded entrepreneurial insurers who embraced uncertainty (or ignorance) while offering innovative insurance products. The market was flooded by pretenders who drove down underwriting standards and the price, preventing informed insurers from applying their expertise. Ransomware shattered this equilibrium, creating space for the insurers—both traditional and upstart—who can accurately price risk and nudge policyholders towards better security. People should be wary about reading too much into exclusions—even if the exclusion applies in a strict legal sense, it often cannot be invoked for business reasons.

In spite of my enthusiasm about the evolutionary promise of cyber insurance, I am concerned by the feedback mechanism by which insurers learn from policyholders’ failures. An ongoing study that I am part of finds that the claims process is controlled by lawyers who prioritise limiting litigation risk, which often means investigative findings are not written down or shared. Over time, this impedes the ability of insurers and policyholders to extract lessons from cyber incidents, which in turn undermines the evolutionary promise of cyber insurance. Such considerations motivate moving discussions about the cyber insurance market beyond folk understandings of insurance.

Daniel Woods is a Postdoctoral Researcher at the University of Innsbruck. Daniel received his PhD, entitled “The Economics of Cyber Risk Transfer,” from the University of Oxford. He has published on cyber insurance at venues including The Geneva Papers on Risk and Insurance—Issues and Practice, the Workshop on the Economics of Information Security, IEEE Security & Privacy, and Computers & Security.

The views expressed in this post are those of the author and do not represent the views of the Global Financial Markets Center or Duke Law.