The Cyber Express

Cybersecurity incidents may soon be ‘uninsurable’

The cyber insurance industry is set to face fundamental changes as insurers turn reluctant due to the increasing disruption caused by cyber-attacks, notes Zurich insurer CEO

by Chandu Gopalakrishnan
December 27, 2022
in Compliance, Features

Cyber-attacks are becoming “uninsurable” due to their increasing disruption, Mario Greco, the CEO of insurer Zurich, told the Financial Times. A closer look at the cyber insurance events that unfolded in the past twelve months shows that Zurich is not the first insurer to adopt that stance, and certainly not the last.

Insurance executives have been increasingly concerned about risks such as pandemics and climate change, which have pushed expected natural catastrophe-related claims past $100 billion for the second year in a row.

However, Greco argued that the bigger risk to watch is cyber-attacks, which have the potential to disrupt vital infrastructure and society.

Russia, Ukraine, and the cybersecurity landscape

In recent years, rising cyber losses have led insurers to take emergency measures, such as raising prices and altering policies to have clients retain more losses, in order to limit their exposure.

Zurich American Insurance last month settled with Cadbury’s owner Mondelez International over the insurer’s refusal to cover the US-based company’s $100-million-plus loss following the 2017 NotPetya outbreak. German pharmaceutical business Merck in January won a lawsuit the company filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack.

While Merck was hailed as a landmark case, Mondelez is likely to become the last of the million-dollar cyber insurance lawsuits. In between these two verdicts, a major event happened that changed the landscape of cyber insurance: the Russian invasion of Ukraine.

Merck and NotPetya

Data on more than 40,000 Merck systems was lost as a result of the NotPetya event, which occurred in June 2017 and affected hundreds of businesses worldwide. Merck assessed the loss at $1.4 billion, which included a loss from lost production, expenses for hiring IT specialists, and expenses for purchasing new equipment to replace all impacted systems.

The corporation had a $1.75 billion “all-risk” insurance policy in place at the time, which included software-related data loss incidents. However, insurer Ace American argued that the NotPetya assault was a component of Russian hostilities against Ukraine and, as such, fell under the typical “Acts of War” exclusion provision that is contained in most insurance contracts.

Merck sued Ace American in November 2019, claiming that the Acts of War clause should not apply since the attack was not “an official state action”. The exclusion provision, according to Merck’s legal team, should not apply to their client since it contained language that restricted the Acts of War to legitimate government organisations and did not expressly identify cyber-related incidents.

Wired magazine, which analysed the malware and its path in detail, declared that “the release of NotPetya was an act of cyberwar by almost any definition,” adding fuel to the insurer’s claim.

Judge Thomas J. Walsh of the New Jersey Superior Court ruled on January 13 that Merck’s insurers cannot rely on the war exclusion since its language is intended to apply to armed conflict. Despite a pattern of assaults by nations like Russia against private sector corporations, the ruling observed that insurers didn’t amend the war wording to “put on notice” companies like Merck that cyberattacks wouldn’t be covered.

Meanwhile, in Ukraine

Two months later, Russia invaded Ukraine. In the first global conflict where the internet became a battleground, Russia intensified its long-standing campaign of cyberattacks against Ukraine to unforeseen levels. In retaliation, the West and an army of volunteers boosted the Ukrainian cyberattack capabilities.

Russian state-sponsored threat groups began to target the critical infrastructure of Ukraine’s allies. Take the case of Italy. While cyberattacks were common in that country, the numbers were nowhere near those of the US or its European peers Germany and the UK. The numbers spiked after Italy extended its support to Ukraine in the ongoing war against Russia.

“The ever-increasing threat landscape due to the Russia-Ukraine conflict has fundamentally transformed the attack surface due to frequently disclosed vulnerabilities and exposures. Meanwhile, the increasing complexity of tools and techniques adopted by the threat actors has revealed the gaps in the cybersecurity infrastructure of Italian organizations and entities,” said a Cyble advisory about cyber-attacks on Italy.

Italy’s foreign minister disclosed in September that the cyber-attacks on western European companies, and Italy in particular, have risen following the Russian invasion of Ukraine. The statement came after state-sponsored hackers started targeting energy companies in Italy that month.

Attacks mounted, and so did the moves to claim insurance for cyberattacks. Insurers, on the other hand, began preparing to minimise cyber insurance coverage.

Insurance and hospital gowns…

What’s common in insurance and hospital gowns? They never cover you fully! This business joke is a harsh reality when it comes to cyber insurance. In August, Lloyd’s of London announced that all standalone cyber insurance policies underwritten by members of Lloyd’s marketplace from March 2023, “must exclude liability for losses arising from any state-backed cyberattack”.

Cyberattack coverage “if not managed properly… has the potential to expose the market to systemic risks that syndicates could struggle to manage,” the corporate body told its members.

Lloyd’s of London, generally known simply as Lloyd’s, is an insurance and reinsurance market located in London, England. Unlike most of its competitors in the industry, it is not an insurance company; rather, Lloyd’s is a corporate umbrella body of insurers.

Lloyd’s members are spread across 50 leading insurance companies, over 350 registered brokers and a global network of over 4,000 cover holder offices. They pay out close to £60,000 in claims per minute.

On the other hand, the attack surface was growing as global organizations rolled out more applications, wrote more code, hired more remote workers, and connected more physical systems to networks.

Warren Buffett was the first business leader to warn about the potential, big-ticket harm for the insurance industry.

“Cyber is uncharted territory. It’s going to get worse, not better,” he said at the Berkshire Hathaway 2018 Annual Shareholders Meeting. “There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”

Buffett stated that he doesn’t want Berkshire’s insurance operations to have a lot of underwriting exposure to cybersecurity issues. He pointed out that while the corporation has a “pretty good idea” when estimating the likelihood of earthquakes in California and hurricanes in Florida, it does not for dangers from computer hacking. No insurance provider can evaluate the risk of cybersecurity-related incidents accurately, he added.

With the unprecedented hike in cyberattacks post COVID, the risk for insurers was becoming larger.

Mondelez and NotPetya

Meanwhile, the Mondelez lawsuit was going on in the US. The global food and confectionery business sued Zurich insurance in 2018 after it refused to cover the NotPetya damages. By then, governments including the US, the UK, Canada, and Australia had issued coordinated statements attributing NotPetya to the Russian government.

“It was perhaps the most extensively and authoritatively attributed cyberattack ever, especially in the context of breaches which often give rise to disagreements about attribution and how definitively it can be performed,” said an analysis of the Mondelez case by The Brookings Institution, a US-based non-profit public policy organization.

However, the general consensus was that most cyber intrusions and breaches are perpetrated by governments, and if all of those are viewed as being beyond the purview of cyber insurance coverage then cyber insurance could become largely useless for many policyholders dealing with a wide range of incidents from espionage to ransomware.

“If Mondelez wins that means insurers will either have to cover a much broader range of cyberattacks or rewrite their coverage to exclude new categories of damages that go beyond warlike actions,” the Brookings report continued.

“On the other hand, if Zurich wins the case, then policyholders may decide that there’s little point in purchasing cyber insurance, forcing insurers to craft new language for their policies to reassure customers that at least some government-sponsored cyberattacks will still be covered.”

Mondelez argued vigorously that its cybersecurity policy covered all sorts of events. NotPetya damaged 1,700 of its servers and 24,000 laptops, leaving staff unable to use systems, applications, and data.

“As a result of the damage caused both to its hardware and operational software systems, MDLZ incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000,” according to court documents filed by Mondelez.

Is there no respite?

When insurance businesses started offering cybersecurity coverage, the scale of damage perceived was negligible and the premiums were cheap. NotPetya was an eye-opener, and the Russian invasion gave a taste of what cyberwarfare can cause.

If global cyber insurers follow Lloyd’s nation-state exclusions, governments will have to step in and offer some kind of cyber insurance scheme. There is also a possibility of a mass consumer movement, which might bring changes to insurance policies and cyber attribution.

The US Treasury published a request for comment on questions related to cyber insurance and cyber incidents. “Cyber insurance is a significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency,” said the announcement.

The fact remains that even the governing bodies face huge cyber risks. The Cyber Express found out in November that the Insurance Regulatory Authority of India (IRDAI) faced a ransomware attack, in which crucial data of insurance companies were accessed by threat actors.

It is a given that there will be at least one catastrophic cyber incident that would cause insurance firms to go bankrupt. Perhaps before that, either a government reform or a consumer revolt will happen.

Chandu Gopalakrishnan

Executive Editor, The Cyber Express
