The chief executive of one of Europe’s largest insurance companies has warned that cyberattacks, rather than natural disasters, will become “uninsurable” as disruption from hacks continues to rise.
Insurance executives have increasingly spoken out in recent years about systemic risks, such as pandemics and climate change, which are testing the sector’s ability to provide insurance protection. For the second year in a row, natural catastrophe-related losses are expected to exceed US$100 billion.
But Mario Greco, chief executive officer of insurer Zurich, told the Financial Times cyber is the risk to watch.
“What’s going to be uninsurable is going to be cyber,” he said. “If someone takes control of vital parts of our infrastructure, what will the consequences be?”
Recent attacks that have disrupted hospitals, shut down pipelines and targeted government agencies have all raised concern among industry executives about this growing risk.
Greco added that focusing on the privacy risk for individuals missed the bigger picture: “First, there has to be a perception that it’s not just about data. . . This is about civilization. These people can seriously disrupt our lives.”
Rising cyber losses in recent years have prompted the sector's underwriters to take immediate action to limit their exposure. Some insurers have not only ratcheted up prices but also adjusted their policies so that customers retain more of the losses.
Exceptions are written into the policies for certain types of attacks. In 2019, Zurich initially denied a $100 million claim from food company Mondelez stemming from the NotPetya attack on the grounds that the policy excluded “belligerent action.” The two sides later reached an agreement.
In September, Lloyd’s of London defended a move to limit systemic risk from cyberattacks by demanding that insurance policies issued in the market have an exemption for state-sponsored attacks.
At the time, a senior Lloyd’s executive said the move was “responsible” and better than waiting until “everything went wrong”. But the difficulty of identifying the backers and their connections makes such exceptions legally vulnerable, and cyber experts have warned that rising prices and bigger exceptions could discourage people from buying protection.
Greco said there is a limit to how much of the losses from cyberattacks the private sector can absorb. He called on governments to “put in place private-public systems to manage systemic cyber risks that cannot be quantified, similar to those that exist in some jurisdictions for earthquakes or terrorist attacks.”
In September, the US government requested comment on the merits of a federal insurance response to cyberattacks, which could be part of or outside of its current public-private insurance program for terrorist attacks.
A June report by the US Government Accountability Office highlighted the potential for cyber incidents to “spill over” to other related companies. Examples such as the Colonial Pipeline hack, which caused temporary gas shortages in the US Southeast, highlighted “the possibility that a single cyber incident could engulf critical infrastructure with catastrophic consequences.”
Greco also praised the US government’s steps to prevent ransom payments. “If you curb the payment of ransoms, there will be fewer attacks.”