The European cyber market has transformed in the last five years as coverage understanding and regulation have matured in line with the evolving risk landscape. 2022 is set to be a year of exceptional demand, says Alta Signa Branch Manager Ingo Trede.
Cybersecurity threats are on the rise across Europe, with attacks increasing in the region in 2020 and 2021 - both in terms of frequency and sophistication. From ransomware to denial of service attacks, data theft and app-based attacks, the overall impact of the cyber threat on individuals and businesses is increasingly significant and systemic.
In response, EU policymakers are rolling out new cyber defence rules this year - in particular the European Council Network and Information Security 2 (NIS2) Directive which will revamp the current EU-wide framework for cybersecurity. This new directive will require more types of companies to take stronger cybersecurity measures, with increasingly stringent requirements in areas such as encryption and governance.
The war in Ukraine adds significantly to that threat landscape. The earlier, substantial NotPetya cyber attacks against the country initially targeted Ukrainian governmental institutions, from where the attack spread far beyond the geographical border of Ukraine. The CIA attributed the attack to Russian military hackers attempting to disrupt the Ukrainian financial system. Given this substantial previous attack, it is likely that similar nation state cyber attacks will form a secondary front in Russia’s current war.
Due to the cat-and-mouse nature of the threat - whereby there is a constant drive to catch up with the latest methods used by cyber criminals - the cyber threat landscape is constantly changing. While the past two to three years have seen predominantly “ransom as a service” attacks, brute destruction with no monetary target may become an important second loss driver in Europe. As a consequence, attention will turn to wordings, exclusions and definitions - the first to come to mind certainly being the war exclusion and its language.
A boardroom topic
All of this means that cyber security has been a boardroom topic in every industry for some time. But securing cost-effective cyber insurance is more challenging now than when the first cyber policies were developed. This is due to a mixture of cold feet and heavy loss experience leading to the current hard market conditions for European cyber insurance.
Insurers are now typically much more conservative with their limits, retentions, triggers and the structure of underwriting policies, while many have stopped writing the line of business in certain market segments and/or industries.
Despite this contraction in risk appetite, demand for quality cyber insurance is very strong across Europe. The most effective and value-add cyber policies are underwritten in line with core areas of the NIST cybersecurity framework, which is a widely accepted standard, with an emphasis on the different lines of defence against an attack - but with equal importance given to detection, containment of an attack and the ability to restore systems, so that the business can continue and return to normal operation after an attack.
Risk mitigation is essential
Effective cyber insurance now goes hand-in-hand with a strong emphasis on continuous tracking and detection of a hack or breach, and the preparedness to react and recover quickly. It is now essential that all businesses looking to secure effective cyber insurance can evidence robust business continuity and incident response plans.
We expect clients to have a mature cyber security level and to take the job of protecting themselves seriously before transferring the remaining unforeseeable risk to the insurance carrier.
Potential cyber policyholders should, for instance, have in place cutting-edge endpoint and server detection and response solutions as well as proper control of privileged access and administration rights, together with oversight and patching standards, while properly controlling for any non-supported systems still in use.
Other security essentials include segregation of networks, together with the integrity of back-up protocols. To secure full roll-out and the same level across all group entities, continuous testing and vulnerability scanning, overseen by a centralised security operations team, are paramount.
Insurers will consider the revenues a company produces as an initial criterion, together with the amount of data stored and processed, which generates a view of the ‘cyber footprint’ when weighing up coverage and pricing indicators. In addition, the recoverability of revenues, in light of the business interruption coverage, will be of key importance. Providers are also exploring co-insurance retention and sublimit structures, where clients effectively self-insure a portion of their cyber exposure to help share the risk and manage exposure.
Ransomware continues to be a core risk for 2022, while the payment itself most likely continues to lose importance in the overall cost allocation after ransomware incidents. The debate continues among some governments and regulators as to whether making ransomware payments through insurance should be made illegal. We are following this debate and any ensuing regulations very closely.
While the focus has been for some time on the increase in severity and frequency of ransomware attacks, data breach exposure is also on the radar as an increasing cyber threat in 2022 due to incentives to tighten legal frameworks to protect customers and their data. This could ultimately lead to collective redress systems in the future and add to the hefty fines by regulators for data breaches, making this a key loss driver, as it already is in the US today.
As previously mentioned, the world will continue to closely monitor the threatening situation at the eastern edge of the EU, which impacts the worldwide economy but also the cyber threat landscape, with pure malware events (with no monetary, but rather political motivation) potentially gaining new importance.
We also expect further tightening of wordings to continue this year, in particular around accidental event triggers or wordings that grant cover beyond the IT universe of the insured, where wordings are still wide. The remote working trend is also fuelling renewed focus on security protocols and mandatory cyber security wordings in contracts, for instance.
The war exclusions will gain attention, and their language in particular will be analysed with a more critical eye, taking into account the recent Merck decision by the Superior Court of New Jersey, which highlighted the importance of policy language. In this case the war exclusion hadn’t been adjusted “despite the potential to do so”, and therefore the coverage for the suffered NotPetya loss was found not to be barred by the “standard” war exclusion used.
Cyber security threats are constantly evolving, and so too is the insurance market’s response. There is clear demand for expert insight and advice on securing the highest quality coverage available.
Alta Signa continues its effort to support the European market with additional capacity and is working hard to further improve the current cyber offering to diversify beyond the current core industry focus.