Our appreciation to Dr. Mutlu, WUST School of IT professor, for his suggestion to cover this week's discussion.
The cyber insurance market is expected to reach $20.6 billion by 2025. Due to the increase in the number of attacks, Cyber Attack insurance offers two risk mitigation approaches. First-party coverage that protects the company from data breach or Cyber Attack losses. Third-party coverage covers liability from customer, vendor, or other third-party claims.
It is generally accepted that Cyber Attacks can be insured but there are opinions to the contrary. Mario Greco, CEO of Zurich Insurance, one of the largest US insurance companies, thinks Cyber Attacks will not be insured when their volume and cost become prohibitive, and he issues a stern warning: "What if someone takes control of vital parts of our infrastructure, what will be the consequences? There has to be a perception that it's not just data, it's about civilization. These people can seriously disrupt our lives."
Hospital Cyber Attacks cause deaths and delay patient care. Pipelines have shut down by ransomware attacks, and government operations are under constant attack. The issues transcend finance into wider social and geopolitical implications.
Some insurance companies have increased their coverage rates, and most are amending the clauses in their contracts. In what is perhaps the “new normal” $100 million claim was made in relation to a NotPetya malware attack on the global food and beverage business Mondelez International in 2017 was denied by Zurich on the grounds that a "warlike action" was not covered by the policy.
In September 2022, Lloyd's of London argued in favor of a measure to reduce systemic risk from Cyber Attacks by introducing exceptions for catastrophic attacks backed by state actors. Such exceptions pose legal issues as it can be difficult to prove that perpetrators are affiliated with a government. Cyber experts have also cautioned that higher fees and more expansive exceptions may discourage individuals from purchasing any form of protection.
Greco said that all the damage from private sector Cyber Attacks cannot be covered on an ongoing basis. He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks''.
Greco also praised the measures taken by the US government to deter ransom payments. In principle, there will be fewer attacks if ransom payments are reduced but there are several instances where some experts disagree citing the priorities of infrastructure and essential services. The US government has not made any definitive statement on this issue.
Cyber Security is not a one dimensional technical issue; it is multi dimensional and layered, involving People, Process and Technology spanning from “lone wolf” single actor attacks to state actors with geopolitical agendas. The vast majority of attacks target the human element wherein lies the greatest vulnerability, and that elevates the level of risk to hardly manageable proportions.
Irem Naz BAYSAN