On boxing day, it was reported that Zurich CEO, Mario Greco, told the Financial Times that cyber-attacks are set to become “uninsurable.” He said that cyber is “the risk to watch.”
You may be unsurprised to discover that the headline is arguably clickbait driven. However, drilling into the article reveals that the comments are more specifically aimed at cyber-war and systemic risk.
Over the past few years, systemic risks (risks that threaten the entire business, enterprise, entity, or economy, leading to its abolition), such as climate change or pandemics, have put the insurance sector’s ability to provide coverage to the test. Greco believes that cyber is the next to be challenged. However, some may argue that it already has been.
In 2017, for example, Zurich initially denied a $100m claim from Mondelez related to the NotPetya attack, stating that the policy excluded a “warlike action”. The two sides have only recently settled (more on this later).
Spiralling cyber losses have caused an evolution in the maturity curve of cyber insurance, affecting the cost of cover and tweaks in policies. For example, in 2021, Lloyd’s of London excluded specific nation-backed cyber-attacks from policies.
Attacks on critical national infrastructure have played into his argument, with cyber-attacks that, in his words, “can severely disrupt our lives.”
Greco called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those in some jurisdictions for earthquakes or terror attacks”. He also praised the US government’s stance on advising organisations against paying ransom demands.
Tiago Henriques, the VP of research at Coalition, responded to the Boxing Day article with this post on his LinkedIn profile: “If you say something on the news/events/social media like ‘cyber is un-insurable’ while there are companies successfully insuring it (at profitable and healthy loss ratios) this becomes more of a reflection of your organisation on how to underwrite cyber than a statement about the industry.” Feels like a mic-drop moment.
Daniel Carr is head of cyber at Lloyd’s of London Reinsurer, Ariel Re. He responded to the FT article: “[This is] more noise unfortunately and headline-grabbing. I’m looking forward to some considered commentary in the press that isn’t hyperbolic, [and] not aided by the tech/security sector using it to beat insurance with. If [security] tech was so brilliant, there wouldn’t be a need for insurance, so I don’t get the tribal-like rhetoric thrown around back and forth. Neither are silver bullets, and both are very much needed and perfectly sustainable – given the right market structures and solutions.”
This is a sweeping statement from a CEO who has just had to settle on one of the most famous cyber insurance claims to have affected our market (mentioned above). However, that incident happened six years ago, and the insurance market has matured incredibly.
Cyber risk is significant, but that doesn’t mean it’s uninsurable; just that the industry needed to catch up with the evolving risk environment.
Zurich is most likely still reeling from the Mondelez incident, and perhaps their CEO made a comment which has been blown up to grab a headline, which was unlikely to have been his intention. However, reading beyond the headline is essential – what Greco is actually referring to is not being able to insure unquantifiable cyber risks, such as war and systemic risks (like pandemics and climate change). This makes sense; for insurance to work, it has to be quantifiable.
The closest cyber incidents we’ve seen to systemic have been NotPetya (totalled £10bn in losses, £3bn of which were insured. Comparably, Hurricane Ian of October 2022 will cause between $50 – $65bn of insured losses across both market and public insurance) and SolarWinds (worldwide loss of £90m). Both incidents were quantified, and cyber insurers played their part by supporting the businesses. That’s not systemic.
Interestingly, Zurich does underwrite cyber, and it does so successfully. The team there are great. Many companies are successfully insuring cyber risk, which further fuels our belief that this comment has been taken out of context to make a headline.