Outdated war exclusion insurance policies may not cover cyber attacks
Outdated war exclusion policies in the insurance industry could result in billions in losses in the event of a major cyber attack.
That was the opinion of industry experts in Bridging the Cyber Coverage Gap, a panel held during the third day of the Bermuda Risk Summit 2022.
“The wording is predicated on an assumption that we could define war,” said Noel Pearman, senior vice-president cyber product line leader at AXA XL.
But he said that in a cyber attack it could be “exceedingly” difficult to tell who was attacking and what their motives were.
“Hackers are so sophisticated they can mimic other countries attacking styles to make it look as though another country attacked, and not the actual attacking country, or country sympathetic group of people,” Mr Pearman said.
“So, in terms of the effectiveness of the war exclusion, I think it is a question that is in the air. I don’t think it will be exceedingly effective right now. I think there are modifications that are coming to market that will help.”
He said one of the modifications might be to state “we will not cover a cyber incident as the result of an attack, which is in support of actual boots on the ground warfare”.
“That clarifies exactly when an exclusion would apply and not apply and take the terrorism piece out of it,” Mr Pearman said. “That might help, but it will be very difficult in the meantime.”
Yosha DeLong, senior vice-president, global head of cyber at Mosaic, said that if current war exclusions did not hold in the face of a zero-day cyber attack, the result could be up to 60 billion dollars in losses.
Other panellists estimated 20 to 40 billion in losses.
“I think the war exclusions are some of the original property ones,” Ms DeLong said. “Some of them are almost 100 years old. They are not built for purpose right now. That is the one thing we need to do.”
Ms DeLong said every carrier has a different policy and different wording. Something as simple as a comma or the word “and” could be the deciding factor in whether the war exclusion could be invoked.
“So that is something that we as a community are looking at right now, looking at what we do intend on covering and what we don’t intend on covering, and are we addressing that properly,” she said.
Lockton Re senior broker Patrick Bousfield, said Russia’s attack on the Ukraine had not resulted in an increase in ransomware attacks, so far.
“If you study the ecology of ransomware and bad actors, they are set in these two countries,” Mr Bousfield said. “There is chatter that those bad actors and entities are fighting a civil war at the moment so they are a little too busy to look for the profit motive.”
But he said indirect attacks were something to consider.
“There are other threat actors out there,” Mr Bousfield said. “They are going to take advantage of this moment. It takes a fair amount of investment to make a very wide impact, but you could very much see a digital nuclear bomb going off in certain sectors. Oil and gas would be the most likely.”
But Ms DeLong said the insurance community has done a really good job of focusing on the controls in the last couple of years.
“That is really key to preventing this particular event if it does escalate to being catastrophic to the industry,” she said.
Ari Chatterjee, chief underwriting officer at Envelop Risk, said that to make growth sustainable, it was important to come up with solutions.
“We have to find more sources of capacity outside the traditional market,” he said. “I think we have to improve our risk quantification even further and be ready for some of the terrible things that can happen, and have the capital ready to back up if need to be.”
Tracey Gibbons head of QBE Re was moderator for the panel.
The Bermuda Risk Summit 2022 was held the Hamilton Princess & Beach Club and was hosted by the Bermuda Business Development Agency.