Clifford Chance

Insurance Insights

Cyber insurance – risks, opportunities and trends

Introduction and executive summary

Cyber risk is in the spotlight not only for the insurance sector but also for policy makers, regulators, technology firms and the broader business community. As organisations increasingly rely on digital technologies for their operations, cybersecurity has become a board-level risk and, for critical infrastructure, a national security risk for governments. Managing this risk is becoming more challenging: each organisation's technology stack is growing more complex, with more points of potential vulnerability, while cyber attacks are becoming more sophisticated. In addition, advances in artificial intelligence (AI) have the capacity to drive a steep increase in cyber risk over the next few years. The global cost of cyber crime is projected to rise accordingly, to nearly USD 24 trillion by 2027, up from close to USD 8.5 trillion in 2022. Cyber warfare has also become a key feature of contemporary conflicts and a key tool of state-sponsored aggression. The increasing interconnectedness of businesses and systems, and widespread reliance on key technology providers across extended supply chains, mean that a single cyber incident can have a significant contagion effect.

To reduce the risk of a cyber incident, organisations can implement a range of technical and behavioural measures, and can take steps to limit the consequences and speed up recovery should an incident occur. Insurance, working alongside the technology and cybersecurity industries, plays a critical role in both. Insurers provide financial coverage for losses incurred from data breaches and security incidents, helping organisations recover more swiftly. Insurers are also working with businesses and governments to detect and tackle cyber threats and to manage response plans, strengthening cyber resilience.

There is currently a significant protection gap between insured losses and economic losses for cyber risks. Closing this gap requires greater awareness among businesses, especially SMEs, of the need for appropriate cyber risk coverage and for investment in cybersecurity and operational resilience. Insurance is not a substitute for robust cybersecurity measures. Collective action is needed: organisations must act to strengthen their cyber resilience, while insurers can foster knowledge-sharing partnerships to improve risk modelling and expand the scale and scope of cyber protection. Importantly, while the insurance sector plays a key role in mitigating cyber risk, the potential scale of losses from a cyber catastrophe or other large loss event means there are limits to the financial loss the (re)insurance industry can absorb. For such large-scale events, governments may need to consider public-private partnerships and a cyber reinsurance scheme or governmental backstop, of the kind proposed by Pool Re, to manage cyber risks that cannot otherwise be quantified.

Key findings

What is the threat?

The types of cyber threat that businesses face vary by sector and are constantly evolving. Ransomware, business email and communication compromise, data breaches and supply chain vulnerabilities are the major loss drivers in cyber insurance, with incidents stemming from compromised credentials a particular concern. AI has the potential to increase these threats exponentially.

Current market position

Major cyber insurers acknowledge that cyber risk continues to increase, driven by continued reliance on third-party technologies, including cloud services, for business-critical systems and operations. The impact of these factors is multi-faceted: advances in AI, for instance, lead both to increasingly sophisticated cyber attacks and to more advanced cyber defences that may become available to organisations. Similarly, while the use of third parties for critical systems introduces supply chain risk, it can in some cases give access to state-of-the-art cybersecurity that would not be available in-house.

Growing concern about cyber risk among policy makers, governments and regulators is resulting in a global trend towards increasing cybersecurity regulation, often tightening existing requirements and affecting a broader range of businesses than previous frameworks. Regulation can be prescriptive in areas such as cyber policies and documentation, incident management and notifications, and contracting with key suppliers. Together with the constant evolution of technical controls, this changing legal landscape can shape the expectations that insurers have regarding the technical and organisational measures that organisations should have in place when seeking protection for cyber risk.

There is increasing capacity in the cyber insurance market, which is already sizeable (estimated at USD 14 billion of gross written premium (GWP) in 2023) and is projected to more than double by 2027. Although cyber insurance rates surged during the pandemic, they have fallen significantly over the past year as underwriters have become more comfortable with coverage terms and market capacity has increased, supported by very strong underwriting results at the 2022 peak.

However, despite this progress, companies and governments globally are not adequately protected against cyber attacks. Various factors contribute to this "protection gap", including cyber insurance not being taken up by many SMEs (for instance, because it is considered too expensive, or due to scepticism around enforceability of policies), and lack of understanding around the product and/or the steps an organisation needs to take to ensure compliance with the terms of a policy.

Types of protection

The largest global insurers remain the key players in cyber insurance. Typical coverage ranges between USD 500,000 and USD 5 million per occurrence. Policies generally include first-party coverage for costs directly incurred by the insured organisation (e.g., forensic investigation, notification costs, cyber extortion, business interruption) and third-party liability coverage for claims made by others (e.g., investigation, legal defence, damages, compensation). The potential impact of connected cyber risk and the high cost of claims from "black swan" events highlight the limits to the financial losses the (re)insurance industry can absorb.

Exclusions

Exclusions to cyber insurance cover are broadly consistent with other insurance policies which exclude cover for warfare and terrorism. However, given the widespread use of cyber attacks by nation-state actors, these exclusions are particularly pertinent in the context of cyber insurance policies. Common exclusions include:

  • War or terrorism – Any loss resulting from war or terrorism, regardless of any other cause or event contributing to the loss. Although cyber insurers may carve out an exception for cyber terrorism, the key challenge is attribution: technical evidence rarely establishes state involvement conclusively, and the policy wording determines who must prove attribution and to what standard. For example, in 2017 the NotPetya malware caused billions of dollars in damage to many companies. Mondelēz International and Merck filed insurance claims for their losses. As the malware was attributed to the Russian government, the insurers denied the claims, citing the war exclusion. Nevertheless, in Merck's case a New Jersey appellate court ruled that the war exclusion did not apply: the exclusion's reference to "hostile or warlike" action by "a sovereign power" was "intended to relate to actions clearly connected to war, or at least, to a military action or objective", and NotPetya was not such an action.
  • Failure of critical national infrastructure – Losses caused by the failure of critical national infrastructure, such as a satellite failure or an outage of telecommunications or other infrastructure.
  • Failure to maintain security measures – An organisation is typically obliged, under the terms of the policy, to maintain appropriate procedures and controls to protect against cyber attacks. Insurers closely interrogate the policyholder's cyber posture, requiring substantial detail on its security programme. The answers given in the proposal form (for example, whether multi-factor authentication, offline backups and endpoint monitoring are in place) can become conditions of cover, so a control that is misdescribed at inception or allowed to lapse during the policy period can jeopardise a claim.
  • Jurisdiction – Cyber events and the resulting losses can cross borders. An insured should be very clear as to which countries or territories the policy is intended to cover.
  • Lloyd's of London – Against the background of the NotPetya litigation, from 31 March 2023 all standalone cyber-attack policies written at Lloyd's must contain a cyber-specific war exclusion. As well as excluding losses arising from war, the exclusion must exclude losses arising from state-backed cyber attacks that significantly impair the ability of a state to function or its security capabilities, unless Lloyd's has agreed otherwise. This potentially puts Lloyd's cyber policies at odds with non-Lloyd's policies (although it is notable that Munich Re, one of the largest cyber underwriters, has been supportive of the Lloyd's exclusion).

With the industry's increasing focus on cyber as a systemic risk, insurers may begin including more specific exclusions in their policies (e.g., criminal, civil or regulatory fines, sanctions, and claims brought by related entities or by employees seeking redress for the loss of their personal information following a data breach). Such exclusions can significantly reduce the utility of a cyber policy by narrowing the scope of coverage and leaving policyholders exposed to substantial risks. Businesses should review and understand their policies, and insurers should encourage insureds to implement robust cybersecurity measures to mitigate the risks that are not covered.

Market outlook on cyber – the future

Everyone in the cyber insurance ecosystem has a role to play. Actions that can be taken include:

  • Microeconomic/organisation level actions – Businesses should strengthen cyber resilience by adopting recognised best practices or standards. These include technical measures such as threat monitoring, as well as organisational measures such as effective cyber governance led from the top of the organisation and regular review of operational weaknesses and resilience plans.
  • Actions by insurers – Insurers can incentivise good cyber resilience management among potential insureds, including by encouraging the sharing of structured cyber loss and insurance data so that it can be aggregated and analysed. Innovation also plays a role. Cyber catastrophe bonds, which pay out on parametric triggers for cyber events, are becoming more popular as a way for insurers to manage the risk of large-scale cyber events by adding capacity to the market, much as natural catastrophe bonds are already used in the property and casualty (P&C) market.
  • Government intervention – Robust regulation of AI may offer an opportunity to limit cyber risk at source. While the feasibility of such regulation remains uncertain, a more immediate step would be the establishment of governmental backstops covering losses from cyber risks that could affect macroeconomic stability. For example, in the UK, Pool Re (the government-backed terrorism reinsurance pool) has recommended the creation of a "Cyber Re" reinsurance pool. Participation would be voluntary for insurers and would be funded through a premium-driven reinsurance contribution on cyber business. The plans put forward envisage a pool with reserves of around £1bn-£10bn, which would likely be sufficient to mitigate a systemic cyber catastrophe if supported by a state-funded backstop. This funding could be recouped as the UK cyber market, expected to reach around £1bn by 2025, expands.