Cybercrime may become uninsurable
Losses caused by criminal activity may no longer be covered in the near future.
I have written about cyberinsurance changing several times in the past, including how a company settled their cyberinsurance lawsuit with their provider, how a pharmaceutical company won a massive lawsuit, and how Lloyds of London issued public recommendations for cyberinsurance providers. Taking all three together makes it clear that the cyberinsurance industry is undergoing some seismic changes, particularly in relationship to cybercrime.
One aspect of my job regular readers may recognize is helping clients complete their cyberinsurance forms. Over the past few years these forms have actually evolved, going from an originally useless joke to actually seeking useful answers to technical questions. One of the biggest challenges for an insurance provider is to find a way to measure their risk properly and accurately. Of course, considering cyberinsurance was first offered back in 2000 it makes sense that the industry has changed substantially in the intervening decades.
Now while some change should clearly be expected, I still wasn’t prepared for what the CEO of Zurich Insurance (a major insurance provider in the EU) said in a recent article where they stated they are looking to update their cyberinsurance offerings. But what exactly is the major upheaval they are looking to implement?
“Making cybercrime uninsurable”
If this statement doesn’t worry you, it should! Even though it’s just a public comment from a CEO and not actual company policy (yet), it’s still a startling idea. Of course, there’s no way to look up and see how the term “cybercrime” is actually defined, especially in this context. However, if you think it means insurers just don’t want to be responsible for insuring criminal enterprises, you’d be mistaken; it’s already part of every insurance contract that if you incur losses while committing a crime your insurance won’t cover you. In fact, this has been true for insurance pretty much since it was conceived of.
So it seems like the only way to interpret that statement is to assume they’re referring to the losses incurred by someone else committing a cybercrime against you. Does cybercrime include ransomware? One would hopefully assume so. What about Denial of Service (DoS) attacks? Those are criminal activities, so again I would assume so. But what about losses due to phishing? After all, phishing is not directly illegal, and the legality of it depends on the results. So would that be covered? I mean, pretty much all of the ways that an organization can incur significant losses related to computers are due to criminal activity. These kinds of policy changes would mean that cyberinsurance would only cover losses caused by things like power outages, software updates that go wrong (remember the big Rogers outage), and configuration mistakes (I’m looking at you, Facebook).
Like Lloyds of London, Zurich Insurance is a major provider. When they make moves, other providers pay attention. Providing insurance is a business after all, so at the end of the day insurers need to make more money on premiums than they pay out on claims. Unfortunately the idea of making cybercrimes uninsurable in order to maintain profitability is deeply concerning, even if for now all we can do is wait and see what actually happens.
For this newsletter’s Shakespearean quote I’ll pull a simple line from the play Caesar: “Et tu, Brute?”
If you’d like to learn more about your cyberinsurance policy and how to ensure you’re properly insured, contact a TRINUS cybersecurity expert and we’ll be happy to help out.
Be kind, your friendly neighbourhood cyber-man.