
Cyber attack: The role of insurance

Enabling cyber resilience 

Cyber is one of the most complex and critical risks threatening national security and businesses today. The insurance industry is ready to respond, with simple and affordable products capable of expanding the market.

Cyber insurance is a growing but still relatively immature market, estimated at around $9.2 billion in gross written premiums in 2022 and expected to reach between $13 billion and $25 billion by 2025 [11]. However, this still represents a very small portion of the potential economic losses that businesses and society face. In time, greater penetration of cyber insurance should create a virtuous circle. As underwriters gather more data on cyber risk, they will be able to develop more relevant and more attractive products for customers, driving higher demand.

At Lloyd’s there are more than 77 expert cyber risk insurers concentrated in one place, enabling the Lloyd’s market to offer relevant and tailored solutions for customers at risk from cyber attacks. There are around 20 different types of cover for cyber losses currently available from across the global insurance market, including cover for triggers such as data exfiltration, contagious malware, distributed denial of service, and financial thefts. You can find more information about the types of solutions that are available here, though specifications differ from market to market.

  [11] https://gfiainsurance.org/topics/487  

The benefit of cyber insurance goes beyond providing a financial pay-out: it also offers expert consultancy and on-the-ground support. For example, Beazley provide both information security services to help businesses reduce their vulnerabilities and assistance to help resolve any breach that occurs, alongside risk transfer. Other insurers are partnering with IT security companies to monitor the threat landscape or customers’ own networks, which can help to reduce the likelihood of losses arising from systemic vulnerabilities.

Lloyd’s Lab has played a leading role supporting insurance innovations that work towards increasing cybersecurity awareness whilst offering pragmatic solutions. BOXX Insurance, a Lloyd’s Lab alumnus, provides cyber threat prediction, prevention and insurance coverage for small businesses and homes by connecting insurance, big data and technology. Parametrix Insurance, a Lloyd’s Lab alumnus, protects companies against business interruption loss due to cloud outages with simple and transparent coverage. It offers parametric insurance for external service downtime such as cloud outages, network crashes and platform failures.

Lloyd’s is committed to supporting a resilient cyber market, and it is important that underwriters understand the complex and potentially systemic risks in cyber. There will be an ongoing opportunity for insureds, brokers, insurers, governments and regulators to work together to define and understand what is covered and not covered by traditional and emerging policies.

As the cyber class matures, it is likely that the coverage in place on insurance policies will be managed with increasingly sophisticated exclusions of acts of war and systemic risk, with cover bought back separately where there is appetite. This approach is important to ensure that aggregate risks are properly understood, controlled, and priced for, and that customers are clear about what risk they will be protected for and what risk they will retain.

Since 2020, at Lloyd’s we have mandated that all policies must clarify whether cyber coverage is provided or not. We believe it is in the best interests of the consumers, brokers, and syndicates for all policies to be clear on whether coverage is provided for losses caused by a cyber event. Lloyd’s further seeks to reduce ambiguity in cyber coverages by requiring the segregation of cyber war from standalone cyber policies in order to ensure the risk is adequately priced for and capitalised. In one potential approach to providing customers with such certainty as well as maintaining market stability, Chubb are managing the potential losses following a widespread cyber event through a range of affirmative and specific limits, retentions, and coinsurance.

Cyber risk is complex and constantly evolving, and the potential scale of economic losses from a systemic cyber attack requires continued action, collaboration, and an agile approach. Lloyd’s has run a series of events, including our first ever Cyber Risk Summit, interactive Cyber Attack Simulation and a Cyber Innovation Forum run by Lloyd’s Futureset, bringing together senior business leaders, policy makers, law enforcement, technology firms and cyber risk specialists to discuss creative solutions for this emerging and interconnected threat.

Supporting a cyber resilient society might seem like an impossible task – but if anyone has the expertise and ability to face that challenge, it is our market, in collaboration with policymakers, customers and all the stakeholders that collectively make up our ecosystem.

Facing into a braver future

The challenge of preventing, protecting, and resetting after a cyber attack is enormous. While the insurance industry holds unrivalled expertise when it comes to understanding complex risks, there are always opportunities to innovate and change.

Check wordings and highlight clauses: Make sure customers are aware what their policies do and do not cover, such as contingent business interruption (CBI) cover. Mitigation is a vital part of the insurer/client partnership. It is important that clauses in contracts are clear and prudent.

Address ‘silent’ cyber: At Lloyd’s we insist that all policies must either provide affirmative coverage or clearly exclude coverage. Where a policy is “silent” on whether it includes coverage for cyber incidents, there is ambiguity for both customers and insurers.

Understand the exposure: Recording the cyber coverage given to their customers and categorising it appropriately can help insurers understand possible aggregations of exposure to systemic events and develop sustainable cover.

Counterfactual thinking: Because of the rapid pace of change and integration of technology, the opportunity for operational failure in cyber keeps increasing. Rather than focusing on past events for the basis of cyber cover, counterfactual thinking can help insurers consider how products could be designed differently.

The government's perspective

The total cost of cyber attacks is already in the trillions of dollars per year [12], and if the global catastrophe we contemplate were to materialise, this figure would only rise. With such a digitally connected society, all our systems and institutions are exposed, so acting in isolation will fail to build the resilience needed. To provide the best possible protection, we and others in the insurance industry worldwide are actively collaborating with policy makers, including through forums such as Lloyd’s first Cyber Risk Summit and Cyber Attack Simulation, to share risk, protect our customers and create a braver world.

Governments have a significant role to play in building resilience and enabling an effective post-event response.

 [12] https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers  

Disaster response

The response to a cyber event of this severity could be expected to have international input from the Five Eyes (FVEY), an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in information intelligence. In the UK, a national network of computer emergency response teams known as CERTs and a related international group called FIRST (the Forum for International Response Teams) have established networks which would be able to share information on the extent of the threat and any positive news on how to patch against it.

Education and awareness

Governments are able to play a vital role in promoting awareness of cyber risk and cybersecurity best practices, particularly for smaller businesses or individuals who may tend to underestimate these risks. Many governments also have sophisticated incident and response functions to provide support to victims of a large-scale cyber event. Governments can work with insurers and cybersecurity experts to educate businesses and individuals about the type of support they can expect to receive following an event and how to access it.

Risk transfer

As the cyber class matures, it is important that insureds, brokers, insurers, governments and regulators work together to define and understand what is covered and not covered by traditional and emerging policies. This can lead to an informed debate about whether governments choose to take proactive or preventative steps such as organising a pooling mechanism to protect against a future global cyber catastrophe. Historically, such a debate has tended to follow a major loss rather than precede one. As cyber remains a relatively immature class with a short history, the development of new solutions is likely to be determined as much by public policy priorities as pure risk-based economics.


Disclaimer

This report has been produced by Lloyd's Futureset and Cambridge Centre for Risk Studies for general information purposes only. 

While care has been taken in gathering the data and preparing the report, Lloyd's and Cambridge Centre for Risk Studies do not, severally or jointly, make any representations or warranties on behalf of themselves or others as to its accuracy or completeness and expressly exclude to the maximum extent permitted by law all those that might otherwise be implied.

Lloyd's and Cambridge Centre for Risk Studies accept no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.

Note that this report does not seek to replace or inform any of the mandatory scenarios which Lloyd’s publishes to support the Realistic Disaster Scenario exercises managing agents are required to undertake in respect of the syndicates managed by them.