Is there a possibility that cyber-risk insurance will be unviable in the medium to long term?

The Federation of European Risk Management Associations (Ferma) is the latest body to raise concerns about cyber insurance around the world, doing so a few days ago.


FERMA has expressed concern that the cyber insurance market is evolving in isolation from the industries it serves.

The body warned that cyber insurance could become an "unviable product" for companies, since buying such policies has become more difficult because of the exemption clauses or exclusions recently introduced by Lloyd's of London in all policies of this nature and, worse still, Lloyd's recommends them to all its associated insurers.

These clauses introduced by Lloyd's of London have caused consternation in the insurance market.

Some insurers in the market argue that cyber insurance is stabilizing and that businesses in general are more likely to be able to purchase a reasonably priced policy. However, buyers should take good advice before purchasing cyber insurance to avoid future coverage issues.

Indeed, Ferma, which represents 22 risk management associations in 21 countries, denounces that the cyber insurance market may be inexorably affected by the controversial exemption and exclusion clauses arising from the Russia-Ukraine war introduced in March by Lloyd's of London.

The clauses recommend that cybersecurity policies should exclude coverage for attacks by state-sponsored criminals.

This has generated some confusion and controversy over how one defines a state-sponsored attack. Since many attacks are anonymous, some have feared that any cyber attack may fall outside insurance coverage under the exemption clause described above, which Lloyd's supports, given the large volume of attacks on Western countries coming from countries in a war or pre-war situation.

In fact, in Spain there have been massive attacks with substantial economic damages in recent months coming from Russian territory; under this assumption, the policies might not cover these attacks.

The approach needs to be more balanced to meet the needs of industry clients, Ferma argues. "Without a more collaborative approach to cyber, balancing the risk appetite of the insurance market with the coverage requirements of corporate buyers, there is a risk that cyber insurance will become an unviable product for many organizations," the organization told the Financial Times business daily.

The clauses "highlight growing concerns about the overall value and sustainability of the cyber insurance product from a corporate perspective," especially for larger companies where the risk is much higher.

Ferma calls for a "constructive" dialogue between all players in the insurance landscape, from insurers and brokers to institutional buyers and/or companies.

Concerns also stem from the increase in cyber insurance premiums caused by the rise of ransomware in 2021, which caused the cost of cyber insurance to increase by 102% in the first quarter of 2022.

These figures have caused many to worry about the market. However, despite the unease this trend has caused, it appears that premium increases are slowing down.

A report recently published by the market states that, despite industry-wide concerns, there appears to be a new capacity to underwrite this type of risk which, together with better management of the business by insurers, will lead to a stabilization of rates by 2023.

Insurers require different levels of security in digital and IT environments, closely tied both to the economic sector the policyholder belongs to and to its revenue, the report says. "If they have less than €60 million in annual turnover, then they will not need to have the same level of security as a managed service provider with €500 million in annual turnover."

"If you have less than €60 million, you have good backups, you have multi-factor authentication for all remote access and some kind of good endpoint solution, that will probably be enough to obtain reasonable coverage at a fair price."

However, larger companies are under more pressure today, as they are more likely to be attacked. If they have a couple of hundred million in revenue a year, it may be the case that security monitoring and control must be continuous throughout the year to maintain coverage.

Some degree of volatility in policy pricing and in the markets' willingness to underwrite certain risks is to be expected, however, as the insurance industry is still in its infancy, said Nicolas Jeanmart, head of personal and general insurance at Insurance Europe (the European insurance federation). "The cyber insurance market is still in its infancy," according to Nicolas.

"Insurers providing cyber insurance coverage are constantly developing innovative and sustainable solutions, which typically include advice to companies on how to limit their exposure and support after an attack. Cyber insurance can only be offered if key conditions are met, in particular, proper risk management by the companies buying the coverage."

Because of this, insurers are in a better position than regulators to raise the bar on cybersecurity, he indicates. "I don't think the government is necessarily as reactive and as committed to the security of companies as these, which have their bottom line and survival tied to these security standards compromised."

Galilea Group S.L. 

Corporate and International