Mario Greco, Chief Executive Officer of Zurich Insurance, believes that cyberattacks will one day soon become ‘uninsurable’ as disruptions from cyber events significantly increase in scale and complexity. The comments were made recently in an interview with the Financial Times.
“What will become uninsurable is going to be cyber,” Greco said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?”
He added, “First off, there must be a perception that this is not just data…this is about civilization. These people (ransomware cybercriminals) can severely disrupt our lives.”
Insurance for cybersecurity has increasingly become expensive and complex. Insurance companies now require extensive audits, baselines, and security investments to help protect organizational networks from cyberattacks.
Cloud service providers such as AWS, Google Cloud, and Microsoft have significantly increased efforts to improve security transparency and reporting in cloud-hosted environments.
Zero trust network access and extending these principles into the cloud is part of the solution providers such as Google Cloud offer as part of the Risk Protection Program and Cloud Protection program. This helps mitigate risk and access exposure by enforcing identity and access controls across multi-cloud and hybrid-cloud architectures.
Cyberattacks increasingly difficult to defend and insure
Cybersecurity insurance policies surged 79% within the last year, according to researchers. That is largely because the cost of breaches, especially with ransomware attacks—has exploded in recent years.
Sophos, based in England, found that the average cost of remediating a ransomware attack grew from $761K in 2020 to $1.85 million in 2021.
All of this equals an increasingly untenable situation for insurance companies to offer cyber insurance for clients.
In 2019, Zurich initially denied a $100 million claim for food company Mondelez after a NotPetya attack. It was initially determined that the NotPetya attack was a “warlike action”, and therefore didn’t meet the criteria for an insurance claim.
The two sides later settled on terms, according to the Financial Times.
The difficulty in cyberattack attribution, what defines the scope of a cyberattack, and cyber forensics for the purposes of insurance claims makes the situation increasingly difficult.
Greco said to the Financial Times that there “is a limit of how much the private sector can absorb,” in relation to absorbing the costs to insure and compensate organizations seeking financial compensation after a cyberattack.
Rising cyber insurance costs and bigger exceptions to policies mean many organizations may simply skip out on any form of cyber insurance.
Greco is calling upon politicians and governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.”
Greco also lauded the US government’s steps to discourage ransom payments. “If you curb the payment of ransoms, there will be fewer attacks.”
