The Limited Times


Risk from cyber attacks: "Damage that a private insurer cannot bear"

2021-11-25T09:40:56.714Z


In the event of a major hacker attack, does the insurance pay? There are now new regulations for this. Jürgen Reinhart from reinsurer Munich Re explains what they mean for clients and taxpayers.


Laptop from above: In the past few years, insurers have done good business with cyber policies

Photo: B. TONGO / EPA / REX / Shutterstock

Insurers fear nothing more than incalculable risks. That sounds absurd at first, because according to popular belief, they are there to hedge against risks. However, the industry runs into trouble when it cannot calculate the extent to which certain risks will materialize over time, and may therefore face damage that insurers can bear only at a loss or not at all. A study by the consulting firm PwC and the Center for the Study of Financial Innovation has shown that insurers currently see cyberattacks as the greatest risk of this kind.

Hackers have attacked the IT systems of companies, authorities and institutions with increasing frequency in recent years, sometimes causing great damage. The attackers are often concerned with extorting money, but sometimes also with sabotage or espionage. Who is behind individual attacks is often a matter of speculation; sometimes it is criminal groups, sometimes state actors are in the background.

Insurers have been busy selling cyber policies for years, and the Munich-based reinsurer Munich Re expects this market to grow from around seven billion dollars (2020) to 20 billion dollars in 2025. In the meantime, however, the costs often exceed the premium income, which is why some providers are withdrawing again. In addition, traditional property insurance companies also have to pay for damage from hacker attacks. Some contracts were written at a time when cyberattacks mainly occurred in science fiction novels.

In order to get the increasing risk of hacker attacks under control, the members of the Lloyd's Market Association - one of the most important industry associations - decided on new standard clauses for cyber insurance this Monday.

They state what is meant by a cyber attack and what damage is not covered by insurers: for example, damage caused by attacks initiated by states.

Jürgen Reinhart, Head of Cyber Insurance at Munich Re, explains what the new rules are all about.

SPIEGEL:

Mr. Reinhart, the insurance marketplace Lloyd's of London has adopted standard clauses that determine when insurers bear the damage of a cyber attack - and when not.

Does the insurance industry want to use this to offload major risks to the state?

Reinhart:

No, above all we want to create clarity.

There have always been clauses that excluded the coverage of systemic risks, especially damage resulting from war or nuclear disasters.

But these clauses were out of date because they were formulated when wars were formally declared and fought with conventional weapons.

Today states use criminal organizations and attack covertly with cyberattacks.

This can lead to damage that a private insurer cannot bear.

SPIEGEL:

But so far, there hasn't been such extreme damage as a result of hacker attacks?

Reinhart:

That's true, but it was perhaps just a lucky coincidence.

There have been attacks, for example on the American software company SolarWinds, which presumably go back to state actors.

The financial damage was manageable, but in some cases could have been significantly greater.

Until two years ago, pandemics did not cause any systemic damage, but Corona has revealed that the insurance industry was not adequately prepared for such a pandemic either.

In the case of cyber risks, we want to prevent that.

SPIEGEL:

Why was it so difficult to even find a formulation for excluding cyberwar?

Reinhart:

In contrast to conventional war, it is difficult to prove with cyber whether the attacks are state-motivated.

Munich Re would therefore have liked to describe scenarios that lead to uncontrollably large damage without explicitly naming "war".

That was not enforceable in the industry.

It was more important to us to reach a consensus in order to set a standard.

We therefore negotiated for a long time and finally found a compromise.

SPIEGEL:

And what does it look like?

Reinhart:

First of all, it is now ensured that in the event of a conventional war, the policies will not cover any cyber damage.

Second, the clauses stipulate that in the event of a state-initiated cyber attack that has a "major detrimental impact" on the state attacked, i.e. serious negative consequences, the insurer will not cover the damage.

That would be the case, for example, if the financial system, water or electricity supply or the health system collapsed as a result of an attack.

SPIEGEL:

How can you, as an insurer, even determine whether a government client is behind a cyber attack?

Reinhart:

According to the new clauses, the insurance does not apply if the state concerned attributes the attack to a state client.

If the damage is so severe, the affected governments will usually do so.

SPIEGEL:

What if the government of an affected country doesn't speak of an act of war?

Reinhart:

Then we as insurers have to prove that a cyber attack has a political background.

Until we succeed in doing this, we are allowed to suspend payments if there is sufficient evidence to settle the damage.

SPIEGEL:

The problem with cyber attacks is precisely that the client can hardly be discovered.

How are you going to do that?

Reinhart:

At Munich Re we have a large team of experts, some of whom have an intelligence background.

In addition, insurers also employ specialized external investigators.

"We have to look for solutions, but there are limits to our resilience"

SPIEGEL:

What do the regulations mean for your customers, primarily companies, but also authorities and utilities?

Reinhart:

With these new clauses, it should be clear to all companies in which cases insurers will compensate for the damage and in which cases they will not.

From now on, policies will gradually be changed accordingly.

However, it will take years for the new standard clauses to be implemented in all contracts.

SPIEGEL:

In recent years, insurers have done good business with cyber policies. However, since the number of attacks has risen sharply, insurers recently withdrew or restricted their offerings. Will more insurance cover be offered again due to the new regulations?

Reinhart:

The clarity provided by these clauses helps insurers, but politically motivated attacks are only one of several so-called accumulation risks.

There are other types of cyberattacks that can cause a variety of major damage at the same time.

For example, when entire supply chains collapse as a result of an attack or large cloud providers and thus tens of thousands of customers are affected.

If our industry can no longer cover cyber risks, we as insurers will become superfluous.

We have to look for solutions, but there are limits to our resilience.

SPIEGEL:

What happens to the remaining risks?

Does the state have to step in?

Reinhart:

A desired side effect of the new clauses is that the states will now have clarity, at least in the event of politically motivated attacks, as to which damage is privately covered.

This lays the foundation for a state solution, for example a kind of "cyber war pool", just like there is already a "terror pool".

"The subject is politically highly sensitive"

SPIEGEL:

Will the insurers participate in such a pool?

Reinhart:

With the new clauses we are pushing the limits of what we can do.

Munich Re will therefore not be able to participate in a pool.

The states would have to think about how to build up such a reserve.

SPIEGEL:

How high would that have to be for a country like Germany?

Reinhart:

I can't put a figure on it, but it would have to be a substantial amount.

SPIEGEL:

Wouldn't it make more sense to strive for a European solution?

Reinhart:

It would be ideal if states get together.

But the subject is of course highly politically sensitive.

The pandemic showed how little willingness there initially was to show solidarity within Europe.

The question of how well companies and states protect themselves against attacks also always plays a role.

Source: spiegel
