Canadian Underwriter

Insurers checking their war exclusions for cyberattacks

March 10, 2022   by Philip Porado

Digital hand grenade

Print this page Share

While cyberattacks have increased since Russia invaded Ukraine and numerous countries responded with tighter sanctions, most of those attacks have been more basic distributed denial-of service attacks on both sides of the conflict, said a DBRS Morningstar commentary on cyber warfare’s potential impact on North American and European insurers.

“Although acts of war (declared or not) are typically excluded from cyber insurance policies,” said Marcos Alvarez, senior vice president and head of insurance at DBRS Morningstar, “the current conflict could potentially increase cyber-related insurance and reinsurance claims in Europe and North America, as attribution can be very difficult to determine in cyber incidents.”

He added it’s expected “that insurers and reinsurers will continue to clarify their cyber war exclusions to face the new realities of state-sponsored cyberattacks.”

Attributing cyberattacks to state actors, or proxies, is difficult since those engaging in cyber warfare usually don’t publicize their actions. The commentary said even a specific state actor is strongly suspected, “legal courts might not side with insurers, particularly if existing policy language is subject to interpretation.”

In response, DBRS Morningstar noted that, beginning in 2019, insurers and reinsurers have reviewed and tightened war exclusion language in both cyber insurance policies and all-risk property policies that could include ‘silent cyber’ coverage: situations in which a policy doesn’t explicitly include or exclude cyber risk.

Attribution will remain challenging, the commentary said, “because it places the onus on the insurer to demonstrate that a cyber incident was actually performed by a state actor or its proxy in the absence of official confirmation from intelligence agencies in the targeted country.”

And, for most litigation, getting information needed to prove state involvement could simply take too long – and in some cases may never be disclosed for security reasons.

Over the past two years, rising claims mean cyber insurers’ loss ratios have surged as profitability for cyber insurance products has deteriorated. Both frequency and severity of claims have been rising, the report said, citing National Association of Insurance Commissioners data that found the combined ratio for stand-alone and package policies covering U.S. cyber risks leapt to 66.9% in 2020 from 44.6% in 2019.

That’s led to sharp rate increases, and reductions in available limits per policyholder. DBRS Morningstar said it expects the hardening of cyber insurance rates to continue in 2022 given the potential fallout of the Russia-Ukraine conflict. Insurance and reinsurance companies also are hiking cyber rates to cover costs for services, such as negotiating with hackers and helping recover data after ransomware attacks.

DBRS Morningstar further predicted insurance industry litigation costs will rise as more policyholders take denied claims to court.

“The global cyber insurance market has experienced tremendous growth since 2015 in response to more frequent and sophisticated cyberattacks,” the commentary said, “a trend that we expect to continue in the medium term with gross written premiums estimated to reach more than US$20 billion by 2025.”

And reinsurance and insurance companies are closely eying the risk of a single cyber event simultaneously affecting several policyholders.

“Cyber risk has the potential to generate a chain of highly correlated losses because of the increasing connectivity of global communications and the widespread use of certain operating systems,” the commentary noted. “A systemic event of such scale, particularly in the context of state and non-state actors employing cyber warfare against adversaries, has the potential to cost multiples of the estimated size of the current cyber market.”


Feature image by