Cyber insurance has been a success story since the late 1990s, offering companies protection for one of their leading emerging risks. In my opinion, the most important requirement to manage an evolving risk is transparency, both in coverage and exposure. At Munich Re we believe that cyber insurance requires respect and proper risk management but is at its core modellable and insurable. With two notable exceptions: infrastructure failure and losses arising from war. Beyond the sometimes heated discussions about the best way to design cyber-war exclusions, and what pace the market can bear, insurers should avoid making premature compromises. Offering unintended cyber-war cover not only puts balance sheets at risk, but also the sustainability of the cyber market worldwide.
Armed conflicts are by their nature a matter for governments. It is for the state to intervene to mitigate the consequences of a war, for the citizens but also for the economy, as its consequences are so large and wide-reaching that private industry simply is not able to bear such a ruinous risk. War exclusions have formed an accepted part of property policies for almost a century for precisely these reasons. Cyber policies also contain war exclusion clauses, as the industry does not intend to extend cover to warlike situations.
In 2010, the Stuxnet worm demonstrated that state actors were willing and able to use digital tools to intervene in international conflicts and achieve their tactical or strategic goals. In contrast to Stuxnet, the NotPetya cyberattack in 2017 caused widespread damage beyond its presumed target, Ukraine. The consequences included significant disruption to many sectors and areas of life. NotPetya marked a turning point for the (cyber) insurance industry, reinforcing the real possibility of catastrophic non-physical damage at the hands of a state. Exclusions, particularly in property “all risk” policies, that focussed primarily on conventional aspects of warfare between states, such as the destruction of property, and didn’t reference disruptive cyber-induced attacks provided insufficient clarity when faced with such non-physical events. In some instances this has resulted in protracted litigation, as, in addition, the intent of coverage was ambiguous in such policies.
Now that a “cyber-war” without or alongside physical components is a real possibility, it is time for the market to move beyond the exclusions borrowed from the property policies. Industry representatives and other stakeholders have been working towards solutions that provide clarity and thus can find broad acceptance across the market. The past has made it clear that developing suitable wordings will only be possible through collaboration, and by balancing the interests of all stakeholders.
One early initiative by the Lloyd’s Market Association (LMA) was to publish updated war exclusions for commercial cyber business in November 2021. The proposed wordings and their successors aim to clarify what would not be covered: (1) armed conflicts between states and accompanying cyber-attacks, (2) government-initiated hostile cyber-attacks against another country, which could have effects comparable to war-like activities. This requirement is intended to ensure that cyber-attacks such as espionage, “hacktivism” and criminal attacks do not unintentionally fall foul of the new exclusions, while confirming that catastrophic non-physical hostile attacks by a state clearly remain excluded.
This first step by the LMA towards more clarity on the topic, which was supported by insurers and reinsurers including Munich Re, led to a broader discussion in the market. Other initiatives followed, including our joint initiative with Marsh, who wanted to obtain a better understanding of the intention behind the LMA’s original drafts. The goal of these and similar initiatives is to define and document as clearly as possible what does – and does not – constitute an insured incident.
For Munich Re, developing the cyber-insurance market sustainably is our highest priority. A key requirement to achieve this is to ensure the war exclusions used are fit for purpose. Given the events of the past two years, the imperative to act is increasing. The experiences around the pandemic, 9/11, and the current war in Ukraine demonstrated that as an industry we should act to safeguard our reputations – and balance sheets – by ensuring contract language, especially relating to systemic risks, is clear. Munich Re sees the benefit of widely accepted market solutions. Together with clients and brokers, major risk carriers such as Munich Re have been and will continue to be directly discussing and developing further potential solutions that adequately address the exposure issue.
The developing cyber market has so far been handling critical challenges relatively well. Making “silent” cyber exposure in property insurance more transparent and explicit was a positive step to isolate and manage the systemic risk. Identifying critical infrastructure failures, such as internet or power outages, as an uninsurable risk, and excluding them from cyber policies, was another key milestone. The market has recently identified and reacted quickly to the ransomware trend, in the process helping to improve the resilience of industry by driving best practices. This adaptability is necessary to sustainably develop the cyber market, which by the end of 2022 had grown globally to approximately US$ 12bn, and which offers the digitalised world valuable prevention and risk-transfer services.
Transparency enables long-term sustainable insurance solutions, and that is in everyone’s interest. Customers must be able to clearly understand the extent of their insurance cover at all times. Insurers need to ensure they do not take on any risk which may impair their ability to offer coverage in the future. As a marketplace of insurers, brokers and clients, we now need to take the next step in this direction with consistent and timely implementation.