Cyber insurance: How to protect companies against cyber attacks?

A whopping $1.4 billion. According to the pharmaceutical manufacturer Merck, that is how much a hacker attack cost that rendered around 40,000 computers in the company unusable in 2017. Damage of this magnitude is not uncommon after a cyber attack. A number of companies have already had to pay several hundred million euros because of cyber attacks. Only a small part of that can be insured. Merck was lucky: the group was fully covered by an old policy. But the insurer Ace, now called Chubb, didn’t want to pay. Merck sued and won in court in early 2022.

“Five or six years ago, insurers loudly offered us cyber coverage, the policies were getting cheaper and cheaper,” recalls an insurance buyer at a German industrial group. She does not want to be named because she wants to avoid a public dispute between her group and insurers. “Then the insurers found out, oops, there’s also damage. Since then it’s been getting more and more difficult,” she says.

“The market for cyber insurance is tight,” says Sandra Dammalacks, division manager at industrial broker Deas, which belongs to the Ecclesia Group. “The insurers have high minimum requirements for the IT of the companies they insure.” If these are not met, there are no offers or only those with reservations.

“We do not insure companies that do not meet our twelve core underwriting criteria,” confirms Jens Krickhahn, who is responsible for cyber business at Allianz Global Corporate & Specialty. Underwriting is what insurers call risk assessment and pricing. He complains that too few companies have functioning emergency plans. In the event of damage, the decisive factor is how seriously a company takes its IT security. Take, for example, data mirroring, saving data on a second data carrier, and backups: “I’ve seen many cases of damage in which individual backups weren’t available or didn’t work,” says Krickhahn.

Broker Dammalacks believes that insurers are making things too easy for themselves. “Especially manufacturing companies find it difficult to meet the rigid criteria.” This applies to some chemical companies, to the food industry as well as to manufacturers of building materials. Even some insurance companies have outdated systems and fall victim to cyber attacks.

Industrial insurers, once very generous with cheap policies and high sums insured, are now becoming more restrictive. “Capacities have decreased,” says Dammalacks. “Up until two years ago, individual insurers insured up to 25 million euros per risk.” If a group then needed cover of 200 million euros, eight or more companies were involved, which is normal with such risks.

“Today, many companies give just five million euros by default, a few even ten million euros,” she says. In addition, the companies have increased their prices significantly for several years, “in some cases by several hundred percent”. For example, the companies have often halved the sum insured, but left the price unchanged. Insurers also require high deductibles. And such cyber cover is not cheap anyway. If you want to insure 100 million euros, in most cases you have to put two to three million euros on the table.

The all-risk policies actually insure all risks – including cyber attacks

The mood is bad between industry and the insurance industry. “Injuries and breaches of trust,” complained Jörg Schönenborn from Telekom. It is not without reason that buyers talk about conducting talks with their “fist in their pocket”.

The industry was particularly annoyed at how insurers dealt with so-called all-risk policies. In the past, a group could protect itself against all risks. Regardless of the reason the lines stopped, whether it was a fire, a storm or a cyber attack, the insurer paid. It was such all-risks coverage that led to Merck collecting $1.4 billion from Ace.

But after some spectacular losses, insurers have excluded cyber attacks from all standard policies. They refer to the separately available cyber covers. But many companies cannot obtain such cover, or not enough of it. As a result, many industrial groups are now uninsured against expensive business interruptions.

The insurers point to the so-called accumulation risk, the risk that many units are hit at the same time. With storms or earthquakes, things are simple. If there is a storm in Florida, it’s unlikely the same thing is happening in Europe at that moment. Cyber attacks are different. A large-scale ransomware attack can hit many customers in all parts of the world at the same time. “In the worst case, this can drive an insurer into bankruptcy,” warns Petra Riga-Müller, board member at insurer Zurich.

It is also clear that industry in Europe and the USA has enjoyed extremely low prices for its insurance for years. Now there are general price increases in lines such as fire or liability along with the partial withdrawal in cyber insurance.

Insurers are now wondering whether cyber risks should be insured privately at all. “What will become uninsurable is cyber,” said Zurich CEO Mario Greco in an interview with the Financial Times at the end of December 2022. “What if someone takes control of vital parts of our infrastructure?” He demands that governments should act and “create public-private systems”. Terrorism insurers like Extremus in Cologne, which cover major risks with state aid, are a role model.

Industry has set up its own insurer

The industry has started to fight back. On January 1, 2023, the insurer Miris started work in Brussels. It was founded by twelve European corporations. These include Airbus, Michelin and the chemical companies BASF and Solvay. Another 40 are said to be interested. Miris only offers cyber insurance for its members. There is a maximum of 25 million euros in insurance cover per year and member. The cooperative provider will therefore hardly overcome the shortage of capacity, but its founding has symbolic meaning. The fact that Miris exists at all puts pressure on the market and improves the negotiating position of buyers.

Thomas Pache, head of the cyber division in the German-speaking countries at the broker Aon, sees a slight easing in the market, which he does not attribute to the Miris foundation. “We currently have less damage,” says Pache. “Some attackers sponsored by the Russian state are currently busy fending off attacks on Russia themselves.” In addition, the industry has improved its security measures. At the same time, the first new providers came onto the market, including agencies for the London insurance market Lloyd’s.

Some calm is also returning to prices. “We only have small premium increases for the contract renewals for 2023.” Pache finds it understandable that insurers look at the quality of IT security at the companies they insure.

Some industrial companies have growing doubts as to whether they should buy cyber cover at all. For a billion-dollar corporation, the 100 million euros or 200 million euros that can be insured with a lot of effort don’t make a big difference in an emergency. But the insurance buyer of the German industrial group knows the reasons why she can’t get out of the business so easily: “Investors in the capital market demand that you have something like this, and so do the D&O insurers.” D&O insurers cover executive and supervisory board members against personal liability risks if they make management mistakes that cost their employer money. Indeed, if it turns out after a cyber attack that a company did not have cyber cover, it could hold the responsible board personally liable for the damage.

“The mood for cyber is resigned,” says the buyer. “I wish we could spend all the money we put into cyber insurance on improving our IT.”
