Cyber insurance has been a success story since the late 1990s, offering companies protection for one of their leading emerging risks. In my opinion, the most important requirement to manage an evolving risk is transparency, both in coverage and exposure. At Munich Re, we believe that cyber insurance requires respect and proper risk management but is—at its core—insurable and able to be modeled, with two notable exceptions: infrastructure failure and losses arising from war.
Beyond the sometimes heated discussions about the best way to design cyber-war exclusions and what pace the market can bear, insurers should avoid making premature compromises. Offering unintended cyber-war cover puts not only balance sheets at risk but also the sustainability of the cyber market worldwide.
Armed conflicts are by their nature a matter for governments. It is the responsibility of the state to intervene to mitigate the consequences of a war, for the citizens and also the economy, as its consequences are so large and wide-reaching that private industry simply is not able to bear such a ruinous risk. War exclusions have formed an accepted part of property policies for almost a century for precisely these reasons. Cyber policies also contain war exclusion clauses, as the industry does not intend to extend cover to war-like situations.
In 2010, the Stuxnet worm demonstrated that state actors were willing and able to use digital tools to intervene in international conflicts to achieve their tactical or strategic goals. In contrast to Stuxnet, the NotPetya cyber attack in 2017 caused widespread damage beyond its presumed target, Ukraine. The consequences included significant disruption to many sectors and areas of life.
NotPetya marked a turning point for the (cyber) insurance industry, reinforcing the real possibility of catastrophic non-physical damage at the hands of a state. Exclusions, particularly in property “all risk” policies, that focused primarily on conventional aspects of warfare between states, such as the destruction of property, didn’t reference disruptive cyber-induced attacks and provided insufficient clarity when faced with such non-physical events. In some instances, this has resulted in protracted litigation, as the intent of coverage in such policies was also ambiguous.
Now that a “cyber war” without or alongside physical components is a real possibility, it is time for the market to move beyond the exclusions borrowed from property policies. Industry representatives and other stakeholders have been working toward solutions that provide clarity and thus can find broad acceptance across the market. The past has made it clear that developing suitable wordings will only be possible through collaboration and by balancing the interests of all stakeholders.
One early initiative by the Lloyd’s Market Association (LMA) was to publish updated war exclusions for commercial cyber business in November 2021. The proposed wordings and their successors aim to clarify what would not be covered: (1) armed conflicts between states and accompanying cyber attacks; and (2) government-initiated hostile cyber attacks against another country, which could have effects comparable to war-like activities. This latter requirement is intended to ensure that cyber attacks such as espionage, “hacktivism” and criminal attacks do not unintentionally fall foul of the new exclusions, while at the same time making clear that catastrophic non-physical hostile attacks by a state remain excluded.
This first step by the LMA toward more clarity on the topic, which was supported by insurers and reinsurers including Munich Re, led to a broader discussion in the market. Other initiatives followed, including our joint initiative with Marsh, which sought a better understanding of the intention behind the LMA’s original drafts. The goal of these and similar initiatives is to define and document as clearly as possible what does—and does not—constitute an insured incident.
For Munich Re, developing the cyber insurance market sustainably is our highest priority. A key requirement to achieve this is to ensure the war exclusions used are fit for purpose. Given the events of the past two years, the imperative to act is increasing. The experiences around the pandemic, 9/11 and the current war in Ukraine demonstrated that as an industry, we should act to safeguard our reputations—and balance sheets—by ensuring contract language, especially relating to systemic risks, is clear. Munich Re sees the benefit of widely accepted market solutions. Together with clients and brokers, major risk carriers such as Munich Re have been and will also be directly discussing and developing further potential solutions that adequately address the exposure issue.
The developing cyber market so far has been handling critical challenges relatively well. Making “silent” cyber exposure in property insurance more transparent and explicit was a positive step to isolate and manage the systemic risk. Identifying critical infrastructure failures, such as Internet or power outages, as an uninsurable risk and excluding them from cyber policies was another key milestone. The market recently has identified and reacted quickly to the ransomware trend, in the process helping to improve the resilience of industry by driving best practices. This adaptability is necessary to sustainably develop the cyber market, which by the end of 2022 had grown globally to approximately $12 billion (Munich Re estimate) and which offers the digitalized world valuable prevention and risk-transfer services.
Transparency enables long-term, sustainable insurance solutions, and that is in everyone’s interest. Customers must be able to clearly understand the extent of their insurance cover at all times. Insurers need to ensure they do not take on any risk that may impair their ability to offer coverage in the future.
As a marketplace of insurers, brokers and clients, we now need to take the next step in this direction with consistent and timely implementation.