
Cyber insurance trends to look out for in 2024 and beyond


The sustainability of the cyber insurance industry, and particularly concerns over cyber risk accumulation and systemic risks, will continue to be front of mind for insurers for the foreseeable future.

Within this, we have identified the following themes to look out for in the cyber insurance industry in 2024 and beyond.

1. Cyber war exclusions - time to be tested?

Many of the war exclusions we are familiar with, particularly in the property insurance context, date back to conflicts occurring in the 1930s, including the second Italo-Abyssinian War and the Spanish Civil War.1 An agreement was entered into between the Lloyd’s Underwriters Association (LUA) and the Association of British Insurers (ABI) to exclude war and civil war on all policies issued by Lloyd’s and London Companies subscribing to the agreement. This led to the introduction of the War and Civil War Exclusion clause NMA 464 1/1/38.

With cyber warfare becoming a common aspect of conflict in recent years, and given concerns over cyber insurance’s exposure to correlated widespread aggregation as well as uncertainties in the construction of traditional war exclusions as applied to state-sponsored cyber operations, the insurance industry has moved to modernise war exclusions to address cyber warfare risk.

In November 2021 the Lloyd’s Market Association (LMA) released four war, cyber war and cyber operation exclusions that were intended to be models for standalone cyber policies. The clauses ranged from a blanket exclusion to gradations of exclusions and exceptions for various losses. In its companion Market Bulletin Y5381, Lloyd’s required that all standalone cyber policies have a suitable clause excluding liability for losses arising from any state-backed cyberattack with five minimum requirements,2 with this requirement taking effect on 31 March 2023. Although the LMA model exclusions themselves were not mandatory, it was said that they would meet all requirements. Insurers were free to use different language, if vetted by counsel and approved by Lloyd’s.

On 18 January 2023 eight amended model exclusions were published, differentiated by a Type A and a Type B.3 Notably, the Type B clauses lack attribution, which means that in order for these clauses to be compliant, carriers will need to articulate to Lloyd’s how they expect attribution to be addressed.

The LMA has also conducted a review of a number of sample clauses from various carriers and provided confirmation on compliance with Lloyd's requirements as set out in the bulletin.4

Whether they are caught within the Lloyd's requirements or otherwise, insurers will need to modernise their war exclusion for cyber coverage, particularly in relation to how state-sponsored cyber attacks are dealt with. Considering the current geopolitical landscape and ongoing conflicts and tensions around the world, as well as the rise of cyber warfare and state-sponsored cyber operations, the operation and scope of cyber war exclusions will likely be tested in the near future.

2. Active cyber insurance - the next big thing?

Businesses, and particularly small and medium-sized enterprises (SMEs), may increasingly look to active cyber insurance as an alternative insurance product in 2024 and beyond.

In 2023 an active cyber insurer, Coalition, entered the Australian market with a suite of active cyber insurance products.5 Active cyber insurance differs from traditional insurance coverage in that it focuses on preventing digital risks before a cyber incident occurs. It helps an insured to understand their cyber risk posture and improve their defences to minimise the likelihood of a cyber attack, instead of solely providing financial compensation and incident response support after a cyber incident occurs.

SMEs often lack the resources to invest heavily in uplifting their cyber resilience or tools to detect, assess, and respond to cyber incidents, and only 20% of Australian SMEs currently have cyber insurance.6 With its unique offering of active security protection and insurance coverage, we may soon see a bigger uptake of active cyber insurance amongst SMEs.

3. Talent shortage issue in underwriting and claims teams

The cyber insurance industry will continue to grapple with attracting and developing talent within its underwriting and claims teams.

Cyber is a class of insurance that is still relatively young and developing, and yet highly technical. The ever-evolving risk landscape and the technicalities behind the nature of cyber attacks and claims mean specialist knowledge is required to effectively underwrite and manage claims in this area.

Insurers in Australia and internationally have been adding cyber security professionals to their underwriting teams to fill the technical expertise gap. However, there remains a shortage of insurance professionals with specialised cyber security knowledge and expertise, as well as a good understanding of the operations and dynamics of the insurance market.

Investing in internal staff who have an interest in this area and establishing structured development pathways for their progression will likely be a focus for many insurers facing a talent shortage in their cyber line.

4. Developing innovative solutions for capacity

Government backstop and catastrophe bonds

Concerns about systemic cyber risks and cyber catastrophes are not new and continue to be a key item on the agenda for most cyber insurers. In 2023 we saw further development of two alternative solutions to deal with this issue.

In the United States, the first solution being explored by the US Treasury Department is the introduction of a federal insurance backstop for catastrophic cyber events, currently being researched by the Department’s Federal Insurance Office in line with the strategic objectives announced in the Biden administration's National Cybersecurity Strategy Implementation Plan.

The US Treasury’s “tentative conclusion” regarding the scope of its focus is that because the private market for insurance against attritional cyber risk from losses other than those related to major catastrophes is dynamic and growing, it anticipates that its assessment of a potential federal insurance response will remain sharply focused on catastrophic cyber risk.7 Further, when assessing the insurance market for catastrophic cyber risk, it will remain focused on "the policy options for some kind of public-private sector collaboration or other federal response that cabins catastrophic cyber risk alongside the existing and expanding commercial cyber insurance market".8

In Australia, the Australian Reinsurance Pool Corporation (ARPC) manages the terrorism pool and cyclone pool. The Australian terrorism pool still excludes cyber terrorism.9 Although the ARPC may one day include cyber risks (including cyber terrorism) in a cyber pool, we suspect that governments and insurers are waiting to see what emerges from the US Treasury's proposal for a federal insurance backstop for catastrophic cyber events and how that could be replicated or adapted. Work focussed on this proposed solution will continue in 2024 and beyond.

The second alternative solution is the further development of cyber catastrophe bonds. In January 2023 insurance group Beazley unveiled a US$45 million catastrophe bond, the first insurance-linked securities (ILS) instrument established in the cyber insurance market.

The bond gave Beazley broad cyber reinsurance cover for remote probability catastrophic and systemic events, including tech errors & omissions (E&O) risks, across a one-year term.10 This was followed by a second cyber catastrophe bond issuance, using the same format of placing it with investors, and adding US$20 million of fresh reinsurance cover from capital markets.11 A third cyber catastrophe bond issuance provided a further US$16.5 million of reinsurance cover, which means Beazley had US$81.5 million of cyber reinsurance in cyber catastrophe bond form running to the end of 2023, with final maturity on 8 January 2024.12

Beazley announced on 2 January 2024 that it had closed its first 144A cyber catastrophe bond providing cover of US$140 million.13 This inaugural 144A bond builds on its previous US$81.5 million cyber catastrophe bond programme of 2023. Named PoleStar Re Ltd, the Series 2024-1 Class A notes are designed to cover remote probability catastrophic and systemic events. Structured on an indemnity trigger and per-occurrence basis, the bond runs for a two-year term to the end of 2025.14

In November 2023, AXIS Capital Holdings Limited also announced the closing of its first 144A cyber catastrophe bond, a US$75 million Long Walk Reinsurance Ltd transaction that provides the firm's subsidiaries with fully collateralised indemnity reinsurance for systemic cyber events on a per-occurrence basis.15 We understand that the US$75 million of Series 2024-1 Class A notes are scheduled to mature in January 2026.

These developments suggest that the ILS investor community has confidence in such products and continues to see opportunities in this space. Specialty solutions to address systemic cyber risk and cyber catastrophes will continue to be a key theme for the cyber insurance industry in the years to come.

5. Adapting to new risks - OT/IT overlap

To remain sustainable, the cyber insurance industry must be responsive to the risks brought about by emerging technologies and overlapping risks – such as the OT/IT overlap. Operational technology (OT) remains a critical component of any heavy industry organisation's ability to monitor and control internal systems. Previously, this involved physical servers and machinery that were typically isolated from the digital world. This meant it was more common for information technology (IT) networks to be targeted by hacking groups, as they could be accessed online.

As technology has improved, OT equipment has developed to include aspects of both physical machinery and online networks. An example of this is the recent increase in factories incorporating AI to improve the efficiency of their machinery. As a consequence, OT servers have become more vulnerable to cyber attacks and ransomware and malicious compromise attempts against OT assets have increased significantly.16

It is therefore no surprise that the Australian Prudential Regulation Authority (APRA)17 has issued new standards on operational risk management, Prudential Standard CPS 230 Operational Risk Management, with a focus on operational resilience to maintain continuity of critical financial services, including to combat elevated levels of cyber risk. CPS 230 aims to strengthen the management of OT systems and OT risks through new requirements that address weaknesses in existing controls, improve business continuity planning to ensure APRA-regulated entities are positioned to respond to severe disruptions, and enhance third-party risk management by ensuring risks from material service providers are appropriately managed. This prudential standard will commence on 1 July 2025. It will work alongside Prudential Standard CPS 234 Information Security, which seeks to strengthen minimum cyber standards for APRA-regulated entities.

As the cyber insurance industry faces growing challenges posed by overlapping risks, it will need to continue to adapt its products in response.



1 https://www.insurancejournal.com/news/national/2023/04/04/715079.htm

2 1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion. 2. (Subject to 3) Exclude losses arising from state-backed cyber-attacks that: (a) significantly impair the ability of a state to function; or (b) significantly impair the security capabilities of a state. 3. Be clear as to whether cover excludes computer systems that are located outside any state affected in the manner outlined in 2(a) & (b) above, by the state-backed cyberattack. 4. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states. 5. Ensure all key terms are clearly defined

3 LMA5564A, LMA5564B, LMA5565A, LMA5565B, LMA5566A, LMA5566B, LMA5567A, LMA5567B

4 https://www.lmalloyds.com/LMA/Underwriting/Non-Marine/Cyber_Clauses/cyber_war_clauses.aspx

5 Coalition is backed by Allianz Australia Limited

6 https://insurancecouncil.com.au/issues-in-focus/cyber-risk/; https://www.lifeinsuranceinternational.com/news/coalition-active-cyber-insurance-australia/

7 https://home.treasury.gov/news/press-releases/jy1922

8 Ibid

9 https://arpc.gov.au/resources/mind-the-gap/

10 https://www.artemis.bm/news/beazley-sponsors-third-cyber-catastrophe-bond-16-5m-cairney-iii/

11 The Beazley cyber cat bonds are privately placed Section 4(2) issuances, using as their special purpose insurer (SPI) the Artex Risk Solutions owned and operated segregated account reinsurance transformer platform, named Artex SAC Limited, acting on behalf of a segregated account, or cell

12 https://www.artemis.bm/news/beazley-sponsors-third-cyber-catastrophe-bond-16-5m-cairney-iii/

13 https://www.beazley.com/en-us/news-and-events/beazley-closes-$140m-cyber-catastrophe-bond

14 Ibid

15 https://www.reinsurancene.ws/axis-successfully-closes-markets-first-144a-cyber-catastrophe-bond/

16 https://www.cyberinsuranceacademy.com/knowledge-hub/guide/how-is-the-cyber-insurance-industry-dealing-with-operational-technology/

17 https://www.apra.gov.au/operational-risk-management-0


Key contacts

Jack Boydell

Lawyer

Rebekah Maxton

Lawyer