Insurer warns: cyber security will soon be more difficult to insure than climate damage

Not the damage of climate change, but the risk of cyber-attacks could become uninsurable in the near future. CEO Mario Greco of Zurich, one of Europe’s largest insurance companies, made this warning in conversation with the business newspaper The Financial Times. Although insurers had to pay out more than 100 billion dollars (93 billion euros) for the second year in a row to compensate for damage caused by natural disasters, Greco says cybersecurity will soon no longer be covered.

According to the Zurich CEO, when we think of cybercrime, we often think mainly of the capture of privacy-sensitive information, and not of what can happen if someone takes control of vital parts of the infrastructure. “These people can seriously disrupt our lives.”

Zurich CEO: public-private partnership needed to insure systemic risks

Think of cyber attacks on critical infrastructure such as those in Kiev, where large parts of the population were without power in 2015 and 2016 as a result of a computer hack, or the ransomware attack that shut down a crucial US oil pipeline last year and caused fuel shortages in some states. In such an attack, hackers hold the data of companies or government services hostage to force them to pay a ransom. Meanwhile, social disruption can cost many times more. The origin of the groups is not always known, although it is believed that hacker collectives with ties to the Russian, Chinese or North Korean governments are often active.

Off the air for two weeks

Not only companies are targets, as became clear this month in Antwerp. On December 6, it became apparent that a hacker collective had infiltrated the city’s IT systems. When the alarm was raised, hackers had been ‘in’ for thirteen days – and were demanding a ransom. If the city did not transfer 2 million euros, the hackers would release a large amount of privacy-sensitive data. Shortly before the hack, a campaign had been started to raise awareness about cyber attacks among residents and businesses. “Perhaps somewhat ironically”, Antwerp mayor Bart De Wever said with a somewhat strained smile during a press conference at the beginning of last week.

To prevent worse, the plug was pulled on all IT systems. Several services in the city were offline for almost two weeks. The hackers eventually withdrew their demands, possibly for fear of being identified. It is not known what the cyber break-in ultimately cost the city – in any case, according to De Wever, no ransom was paid. The city would also not be insured against cyber attacks. After all, whatever amount you throw at it, “one hundred percent security does not exist,” said De Wever.

And that is precisely the problem for insurers. The number of cyber attacks has been increasing for years, and with it the damage. The claims are causing insurers to tighten their policy conditions; measured over April and May of this year, according to research by insurer AON, premiums had risen by 27 percent compared to a year ago. More and more customers also have to meet high security requirements – the American insurer AIG asks customers to fill in a list of 25 questions about their security measures. Those who score more than unsatisfactory will not receive a policy.

According to CEO Greco, there are limits to the risks that the private sector can bear. The Zurich chief says governments should set up a “private-public partnership” to insure the systemic risks posed by cyberattacks – risks that are generally difficult to quantify.

European directive must be stricter

Insurers are also looking forward to a revision of the EU cybersecurity directive. The current directive (2016) applies to companies with an ‘essential function’, such as those in the telecom and energy sectors. In Brussels, policymakers are considering a revision under which more sectors will fall under the stricter rules and the number of measures will also increase. Thanks to the new directive, ‘uninsurable’ companies should become safer, which reduces the risk, so that the costs of cyber insurance can come down somewhat. It is not yet clear when the revision will be available. Until then, the following applies: do not click on suspicious links and update IT security in good time.
