From extortion to cyber clarity, we offer our international experts' predictions on the opportunities and challenges that underwriters may face in the coming year and beyond.
1. Should cyber insurance cover extortion?
The official position of the US and UK governments is that they will not pay money to kidnappers. Italian law goes further: families are barred from paying ransom demands or negotiating with kidnappers, except with the permission of a prosecutor and the cooperation of the police. The assets belonging to the kidnapped victim's family are automatically frozen. The rationale is obvious. So why have governments stood back, allowing the targets of cyber extortion to pay in the hope of receiving decryption keys? In the early days of ransomware, the typical demand was for a payment of US$300 (£230) in Bitcoin. It made sense to pay rather than risk disruption. Nowadays, demands can run into millions of dollars, with attackers researching their target's ability to pay and timing their attacks with precision. On 2 October 2019 the FBI made an announcement seeking to discourage ransom payment. Europol also supports an initiative called "No More Ransom". Beyond initiatives like this, governments have held back from making payment unlawful. Is the current position sustainable? Regulators could use AML regulations to target companies that facilitate payments. Or governments may decide that the greater good demands a broader prohibition. This won't be easy when the targets are, say, hospitals or emergency response services. One thing is for certain: the more time that passes before a concerted effort is made to address this issue, the more serious it will become.
2. Cyber clarity will not be straightforward but must be prioritised
Since 2015, the Prudential Regulation Authority (PRA) has been escalating its scrutiny of cyber risk. Lloyd's has accelerated this process, publishing Bulletin Y5258 on 4 July 2019. This imposes a timetable for syndicates to provide clarity to customers on coverage for cyber exposures, with sanctions threatened where syndicates fail to comply. The PRA will expect similar steps to be taken by insurance companies. This will not be straightforward to implement. There is no clear definition of cyber risk. The scope of cyber risk in insurance also continues to evolve, which is a good thing: innovation is needed because cyber threats are also evolving. Cyber clarity is nonetheless a laudable objective and, with or without regulatory pressure, something which the market must prioritise.