A body representing risk managers across Europe has warned cyber insurance could become an “unviable product” for companies as concerns grow over insurers failing to cover big state-backed attacks.
The Federation of European Risk Management Associations, an umbrella body representing 22 trade associations, said the cyber insurance market is “evolving in isolation from the industries it serves”.
It highlighted a move by Lloyd’s of London, the specialist insurance market and hub for cyber insurance, demanding that standard cyber policies have an exemption for big state-backed attacks.
“Without a more collaborative approach to cyber balancing the risk appetite of the insurance market with the coverage requirements of the corporate buyers, there is a risk that cyber insurance becomes an unviable product for many organisations,” Ferma said in a statement shared with the Financial Times.
The intervention is the strongest yet by the business lobby over the controversial exemption and wider concerns about cyber insurance.
Last month, the FT revealed that Bank of America was among the high-profile groups that had expressed concerns directly to Lloyd’s on its new requirement.
Ferma said the Lloyd’s move “highlights growing concerns about the overall value and sustainability of the cyber insurance product from the corporate perspective”, particularly for big businesses.
It called for “constructive dialogue” between all parties in the insurance market — including insurers, brokers, corporate buyers and regulators — and an annual COP-style event on cyber resilience.
“Why pay what some consider expensive premiums for increasingly limited coverage when further investment in cyber security is viewed as a more effective way of managing the risk?” said Philippe Cotelle, Ferma’s deputy president and head of insurance management at jet manufacturer Airbus’s defence and space division.
Defending its marketwide requirement, Lloyd’s said it “did not take this decision lightly and is committed to it”, adding: “Our response ensures we maintain an adequately capitalised market for manageable events, while providing clarity for customers on emerging political risks.”
It stressed that the new rule allowed for separate add-on policies to be brought forward covering big state-backed attacks, and that some were being developed.
Cyber insurers say the fears about policy gaps are overplayed.
James Burns, head of cyber strategy at insurer CFC, said last month that the Lloyd’s mandate had “been consistently misrepresented as a requirement to exclude all nation state attacks”.
The requirement, he wrote in a LinkedIn post, was only “to exclude attacks that are so catastrophic in nature that they destroy a nation’s ability to function. Think the digital equivalent of a nuclear strike”.
Critics say ambiguity over exclusions — Lloyd’s described attacks that provide a “significant impairment to state infrastructure”, a hotly debated meaning — will open the way to insurer challenges and costly legal battles.
In some cases, insurers have sought to avoid paying claims linked to the 2017 NotPetya attack, which was blamed on the Russian government, on the basis that it was a “warlike” act.
