Cyberattacks could soon become impossible to insure

Alfonso Maruccia

Why it matters: Attacks against critical technologies and cyber-infrastructures are increasingly becoming the most dangerous threat against civilization. That, at least, is the opinion of some insurance figureheads, who seemingly don't want to pay victims the enormous amounts of money needed to cover the costs of attacks.

The costs of cyberattacks will soon become so high that insurance companies will not be able to do business with the affected parties anymore. According to Mario Greco, chief executive of Zurich Insurance Group, cyber-risks will soon take the place of pandemics, climate change and other natural disasters as systemic risks which are essentially "uninsurable."

For the second year in a row, 2022 is ending with more than $100 billion worth of claims for natural catastrophes, but according to Greco, cyber is the true risk to watch. "What if someone takes control of vital parts of our infrastructure, the consequences of that?" Greco stated in an interview with the Financial Times.

The CEO of the Swiss insurance giant – a company with 55,000 employees and customers in 215 countries – is suggesting that cyberattacks can go beyond simple data breaches. "This is about civilization," Greco said, because black-hat hackers, cyber-criminals and state-sponsored techno-spies can "severely disrupt our lives."

The increasing activity by the aforementioned cyber-criminals and spies has already brought some important changes to the insurance business. Cyber-losses are skyrocketing, so insurance companies are trying their best to limit the amount of money granted to their clients. Insurance costs are being pushed up, while policies have been "tweaked" so that the clients are getting less by paying more.

Some outstanding examples of the new regime include the food company Mondelez, which was initially denied a $100 million claim by Zurich after the NotPetya attack in 2019. The formal reason: the insurance policy excluded a "warlike action." In September, Lloyd's of London decided that the insurance policies should have an exemption for state-backed attacks to limit systemic risks to the market.

According to Greco, the only way to guarantee that insurance companies will continue to do business in the technology and private market is to set up some sort of private-public system to better absorb and handle systemic risks.

Those risks cannot be quantified, Greco said, and must be treated like earthquakes or terror attacks when it comes to insurance costs for private companies. In this regard, Zurich's CEO praised the US government and how Washington is calling for views about a potential federal insurance response to cyber-threats like the Colonial Pipeline incident.


 
Just a nutty thought, but hear me out...maybe not connect everything to the Internet? Or even stop selling all your customers' data to cyber-criminals? How about requiring biometric 2FA for all critical infrastructure? Crazy, I know.

You'd be amazed at how hard it is to buy commercial cyber insurance for a company. Companies have many different vendors, all with different security; the people who understand this are often far from the insurance buyers (typically risk managers); and you need to complete hugely complex questionnaires for which the answers are all different depending upon which vendor's system you are considering (you may have 5-10 different systems, all with different security features). So how does an Underwriter even begin to understand just what terms to offer and how much premium to charge? And how does an insurance buyer collect all that data from an IT team who likely have no background in insurance? It is far from simple.
 
Cyber Insurance is not needed if you are Bullwinkle J Moose

Yeah, I still study malware online with Windows XP-SP2
It does not have a single security update from Microsoft and has been running online in a full admin account since 2014

ZERO successful ransomware attacks and ZERO successful wipers and I'M STILL Number 1

Beat that, AnandTech / Techspot / Bleeping Computer and all the "Experts" from every "Security" site that banned me for speaking the truth

Sure, I may be a complete A-Hole, but with those kinds of credentials, why wouldn't I be?

Happy New-Year!
 
"cyber-risks will soon take the place of pandemics, climate change and other natural disasters as systemic risks which are essentially "uninsurable."

Nothing is taking the place of climate change. Cyber-risks will take down companies but watch what happens when a country runs out of fresh water. It's looking like the Colorado river will be dead as a water or power source within the decade.

Maybe the author meant to write "will join (other examples) as uninsurable".
 
Well, it's especially hard to defend from someone who actually designs CPU architecture and builds insecurities right into the hardware. Or producers of routers with built-in back orifices. Or micro-controllers with external access possible after sending special codes. Or Bluetooth-enabled devices, where the BT standard is full of holes by design.

That's why it's impossible to stop the hackers. Because the world's top hardware and software producers cooperate with various agencies (and/or criminals) to add vulnerabilities right into the hardware, drivers and operating systems.

Despite what the world media might say, those who will bring down the infrastructure won't be some random hacker gang, or "dangerous hackers" from N. Korea. Nope. It will come from the top financial and political centers. Who will find many ways to profit from it. Not just financially.
 
Well, it's especially hard to defend from someone who actually designs CPU architecture and builds insecurities right into the hardware. Or producers of routers with built-in back orifices. Or micro-controllers with external access possible after sending special codes. Or Bluetooth-enabled devices, where the BT standard is full of holes by design.

That's why it's impossible to stop the hackers. Because the world's top hardware and software producers cooperate with various agencies (and/or criminals) to add vulnerabilities right into the hardware, drivers and operating systems.

Despite what the world media might say, those who will bring down the infrastructure won't be some random hacker gang, or "dangerous hackers" from N. Korea. Nope. It will come from the top financial and political centers. Who will find many ways to profit from it. Not just financially.
Then it is possible that cyberwars and huge losses will encourage companies that make software and hardware to create safer products
 
Cyber Insurance is not needed if you are Bullwinkle J Moose

Yeah, I still study malware online with Windows XP-SP2
It does not have a single security update from Microsoft and has been running online in a full admin account since 2014

ZERO successful ransomware attacks and ZERO successful wipers and I'M STILL Number 1

Beat that, AnandTech / Techspot / Bleeping Computer and all the "Experts" from every "Security" site that banned me for speaking the truth

Sure, I may be a complete A-Hole, but with those kinds of credentials, why wouldn't I be?

Happy New-Year!

That is, until one unaware employee clicks on an Excel, loads in a piece of malware, and tanks your whole infrastructure. You're basically saying that your insecure machine is secure because of whatever reason. Until they get in. You're toast.
 
Blah, blah, blah.. Fear porn.
"cyber-risks will soon take the place of pandemics, climate change and other natural disasters"
Yeah, for those who are spoon-fed TV propaganda, it will. World Economic Forum announced the rise of "cyberpandemic" more than a year ago. Sheep obediently fear what they are being told.
 
Blah, blah, blah.. Fear porn.
"cyber-risks will soon take the place of pandemics, climate change and other natural disasters"
Yeah, for those who are spoon-fed TV propaganda, it will. World Economic Forum announced the rise of "cyberpandemic" more than a year ago. Sheep obediently fear what they are being told.
The WEF probably have stakes in both the multi billion dollar cyber security vulnerabilities market and the insurance for cyber security protection. They are probably paying hackers to make a whole encyclopedia on every possible vulnerability on everything connected to the internet and then either selling those findings to the highest bidder and selling insurance based on those findings. Unfortunately this is the new norm of macro level manipulation on all things like healthcare, energy, cyber security, and soon food.
How do you bankrupt a company? Charge them insurance to protect them, hack them using loopholes/vulnerabilities. Rinse, repeat. Charge them a higher premium for less protection until the mega corporation isn't satisfied with the buyout price and so on and so forth.
 
Then it is possible that cyberwars and huge losses will encourage companies that make software and hardware to create safer products

Nope. Because there's a constant need to spy on the population. That requirement overrides any financial losses.
 
Just a nutty thought, but hear me out...maybe not connect everything to the Internet? Or even stop selling all your customers' data to cyber-criminals? How about requiring biometric 2FA for all critical infrastructure? Crazy, I know.
It's not a "nutty thought" and has been repeated and suggested many times before you. Companies should look at ways to REDUCE the need to be online. After all, it wasn't that long ago when the world functioned without an internet.

Again, notice I said reduce and not disconnect.
 