Why it matters: Attacks against critical technologies and cyber-infrastructures are increasingly becoming the most dangerous threat against civilization. That, at least, is the opinion of some insurance figureheads, who seemingly don't want to pay victims the enormous amounts of money needed to cover the costs of attacks.
The costs of cyberattacks will soon become so high that insurance companies will not be able to do business with the affected parties anymore. According to Mario Greco, chief executive of Zurich Insurance Group, cyber-risks will soon take the place of pandemics, climate change and other natural disasters as systemic risks which are essentially "uninsurable."
For the second year in a row, the year (2022) is ending with more than $100 billion worth of claims for natural catastrophes, but according to Greco, cyber is the true risk to watch. "What if someone takes control of vital parts of our infrastructure, the consequences of that?" Greco stated in an interview with the Financial Times.
The CEO of the Swiss insurance giant – a company with 55,000 employees and customers in 215 countries – is suggesting that cyberattacks can go beyond simple data breaches. "This is about civilization," Greco said, because black-hat hackers, cyber-criminals and state-sponsored techno-spies can "severely disrupt our lives."
The increasing activity by the aforementioned cyber-criminals and spies has already brought some important changes to the insurance business. Cyber-losses are skyrocketing, so insurance companies are trying their best to limit the amount of money granted to their clients. Insurance costs are being pushed up, while policies have been "tweaked" so that the clients are getting less by paying more.
Some outstanding examples of the new regime include the food company Mondelez, which was initially denied a $100 million claim by Zurich after the NotPetya attack in 2019. The formal reason: the insurance policy excluded a "warlike action." In September, Lloyd's of London decided that the insurance policies should have an exemption for state-backed attacks to limit systemic risks to the market.
According to Greco, the only way to guarantee that insurance companies will continue to do business in the technology and private market is to set up some sort of private-public system to better absorb and handle systemic risks.
Those risks cannot be quantified, Greco said, and must be treated like earthquakes or terror attacks when it comes to insurance costs for private companies. In this regard, Zurich's CEO praised the US government and how Washington is calling for views about a potential federal insurance response to cyber-threats like the Colonial Pipeline incident.