Lloyds of London, a UK insurance market, made waves with its recent announcement that it will exclude nation state cyberattacks from its cyber insurance policies from March 31st 2023.
Actors backed by nation states can mount attacks more quickly and easily than ‘normal’ cybercriminals, and as Lloyds’ spokesperson Tony Chaudhry commented, society’s critical dependency on digital infrastructure means that the losses that could arise “have the potential to greatly exceed what the insurance market is able to absorb”.
Following this announcement, we spoke with Jack Chapman, Egress VP of Threat Intelligence, to discuss what this development means for organizations.
How does Lloyds’ decision not to offer cyber insurance coverage for nation state attacks fit with changes in the wider market?
“This is a significant step by Lloyds – but it doesn’t come out of the blue.
“If we step back and look at overall trends, more data breaches happen each year and the cost borne by organizations (and their insurers) also continues to increase. In fact, the US Treasury has said that ransomware payouts in 2021 totaled more than the previous decade combined.
“In response, evolution was already underway in the cyber insurance industry, with a tightening of terms and conditions, compartmentalization of cover, and higher premiums. Heidi Shey, a principal analyst at Forrester, has described this as a ‘hardening of the market’.
“So Lloyds’ decision can be seen as a leap, rather than a step, forward – but it’s not out of context with the cyber insurance industry at large.”
Why has Lloyds singled out nation state attacks vs. other cyberattacks?
“The announcement is a definite line in the sand – they’re saying they won’t cover these attacks because it’s too costly to do so and therefore the risk to them as a firm is too high.
“Nation state attacks have more resources behind them, so it’s possible for these bad actors perpetrating the attacks to sustain their attacks over months, and even years, to yield the ‘results’ they’re looking for. They can also act at a scale that ‘normal’ cybercriminals can’t.
“In addition, nation state attacks are normally targeted at high-risk organizations – those that handle highly classified or sensitive data such as governments, or those that would cause significant disruption if breached, for example critical national infrastructure. As well as targeting the organizations directly, cybercriminals also target their supply chain.
“Typically, supply chain businesses don’t have as robust cybersecurity measures in place, and it is easier for a hacker to leapfrog into the actual target. The cost to respond to and remediate a successful nation state attack is significantly higher than for other businesses.”
What does this mean for organizations?
“When specifically considering the nation-state piece to this, it’s my belief that organizations are going to get burned by funding litigation against their insurer or by taking the hit of covering the damages from the attack.
“It can be incredibly difficult to attribute attacks, particularly for mid-market and smaller organizations, so it will be hard for them to validate whether or not a cyberattack can be classified as a nation state attack. If they need to dispute a decision by their insurer, this will put smaller companies at a disadvantage.
“Thinking beyond this specific issue and about the wider cyber insurance industry, it’s likely this sets a trend that could have a significant impact on organizations.
“Many policies contain sub-caps within the overall headline policy number, which results in some organizations thinking they have more cover than they actually do. A recent report by Blackberry revealed that 37% of organizations with cyber insurance don’t have enough coverage for the average ransomware payment demand. 43% aren’t covered for secondary costs, such as court fees or employee downtime.
“To obtain, and retain, cyber insurance, organizations have to jump through numerous hoops, including detailed reviews with an insurer’s underwriting team to assess factors like levels of protection, internal processes, and technical and organizational controls.
“Higher risk businesses may also find that cyber, and increasingly Professional Indemnity, cover is being written on an ‘all claims’ (rather than ‘any one claim’) basis which impacts the real overall level of cover if there are multiple claims in a year.
“The fact is organizations won’t be able to rely on cyber insurance alone.”
How does Egress help its customers with cyber insurance?
“As mentioned, to secure cyber insurance organizations have to go through detailed reviews to help the underwriting team assess the levels of risk the organization faces and the protections they have in place to reduce the risk. There’s little chance of getting insurance if you haven’t got good email security software in place.
“Email security is key for every organization. Egress helps customers by providing intelligent email security to protect against both inbound and outbound email threats.
“Egress Defend detects and neutralizes the advanced phishing threats that are frequently used in the delivery phase of the kill chain. Egress Prevent and Protect address the outbound risk of data loss and unprotected information, reducing the risk that sensitive data is exposed to unauthorized access through human error or exfiltration from people inside your organization.”
Want to learn more?
Sign up to the Egress Human Activated Risk Summit on October 5th 2022 to hear Judy Selby (Kennedys Law) and Megan Ryan (Hiscox) talk about the lessons learned from post-breach reality.