Your Cybersecurity Insurance is Absolutely Worthless…and it will get worse.

To be clear, I am not trying to sell you a policy. I don’t sell policies. And, I don’t have a recommendation for a policy. I don’t have a solution for you because every policy I have seen is worthless.

Which is why I always say….

“Your cybersecurity insurance policy is absolutely worthless, but I would never want to go through an SEC audit or examination without one”.

This is a line I have been toeing for years. I have covered the topic in several webinars. A recording of the latest is below.

Now, it is going to get worse…

Starting 31 March 2023, insurance companies will require all standalone cyber attack policies to include a clause excluding liability for losses arising from state-backed cyber attacks. This is in addition to the “war” clause that already exists and is so problematic.

The new clause will exclude any losses due to a war, declared or not, even if the policy has a separate war exclusion. In addition, it must also exclude any losses arising from state-sponsored cyberattacks that disable a firm’s ability to function properly.

Furthermore, the contracts will now have a stipulation on whether cover excludes IT systems not located in the country “under attack”, and it should set a clear standard for how the involved parties will reach an agreement if any state-sponsored cyberattack originates from one or more countries.

The evolving risk of cyber-related business was noted by one firm, Lloyd’s. They warn that if not managed properly, it could lead to significant losses for syndicates that would be difficult to recover from.

“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s added.

MTradecraft agrees. Especially considering that the large majority of FinTech providers have little to no cybersecurity budget, a widespread problem.

Lloyd’s stated that it is aware many managing agents already have clauses specifically excluding war and non-war state-sponsored cyber-attacks, but they need to be of a high standard with solid wordings.

“We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust,” said Lloyd’s.

Starting March 31, 2023, this new requirement will go into effect for every policy, both at its inception and at renewal. Note that this coincides with the SEC’s new cyber regulations known as 206(4)-9.

So again, please understand your cybersecurity policy is worthless. Unfortunately, the SEC and your clients expect you to have coverage.

Your only defense is to do your required cyber audits (SEC 206(4)-9) so that you patch systems, plug open ports, train your employees, and manage your vulnerabilities before they are discovered by malicious hackers…or your insurance company.
