It’s rare to find an insurance policy against war breaking out, but there’s a $10 billion market for cyber-insurance that guards against the threat of ransomware attacks. With the world as violent and turbulent as it is right now, though, lines between the two are blurring.
The ongoing wars in Ukraine and Gaza have insurers on such high alert that many simply aren’t offering coverage any longer, on top of which AI is creating new and unpredictable cybersecurity risks. And insurers expect a “significant” increase in hacks in 2024, to boot.
Those were the three key findings of a new report on cyber-insurance trends from consultancy Woodruff Sawyer. Insuring against cybercrime has grown from a tiny niche to a $10 billion market, with firms that offer coverage ranging from small specialty carriers to household names such as Chubb and Travelers. They offer coverage for losses incurred relating to companies’ IT and computer systems—for example, if companies are hacked and lose data or have to pay ransoms to get it back.
Woodruff Sawyer surveyed over 40 of its clients and found that the industry has a gloomy outlook this year: 56% of respondents said they believed cyber risk would “increase greatly” in 2024. They pointed to ransomware and war-associated risks as two of their biggest concerns.
“If you have an attack that is part of a war campaign, it can affect private companies across the globe that have nothing to do with war,” said Woodruff Sawyer national cyber practice leader Dan Burke in an interview with Fortune. “That is the true risk that’s elevated by conflict and war and geopolitical tension. That’s really what underwriters are mostly concerned about.”
A famous example of this type of ransomware attack was a virus called NotPetya, which circulated in 2017. Originating in Ukraine, it quickly went global and compromised the computer systems of dozens of companies, including drug giant Merck and shipping company Maersk. The White House estimated it caused $10 billion in damages.
“The NotPetya attack was a Russian-based attack against an accounting software in Ukraine. And it turns out that that specific piece of software was used by multinational corporations across the globe,” said Burke. “Because all these multinational companies were using it, they too were affected … There is the potential for an attack emanating out of Russia against Ukraine expanding its boundaries way beyond Ukraine.”
Wars in Ukraine and Gaza have insurers worried about this type of tactical ransomware getting loose and affecting companies worldwide—to such an extent that many of them have simply stopped offering coverage, excluding war-related risks from their policies. That’s left clients in the dark about how to navigate their cybersecurity strategy.
“There’s so much confusion about what they’re trying to exclude and what they’re trying to cover … It makes it very hard for a buyer to really understand what their risk and exposure is when it comes to cyber warfare,” said Burke.
Although excluding war-related risks represents a significant shift in the cyber-insurance sector, such exclusions are not uncommon in conventional policies. One reason the cyber industry has taken longer to catch up is that it’s harder to define what constitutes a war-related claim.
To be sure, Burke told Fortune, war exclusions are “on every insurance policy that has probably ever existed,” and these were “traditionally defined as kinetic warfare. So a tank’s rolling into a region. It’s more appropriate for a property damage type of issue where there’s mass destruction.” This hasn’t turned out to be “super appropriate” for a cyberattack.
Federal regulations are also complicating the cybersecurity landscape: Updated SEC rules that went into effect Dec. 18 require firms to disclose a hack within four days. That means companies will often have to tell investors about a breach before they know its full extent, exposing them to bad PR and heightened scrutiny from investors. Insurers noted that they were keeping a close eye on how these new rules could affect damages and payouts for clients.