Is cyber risk transfer through financial instruments still a valid mitigation/strategic option?
- The Merck settlement took over 5 years &, with war exclusion clauses in place eliminating cover for state-sponsored attack impacts, what other considerations are required?
- Many US states have now made payments for ransomware attacks illegal;
- Those states that have public laws against ransomware payments have a lower incidence than others;
- Entities stating they have substantially increased ITSEC spend have been targeted less than those who do not make such public statements;
- Cyber re/insurance premiums increased 50-70% over the past 12 months;
- Attachment points are high & most cover is EoL or with low limits (the Yahoo hack of 2016 cost over $175 million; higher levels are needed).
- ILW/ILS major announcement deals numbered 4 in 2023 – those pushing for ART via financial instruments are within the financial markets, or VC-funded CRQ entities desperate to find a pathway out from a high burn rate;
- AI/post-quantum cryptographic vulnerabilities mean zero data & no experience of what will occur when malicious actors leverage these areas, & risk carriers have no idea what individual, aggregated or sectoral impacts they will undoubtedly have.
What has the highest levels of cyber breach/vulnerability compromise? Human error.
Years of data amply demonstrate the cost-benefit of training & education.
Allocate budget to ITSEC & training for the best bang-for-buck & forget ILS/ILW – look to captive options if there is a pressing mandate to use a financial instrument to mitigate cyber exposure.
Allocate capital to ITSEC & personnel up-skilling, rather than face years of litigation arguing if a carrier should pay out or not – look at the Covid-19 BI claims history for clear evidence of what your organisation’s cyber resilience needs.