Swiss Re Proposes Government Bail Out as Cybercrime Insurance Costs Spike (theregister.com) 27
As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme, with one option being a government-backed fund to help fill the coverage gap. From a report: Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecast 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.
Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association. While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. "The market needs to mature further to ensure enough insurance protection is available," John Coletti, head of cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity, and identifying new sources of capital."
Why does no one mention ... (Score:2)
actually spending more money on IT and specifically IT security?
Why is that apparently not an option?
Re: (Score:2)
If you're a hammer, then every problem looks like a nail. If you're an insurance company, every problem looks like an insurance gap.
Re: (Score:2)
Insurance lets you even out the cost of risk. If the cost of insurance is cheaper than doing something else, you take the insurance.
So if you're an insurance company, you naturally want to avoid the situation where "doing something else" becomes financially attractive.
Re: (Score:2)
A complete buy-in would be required by all business, engineering, platform, sales, etc., teams to revamp how they do things in
Re: (Score:1)
What do you think will happen when your insurance tells you "stop using software X or lose your coverage" or the fine print in the contract says, "not covered are incidents that are caused by flaws in certain software"?
Insurers are in the business of calculating risk. They probably can calculate the risk of using software from a certain vendor. They just need to add a price tag to the risk. It seems nobody wants to pay that price, though.
In total, it reads a bit like "Privatize profits, socialize risks (or
Re: (Score:2)
Getting insurance can increase security spending (Score:2)
Re: (Score:2)
Money isn't necessarily the issue.
For insurance companies they need to have standards that they can write into the policies. Don't meet the minimum standard for security and your claim is denied, same as if a homeowner didn't fit locks or left a window open.
Problem is that it's hard to create effective standards for cyber security. Too many variables, too many different configurations, lots of in house apps not used anywhere else, and the ever present threat of zero day exploits. It's difficult to write "hi
Re: (Score:2)
Nope, it's dead easy: the UK government has done all the leg work for you. I suggest you Google "cyber essentials". All you need to do is write into your policy that unless you are Cyber Essentials compliant then your claim will be denied. Simple really, and I bet most companies that get hit with cyber attacks are not Cyber Essentials compliant.
The other thing is that insurance companies are not charging enough for cyber coverage. If they started doing their actuary correctly and bumped the price up perhaps co
Re: (Score:2)
"[S]pending more money on IT and specifically IT security" is too vague to be useful. Insurance is cheap, and the insurance companies are not requiring any specific actions as a condition of coverage.
Security is hard. It is a moving target. By the time you can define the threat and the proper response/mitigation, a new threat is already here. Follow industry best practices you say? Everyone has a different idea of what that means, so expect endless arguments over whether best practices were followed.
Re: (Score:2)
Because then they would also have to say that most companies that got hit were basically asking for it by shoddy practices, bad security and prioritizing profits over everything. A lot of powerful people do not want to hear that.
Re: (Score:2)
Did you know most IT sec programs in universities and trade schools world wide teach no computer science? Not even the basics like "what is a BIOS"?
As usual (Score:2)
Privatise the profits, socialise the losses.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Buying insurance is socializing losses?
Re: (Score:2)
Ah I went back and re-read the summary and I see the part about the government backed fund.
How about. . . (Score:2)
I'd rather the money went to bounties. (Score:2)
Let them fail (Score:3)
If they're too incompetent to manage their business it is not the responsibility of taxpayers to bail them out.
Failure must always be an option when it comes to private industry.
$1 Trillion Dollars? (Score:2)
How are these hackers not getting bombs dropped on their houses?
For that amount of change intercontinental missiles might not make sense, but some navy artillery or some jets or helicopters would.
Re: (Score:2)
Because nobody knows which house to target. Or there may be something nuclear coming back if you did that.
Ironic (Score:2)
Since Switzerland is the source of plenty of "cyberattacks". Some of the most brutal I have ever seen. (Looking at you ProtonVPN...).
Neutral? My arse. Switzerland has been openly at war with many countries for quite some time now.
Re: (Score:2)
Add the UCEPROTECT extortionist to the list. Completely destroyed OVH hosting in one fell swoop. Presumably as mercenary action on behalf of Microsoft, Amazon and/or Google.
Conveniently he seems to be immune to local Swiss law enforcement as well.
Switzerland is in complete control of who hosts what and where. So they can go cry a river about their insurance money. I'm sure many times that money has been earned in their own offensives.