Starting in 2023, Lloyd's of London is requiring its members to exclude catastrophic, state-based cyber attacks from their cyber insurance policies. This is a controversial change, and one that is known to be fraught with problems from the outset. Undoubtedly there will be a lot of claims litigation around questions such as:

  • How do you define what a “state-based” cyber attack is?
  • How do you attribute it?

This change has been in the works for some time, and it is not surprising: insurers are looking to reduce claims, especially catastrophic claims. Most probably, the rest of the insurance industry will follow Lloyd's, and clauses of this type will be embedded in many policies in the future.

Cyber attacks are not rare

The purpose of any insurance policy is to insure against rare, catastrophic risks. Note the word “rare.” Cyber attacks are not rare. They happen every day, affecting companies of all sizes around the globe. Today’s version of cyber insurance is therefore somewhat akin to US health insurance: it ends up paying for frequent, expected events rather than rare ones.

A cyber insurance policy doesn’t reduce cyber risk

What does the Lloyd's change tell the holder of a cyber insurance policy? With exclusions and sub-limits increasing, policyholders have much more “skin in the game.” Not all risks are covered. You can’t afford to assume that your cyber insurance will cover you for all cyber-related damages. You need to adopt an attitude of proactively reducing cyber risk so that the likelihood of a cyber event or a cyber attack is minimized.

Taking out a cyber insurance policy does not, by itself, reduce that risk. A cyber insurance policy will pay you for covered losses, but isn’t it better not to experience the loss to begin with?

In order to minimize risk, you need to become more active in cyber risk management, or to start doing it if you are not doing it at all.

What is cyber risk assessment?

Let’s use a simple analogy and perform a risk assessment on the chances that someone will break into your house. What do we have to consider? Certainly where you live and where your home is situated in the neighborhood. Is there a lot of crime in your neighborhood? Do you lock your doors and windows? If a window is not locked, where is it? Is it accessible from the ground, or do you need a 20-foot ladder to get to it?

After performing this risk assessment, you will better understand the chances of getting robbed. Based on the risk assessment, you might start locking your doors or add a security alarm. Or you might just do nothing. But at least you have considered the risks and potential consequences and you know where you stand.

The concept of cyber risk management is very simple:

  • Perform a risk assessment on a periodic basis
  • Analyze the results of the risk assessment and develop and implement a risk mitigation plan
  • Rinse and repeat

However, be advised that developing a risk assessment and risk mitigation plan is best done by an experienced professional in order to get the most accurate analysis. At Trava, we specialize in providing risk assessments to SMBs.

All companies need to focus on minimizing risks to make cyber attacks “rare,” yet so many don’t. The difference between performing or not performing a risk assessment could easily be hundreds of thousands of dollars. When was the last time you really identified and mitigated cyber risk? I would enjoy chatting with you about it. Schedule a call directly with me here.