8 Questions for Amwins’ David Lewison on the Impact of Warfare on the Cyber Insurance Markets

An experienced insurance executive, David Lewison of Amwins discusses the wars in Ukraine and Gaza and their impact on cyber warfare and insurance.
By: | April 10, 2024
Topics: Cyber

Risk & Insurance’s editor-in-chief, Dan Reynolds, recently spoke to Dave Lewison, executive vice president at Amwins, to discuss the implications of global conflicts on cyber warfare, the current state of the cyber insurance market, and the potential misuse of artificial intelligence in cyberattacks. What follows is a transcript of that conversation, edited for length and clarity.

Risk & Insurance: What might be the implications of the wars in Ukraine and Gaza on cyber warfare and its impact on insureds?

Dave Lewison: As brokers, our views can differ from carriers. Carriers aim to protect their balance sheet and provide insurance, while our role is to ensure the product delivers what the insured hopes for and protects them from cyber events and potential litigation arising from war or losses.

Our main concern is the increasing exclusions in policies. We understand that no carrier wants to be in the middle of insuring armed conflicts between states, as commercial insurance is meant to protect businesses during normal operations, not during war. Carriers have had war and terrorism exclusions in cyber insurance policies for years to avoid being involved in war.

A couple of years ago, carriers started drafting new war exclusions due to concerns about systemic risk. If a war involved countries where they had significant business, they could face global business interruption losses on their cyber policies. Initially, brokers were not overly concerned as long as state-sponsored bad actors infiltrating networks were still covered, which has been a long-standing issue.

However, when the war broke out, concerns arose about insurance relying on systems in affected countries. While there may be fewer concerns about Russia or Ukraine, many network security and tech firms are based in Israel, and people use those services. The early exclusions broadly excluded anything arising out of or related to war, armed conflict, civil unrest or riots.

The exclusions have since evolved to be clearer in handling these situations. Munich Re and Beazley, two of the largest players in the cyber insurance market, have made significant efforts to refine their language. They now define war as a kinetic or physical conflict and specify that the exclusion won’t apply if the insured is not one of the two sovereign states or nations involved.

This means that if a U.S. health care entity, for example, is collateral damage but does not operate in the affected regions, they will still have coverage. Many carriers have drilled down on this language, often due to pressure from the brokerage community to address the impacts that concern them.

Anytime there is a new or resurgent threat, policy language quickly evolves to address it. In the early days of cyber insurance, ransomware coverage was included but largely ignored until the 2019 ransomware epidemic. This led to a closer examination of how the coverage worked and the introduction of dependent business failure coverage.

Dependent business failure covers situations where the insured’s business is impacted by a system they rely on but don’t own, such as a third-party sales system. Early versions of this coverage only applied if the insured’s own system was compromised, but it has since been expanded to cover instances where the insured is dependent on the affected system to operate.

Insurance carriers are not evil and looking for ways out, but ambiguity in policy language often gets tested when real problems arise. This is when both insurers and brokers learn about potential issues and engage in a push and pull to refine the language and coverage intent.

R&I: How prevalent are the differences in language and coverage requirements among major global brokers, particularly regarding war exclusions?

DL: Every major broker likely has its own “secret sauce” of desired coverages, often in the form of amendatory endorsements developed from experiences where a client’s claim was denied. The goal is to word these endorsements in a way that provides certainty and prevents similar denials in the future.

The variations in war exclusions across different global brokers were particularly striking to me recently. For instance, I learned that what satisfies Aon’s requirements might not be sufficient for WTW, and WTW’s preferences may differ from Marsh’s. It was interesting to see a carrier present a menu of agreed-upon options, allowing us to select the most suitable wording for our needs.

R&I: What impact have the conflicts in Ukraine and the Middle East had on the frequency and severity of cyberattacks globally?

DL: In the early days of the Russia-Ukraine conflict, two major players on the state-sponsored attackers list became preoccupied with attacking each other, resulting in a temporary reprieve for the rest of the world. However, this did not stop other state-sponsored hackers or hacker groups residing in those countries from continuing their activities.

There were rumors of hacker groups in Russia and Ukraine relocating to other countries to continue their operations, which primarily involve credit card fraud, social engineering and ransom attacks, rather than engaging in war or benefiting their host nations. Additionally, it is widely reported that North Korea’s economy is subsidized by ransom attacks, and if they were engaged in a war, their hackers would likely be focused on attacking their adversaries.

Similarly, there are parts of Russian intelligence that allegedly obtain funds through illicit means, and they have been occupied with the conflict in Ukraine. Several markets have noticed a decrease in activity originating from these regions.

R&I: What is the current state of the cyber insurance market, particularly in terms of pricing and the impact of ransomware activity?

DL: The cyber insurance market has undergone significant changes in recent years. In 2019, the frequency and severity of cyber incidents, particularly ransomware attacks, increased dramatically. Insurers responded by raising rates by 100 to 300% between 2019 and 2021 and mandating strict security controls — such as air-gapped backups and multifactor authentication — as prerequisites for coverage.

In 2022 and 2023, insurers reported seeing improvements in the market, leading to a relaxation of some security control requirements. However, over the past 12 months, there have been indications that ransomware activity is as prevalent as it was before the market hardening. While fewer unprotected risks exist, there are still vulnerabilities due to human error and configuration issues.

The rapid response to the cyber crisis was driven by the short-tail nature of ransomware losses, which require immediate payouts. Currently, the market is in a transitional phase, with rate decreases slowing to 5% up or down. Good risks are seeing decreases, while the excess layers of insurance towers are experiencing more significant price competition.

As a wholesaler focusing on middle-market and smaller risks, Amwins is somewhat insulated from the volatility seen by global brokers dealing with large insurance towers.

However, the underwriters experiencing the loss activity are questioning the rationale behind the current pricing trends. Despite this, base rates remain higher than pre-crisis levels, suggesting a more stable market in the near future, barring a significant deterioration in conditions.

R&I: What measurable impact are you or your contacts seeing from the use of artificial intelligence in cyberattacks?

DL: AI is being used by both the attackers and defenders in the cyber landscape. While hackers employ AI to create new strains of malware that can slip past security measures, cybersecurity providers leverage AI to analyze the vast number of attacks and quickly identify emerging trends.

AI’s ability to recognize attack patterns, even when the code is slightly altered, makes it a valuable tool for cybersecurity. However, AI also introduces new risks in the insurance market, particularly in the context of blended tech E&O and cyber products.

If an AI makes a mistake in writing code or borrowing source code, it could trigger a tech E&O loss. As a result, not every market is willing to insure AI risks, and those that do are likely to be in the wholesale space, where innovative solutions and crafted wordings are more common.

R&I: What advice would you give a buyer of cyber insurance in terms of navigating the market and making the right decisions?

DL: The good news is that brokers are here, and there are brokers who know what they’re doing. Just like when I buy my personal lines, which is not my specialty, I have a person I call to ask about coverage issues. Definitely rely on brokers who demonstrate expertise in cyber insurance.

Smaller retailers may not have a dedicated cyber expert, which is where wholesalers stepped up 20 years ago to teach classes on this new product that people didn’t understand. You should have a dialogue with your broker to ensure they’re not just applying a formula based on your industry. There should be a conversation, possibly involving an underwriter from at least one market, to discuss how you operate and ensure the coverage fits your needs.

There are policies out there that are cheap and often admitted, designed to be easily purchased. While the coverage could be good, there might be gotchas. People sometimes choose a brand-name admitted policy because they feel they have to sell admitted, but they could be missing out on 8 to 10 key things that could impact their coverage. A non-admitted policy from another provider might offer customization for their industry group.

As a buyer, asking a lot of questions and playing the “what if” game is valuable. Make sure you have someone on your team, like an in-house tech person or an MSP that manages your security, as part of the conversation when buying. They can ask questions about specific scenarios and where they would be covered in the policy. If the broker can’t answer, underwriters can, and wholesalers definitely can, as we get dozens of these questions every week.

R&I: What concerns do you have about the potential misuse of AI in cyberattacks, particularly in relation to social engineering and hacker group impersonation?

DL: As we’re still learning how AI will be used, there are valid concerns about its potential misuse in cyberattacks. Deepfakes, for instance, could be used to create false videos of politicians saying things they never would, causing political unrest and mayhem, even after the truth is revealed.

AI could also make social engineering attacks more sophisticated. We’ve already seen cases where bad actors gained control of someone’s email and phone, bypassing multifactor authentication. They convincingly impersonated a manager, instructing an employee to deliver a large sum of cash to a specific group, claiming it was an urgent matter to avoid regulatory shutdown. The employee, following proper protocol, confirmed the request via text message, not realizing the phone was compromised. AI could make such attacks even more convincing by cloning voices, making it extremely difficult to distinguish between legitimate and fraudulent requests.

Furthermore, AI could enable hackers to impersonate well-known hacker groups by mimicking their attack styles. This could mislead investigators and cybersecurity firms, who often rely on recognizing patterns to determine which groups are more likely to provide decryption keys after a ransom is paid. If a lesser-known hacker successfully impersonates a group known for honoring ransom payments, they could take the money and disappear, leaving victims without recourse and causing confusion in the cybersecurity community.

R&I: How can multifactor authentication be defeated by bad actors, and what are the implications for cybersecurity?

DL: In the early days, companies like RSA would provide users with a key fob token displaying changing digital numbers. When logging in, users would enter the code shown on the token, creating a closed-loop system that was supposed to be secure.

However, if someone gained access to the token provider’s network, they could see all the keys. This means that relying on a third party for security can backfire if that party gets hacked, ultimately compromising your own system.

It’s a constant challenge to stay ahead of creative bad actors who find new ways to exploit vulnerabilities. As cybercriminals continue to evolve their methods, it becomes increasingly difficult to ensure the effectiveness of even the most robust security measures, like multifactor authentication. &

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

More from Risk & Insurance