FA Magazine April 2025 | Page 36


What If Insurers Abandon Cyber Coverage?

The list of exclusions is expanding while premiums rise. By Dustin Carlson

The number of cyberattacks is soaring—especially from attackers using the burgeoning technology of generative artificial intelligence. Not only are the numbers increasing, but many of these attacks are aimed at small and midsize businesses. That’s because cyber thieves see smaller companies as less well protected, and that perception isn’t entirely wrong.

That means these companies are going to need more robust cyber insurance protections, because such attacks can conceivably wipe out a business, especially if the company participates in a highly regulated vertical such as banking, finance or healthcare.
And yet, at a time when more cyber insurance protections are needed, the major insurers are adding more and more exclusions to their policies while at the same time boosting premiums.
Some of these exclusions are sleight-of-hand tactics created so that the insurers simply won’t have to pay out for a crippling hacker intrusion. Consider, for example, a move by several of the largest carriers to exclude coverage for attacks by nation-states.
At one level, it might seem reasonable. After all, what dry cleaner or car wash chain could hold up under an attack from the likes of Russia, China or North Korea? Dig a bit deeper, however, and it becomes clear that the state-actor dodge is simply that: a dodge to avoid paying.
The Nation-State Conundrum
One reason insurers back away is that it’s virtually impossible to positively connect a nation-state to a cyberattack, since the countries involved cover their tracks with surgical precision. A trail might lead to North Korea or China, but just enough for plausible deniability. It could always look as if someone left a false trail on purpose. These states don’t attack directly. They use highly skilled criminal groups to do their work for them. Such groups then also extort money and steal data for their other clients. So there’s no way to establish the group was ever working directly for a state actor like China.
In the haze of such attacks, insurance carriers can argue that their small business policy holders were victims of state attacks and ask the businesses to somehow prove they weren’t. If you think proving a specific attack was done by a foreign government is hard, try proving somehow that it wasn’t.
The major carriers have come up with other types of exclusions for coverage as well, including those for employee errors—for example, if a worker is tricked by a cyber thief into downloading malware or revealing system credentials.