Cyber attacks are one of the greatest threats facing buildings as they become connected and smart, but ensuring smart buildings are insured for cyber threats is also becoming increasingly difficult. The rising vulnerability of connected buildings is driving limited cyber-coverage and some brokers have even withdrawn from the space altogether. There are some early signs of policy change but on the current trajectory, this could create serious issues for the Smart Building Industry.
“It should be of little surprise that cyber insurance is becoming harder and more expensive to obtain. The “loss ratio” for cyber insurance rose dramatically in 2020, to 67.8%, from 44.8% in 2019. Insurers are reacting by modifying their operation and redoubling their efforts to better assess and quantify their cyber risk,” reads our latest cyber security research. “Rising costs have even led to some major insurers withdrawing from the market for ransomware cover entirely, with global insurance provider AXA announcing in May 2021 that it would no longer cover ransomware payments in France, for example.”
Driven by increased cyber attacks, there is a growing corporate awareness of cyber risks and the potential costs of cyber security breaches, allowing the cyber insurance market to grow into a significant insurance market segment. Fitch Ratings, which assigns insurer credit ratings, estimates that the market had grown 74% to $4.8 billion in the U.S. alone by the end of 2021, significantly outpacing growth in the broader insurance sector. While, the US Accountability Office (GAO), reported that the number of clients purchasing cyber coverage increased from 26% in 2016 to 47% in 2020, leaving plenty of companies without cover for cyber breaches.
“When it comes to policy renewals, most insurers are now tightening the language used in their standard property policies in relation to cyber events, including actively excluding cover for cyber-breaches of digital systems and electronic data,” highlights our new research report. “A large proportion of smart building owners and operators are essentially totally unaware that they have no legitimate insurance cover for their smart building systems and would be fully liable for all associated costs in the event of a cyber breach – truly a concerning state of affairs.”
There has been a huge increase in the number of insurers that specifically exclude cyber events that affect digital building systems, such as HVAC, lighting, elevator, parking, and access control, from their policies. The latest policy from Allianz Engineering for construction and power, for example, explicitly excludes coverage for loss, damage, legal liability, additional expenditure or cost consisting of or in consequence of cyber events. “Most of the industry is probably self-insuring and does not know it, while at the same time doing very little to mitigate the actual risks,” Rob Murchison, Principal at Intelligent Buildings, told Memoori.
As cyber insurance from traditional policies becomes more difficult and costly for smart buildings, many are turning to stand-alone cyber insurance. On average, cyber insurance rates rose by 89% in the fourth quarter of 2021, according to Risk Strategies’ State of the Market 2022 Report. And, according to leading US insurer, Marsh, half of its US clients purchased stand-alone cyber insurance policies in 2021, almost double the 26% of clients in 2016. These trends are expected to continue into 2022, which is why insurers are putting a greater emphasis on risk management.
“Standalone cyber liability insurance or data breach insurance policies are offered by several major providers, including Crum & Forster, AIG, and Chubb. A cyber insurance policy may include assistance during a cyber incident, however, the levels of cover available may still only lead to a reduced set of OT risks, instead of blanket coverage of all costs resulting from a cyber incident,” explains our cyber security report. “While stand-alone cyber insurance policies that supplement the coverage and improve protection against cyber attacks for buildings are becoming available, the need to take out an additional policy to effectively cover the risks significantly adds to the cost.”
Standalone cyber insurance can only plug the coverage gap for so long. Until brokers fully understand the true scale of the attack surface in smart buildings, they will have no way to calculate risk accurately or price premiums fairly. However, for those claiming insurance for cyber events, high-profile cases related to the NotPetya attacks in the build-up to the war in Ukraine have triggered landmark rulings that could provide hope in solving the cyber insurance problem for smart buildings.
In January 2022, Global biopharmaceutical company Merck won a $1.4B legal dispute against its insurer for NotPetya attacks’ by suspected Russian sponsored hackers. After Merck’s insurer, Ace American, denied coverage for the NotPetya’s impacts based on an “Acts of War” clause, Merck successfully sued them, arguing that it was essential to reconsider how war can be defined in the digital age. It is believed that Merck and other high-profile cases are even influencing change at Lloyds of London, the key marketplace where three-quarters of all underwriters go to provide insurance coverage of businesses.
Early signs of hope from Merek’s lawsuit and the Lloyds bulletins are positive, but not enough to address the growing number of cyber-uninsured smart buildings in the world today. More should be done by buildings to improve cybersecurity, of course, but those that create adequate security should have the option of fairly priced insurance. Cyber security breaches can easily be described as inevitable, which will always raise concern for insurance providers, but without reasonable cyber insurance options available, building owners may begin to reconsider their smart ambitions altogether.
“For cyber insurance in the real-estate/smart buildings market, as is so often the case, the picture is more nuanced, with its own set of unique challenges,” explains our comprehensive new cyber security report. “Rising levels of cyber risk posed by IoT devices and connected smart building systems is having a significant adverse effect on building owners’ ability to effectively insure their assets, with some industry observers even going so far as to state that “the lack of effective cyber cover is rapidly becoming the leading barrier to smart building adoption moving forward”.