Mosaic’s DeLong calls for governments to assess cyber attribution and help bring clarity to market

Mosaic’s global head of cyber Yosha DeLong has given her backing to the “strong intent” behind Lloyd’s new war exclusion on cyber policies, highlighting the increased clarity this brings for buyers.

In an interview with The Insurer TV at this week’s Bermuda Risk Summit, DeLong said the creation of government bodies that establish attribution for cyber risks would bring further clarity as the market develops.

This may in turn pave the way for the creation of public-private partnerships (PPPs) to support risks that cannot be handled by the private market alone, she said.

On Lloyd’s new exclusion, DeLong said: “I think the intent behind it is strong and customer forward. It was rolled out with the intent of telling customers what is covered, when it's covered and how it's covered.

“While it does control the accumulation risk presented, it also has a lot more clarity for the customers as to the type of event that they're looking to not provide solutions for in the insurance industry.”

DeLong recognised that some may perceive the war exclusion as overly complex because it incorporates several different elements into one exclusion – namely, state-sponsored attacks, large-scale events with a detrimental impact on one sovereign nation by another, and attachment to traditional warfare.

“It's those three elements lumped into one, where we're trying to communicate what we're concerned about as a market. For the long-term sustainability, we need to find a solution for this,” she said.

Challenges of attribution

PPPs will likely emerge as useful tools to facilitate solutions to these market concerns, DeLong said.

She noted that, as part of the Association of Bermuda Insurers & Reinsurers, Mosaic recently submitted a paper to the US government on the expectations of a PPP from a cyber perspective, including a request for help tackling the challenges of attribution.

“One of the things we're asking for is help on the attribution side, having an actual government body established across the globe,” DeLong said.

“That could help us with some of these attributions. Working more quickly with clients on what's actually happening behind the scenes would add that clarity as well.”

Challenges in attribution and accumulation risk compound the “very turbulent couple of years” just experienced by the cyber insurance industry, she said. That period included the emergence of ransomware in 2018-19, which was then accelerated by pandemic-induced transformations in digitalisation.

Now, the cyber landscape is increasingly also informed by impacts of the Russia-Ukraine war, with DeLong noting that the Russian invasion in February 2022 led to disruption within hacking communities.

“My concern is that, despite the conflicts that were occurring within organisations and ransomware groups, they are now starting to regroup. I don't look at the downturn [in hacking] that we saw as a result of this as a long-term impact – it's one of the blips on the radar that occurred out of this particular conflict,” DeLong said.

From a cyber insurance perspective, since 2021 Mosaic has observed a shift in demand towards more accurate and granular data for more impactful modelling.

This data can then be used to seek alternative capacity on the reinsurance side within the ILS market, noted DeLong, as granular data points would demonstrate the ability of the cyber insurance market to underwrite these risks in a long-term profitable way.

“Nothing ever gets boring in cyber,” she said.

“Cyber never sleeps, and we're going to continue to see market shifts in the next couple of years as some of these more dynamic changes continue,” DeLong concluded.

The Insurer TV talks to Mosaic’s Yosha DeLong

Watch the 8-minute video interview with Mosaic’s global head of cyber Yosha DeLong to hear her thoughts on:

  • The current cyber risk landscape and dominant trends
  • The impact of the Russia-Ukraine conflict
  • What impact Lloyd’s new cyber exclusions will have when they come into force on 31 March
  • Outlook for PPPs in cyber and the sustainability of the cyber market