There’s an old joke: what do hospital gowns and insurance policies have in common? You’re never covered as much as you think you are.
The punchline is unlikely to have anybody rolling around on the floor in fits of laughter (if it does, you should really get out more), but it certainly seems pertinent in light of the Mondelez vs. Zurich Insurance Group case.
As reported by the Financial Times, Mondelez, the food conglomerate that acquired Cadbury in 2010, is suing Zurich Insurance over its refusal to pay out on a $100 million claim relating to a cyber attack.
Mondelez was among the numerous unlucky organisations to fall victim to NotPetya, one of the most infamous malware attacks of 2017 — the White House called it: “the most destructive and costly cyber-attack in history”.
According to Mondelez, NotPetya brought down 1,700 of the company’s servers and 24,000 laptops. Mondelez claims that, under the terms of its property insurance policy with Zurich, it is covered for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”.
Zurich offered an initial payout of $10m but then rejected the claim altogether, citing an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power.” To rely on that exclusion, Zurich will now have to prove the Russian government was behind the attack. While American and British intelligence agencies are confident that Russia is to blame, an intelligence assessment is not the same thing as evidence that satisfies a court, and presenting irrefutable proof of attribution is still going to be a tricky process.
Whether or not Zurich’s “war exclusion” argument will succeed remains to be seen but this case also points to a broader issue commonly found within the cyber insurance marketplace: ambiguous policies.
The problem with cyber insurance
Thanks to the sharp increase in cyber incidents, cyber insurance is growing in popularity fast. PwC estimates that annual gross written premiums for cyber insurance will increase from roughly $2.5 billion today to $7.5 billion by the end of the decade.
But it’s early days and some would argue that the market has a long way to go.
Bruce Hepburn, CEO of Mactavish, thinks aspects of the market are “immature” and “untested”. According to a recent report by his company, which surveyed around 700 UK senior managers, just 40% of respondents believe their organisation has adequate insurance cover against cyber attacks. Fewer than one in three believe their company currently buys cyber-specific insurance; 35% think cyber insurance is unfit for purpose; 30% think it is too expensive; and 22% do not trust insurers to pay out.
How businesses can find the right cyber insurance cover
For the report, Mactavish also analysed numerous market-leading off-the-shelf cyber insurance policies and identified at least eight common flaws:
- Cover often only extends to incidents triggered by attacks or unauthorised activity and can exclude issues caused by accidental errors
- Cover for the cost of data breaches can be limited – payouts only cover costs a business is legally required to incur
- Cover for system interruption is often limited to the short period of actual network interruption, not taking into account the knock-on revenue impact of the disruption
- Cover for systems that are outsourced varies and is often limited or excluded
- Exclusions for software in development or systems being rolled out are common and can be unclear or, in the worst cases, exclude events relating to any recently updated systems
- Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond
- Notification requirements are often onerous and complicated
- Following an incident, a business might not get to choose its own PR, IT or legal specialist. Instead, it is limited to whoever the insurer appoints
Commenting on these figures, Hepburn claimed: “Some of these policies have been rushed to market by insurers eager to capitalise on the growing cyber risks facing organisations, and their desire to spend significant amounts of money to protect themselves against this.”
He added: “Very few claims have been made on these new cyber insurance policies, but my bet is that many will be disputed, or settlements will be much lower than clients expected. However, this can be avoided if organisations first understand the cyber risks they face, and then secure a bespoke policy to meet their needs.”
The non-smoker discount
To put it bluntly, it appears the insurance sector has not been able to keep up with cyber threats. As new threats pop up in cyberspace, new policies typically lag behind in a confused state.
Insurers are also challenged by a lack of visibility into their clients’ cyber health. Pricing depends on it: when somebody applies for health insurance, establishing whether or not they smoke, or whether hereditary diseases run in their family, is vital in working out what their premium should be. Insurers have no equivalent, reliable way to establish the security posture of a prospective cyber policyholder.
The visibility issue isn’t just one affecting insurers. Many firms don’t have the tools to adequately assess and respond to the rising levels of cyber risk they’re exposed to. A recent report from the insurer Hiscox claimed that nearly three-quarters (73%) of global firms are “cyber-novices” when it comes to the quality and execution of their security strategy.
Understanding digital risks
If it is the case (and it is) that cyber insurance policies are confusing and have room for improvement, the best thing a company can do is first to understand the cyber risks it faces, and then secure a bespoke policy to meet its needs.
“Getting a good understanding of what could go wrong is a great place to start,” said Ben Rose, co-founder and insurance director at Digital Risks. “Then you need to work out what the likely impact of these incidents is, be it a negative impact on customers or bad press. You also need to understand how long it might take to get back on track afterwards.”
He added: “How can you be confident you’re covered if you don’t know what you need to be covered for?”
But as the Hiscox study pointed out, understanding cyber health is clearly a struggle for many organisations.
“Of course, many companies don’t have a full view of the things that could go wrong, but there are steps you can take,” explained Rose.
According to him, a common mistake many customers make when shopping for cyber insurance is going through the same insurance broker they’ve been dealing with for years.
“They may be able to get you a great quote for your car or property, but traditional brokers probably don’t understand the technical elements of modern business. So getting somebody involved who is technical enough to understand the intricacy of a cyber insurance policy is key.”
Rose also stressed the importance of carrying out a cyber risk assessment. This, he argued, can help organisations understand the areas they need to protect and where they are most vulnerable. According to Digital Risks, businesses should audit the data and information they hold and establish its value, then look at how and where that data is stored. Knowing what is at stake, and what would be lost if it were destroyed or exposed, tells an organisation what it actually needs a policy to cover.