How Well Will Cyberinsurance Protect You When You Really Need It?

Originally published by Ericom Software.

Written by Stewart Edelman, Chief Financial Officer, Ericom Software.

According to a report from Hiscox, a UK-based insurer with over 3,000 employees across 14 countries, 20% of the more than 5,000 businesses surveyed responded that a cyberattack had nearly caused their bankruptcy. 87% of businesses around the world saw cyberthreats as the greatest hazard to their financial health.

Recognizing this grave threat, many companies have rushed to purchase cyberinsurance, confident that insurance will protect them from the gravest harm in the event of a cyberattack.

There’s only one catch: cyberinsurers – like all insurers -- do not like making big payouts, so they often seek a way to avoid paying a claim. Recently, they have turned to the “act of war exclusion” as one of those ways.

Act of War Exclusion

Most insurance policies – including cyberinsurance policies – contain an “act of war exclusion” similar to this:

“You are not insured for: war, civil war, revolution, rebellion, insurrection, or civil strife arising from any hostile act by or against a belligerent power, capture, seizure, arrest, restraint or detainment (piracy excepted), and the consequences thereof or any attempt thereat, derelict mines, torpedoes, bombs or other derelict weapons of war.”

Act of war exclusions are nothing new – they’ve been around since the 1700s. But the nature of war has changed a lot in the last 200 years. Exactly what is and what is not excluded by these clauses in today’s age of nation-state cyberattacks is now being re-determined in courtrooms, through litigation.

NotPetya Litigation

The NotPetya cyberattack that was launched in 2017 is one of the costliest cyberattacks to date, with total damages estimated at over $10 billion.

While no individual or state entity officially claimed responsibility for the attack, Russia is widely believed to have been behind it. The attack initially targeted Ukraine, then spread widely to other countries due to a self-replicating feature. Mondelez International, maker of Ritz Crackers and Oreo Cookies was one corporate victim, and pharmaceutical company Merck was another. Mondelez claimed to have suffered over $100 million in damages and Merck claimed their losses topped $1.4 billion.

Both companies filed claims with their cyberinsurers, and in both cases the insurers attempted to deny the claims based on the war exclusion clause.

Many legal questions were raised in these cases, including exactly what constitutes an act of war and efforts to parse the detailed legal language in the insurance policies.

Mondelez and its insurer, Zurich Insurance Group, reached an out-of-court settlement. Merck won its case in court, with the insurers ordered to pay up. The judge in that case ruled that the act of war exclusion is meant to apply to armed conflict, and that the insurers did not notify Merck that a cyberattack could be considered an act of war before the attack took place.

A further complicating factor in considering these attacks to be acts of war is that the attack was perpetrated against Ukraine. Companies based in other countries certainly weren’t the intended targets of an act of war but were rather victims of unintended, and possibly unforeseen, consequences. What they suffered was not even direct collateral damage, but rather damage that was random, at best.

The Consequences of the NotPetya Litigation

The victims of the attacks won their legal fights or at least received what was presumably an acceptable settlement. Isn’t that good news for other potential victims of similar attacks? Doesn’t it indicate that these kinds of attacks are covered and not excluded as “acts of war”?

Well, yes and no. Clearly, the tug-of-war between insurance companies and their clients has only begun. Insurers don’t want to – in fact, may not be able to afford to – provide coverage for attacks that may have originated with a nation-state, while businesses naturally want coverage for all cyber risks to their businesses, regardless of the origin of the attack. We can expect language in newly issued insurance policies to explicitly address this question and will most likely not be in favor of those purchasing them.

This makes it more important than ever for your legal team to review all cyberinsurance policies carefully to make sure they include the events that you want to be covered. With so much state-sponsored malware in circulation, insurance companies probably cannot exclude it all, but are certainly seeking all ways they can to minimize exposure.

Another possible outcome is the creation of a government program to back up cyberinsurers. The Terrorism Risk Insurance Program, which was formed to allow insurance companies to continue to cover acts of terrorism after 9/11 without endangering their own financial health, is a model of how such a program could work.

In addition to sharpening the language in insurance policies to restrict coverage, two other changes are relatively certain: insurance premiums for cyberinsurance will continue to rise, and insurance companies will start requiring their clients take stronger cybersecurity measures, including multifactor authentication (MFA) as a bare minimum.

Protecting Yourself

Relying on cyberinsurance to protect your organization against cybercrime without doing all that you can to prevent attacks is like depending on closed windows and doors to prevent someone from robbing your house and relying on homeowner’s insurance to cover the risk: It may cover most losses, but leaves you vulnerable to embarrassment, exposure of personal items, and a huge cleanup job. And if like most businesses, yours holds others’ property also, such as customer data or shareholder investment, it could leave you exposed to legal and regulatory risks as well. Prevention is a much wiser approach.

Increasingly, having robust cybersecurity in place is not only smart but a prerequisite for obtaining cyberinsurance. With cyberinsurers increasingly conducting risk assessments, the better your cybersecurity the lower your premiums are likely to be.

Today, Zero Trust represents the gold standard in cybersecurity. Instead of an outdated perimeter-based defensive approach, it approaches every user and every interaction, at any access point, as a potential threat.