Cyber insurance: A study in fine print
Insurance is no substitute for a strong resilience posture
The economic damage from cybercrime doesn’t always come in the form of bits and bytes. In 2017, when the NotPetya cyber strike first hit, some of the collateral damage came in the form of cookies, crackers and chocolate — and denied insurance claims. Mondelez International, maker of Oreo cookies, Ritz crackers and Cadbury chocolate, lost access to its logistics software in the attack, disrupting shipments across the food giant’s global operations. Recovery took weeks as the company piled up losses in excess of $100 million, according to court documents reported in the media.
To add insult to injury, Mondelez’s cyber insurance claims were denied under the war exclusion, a standard insurance clause that exempts insurers from covering damages caused by war, on the grounds that the attack was an act of war by a foreign government rather than a criminal act by individuals.
The New York Times declared the 2017 NotPetya attack “a watershed moment for the insurance industry.” Since then, insurers have been applying the war exemption to avoid claims related to some digital attacks. Mondelez is suing, as is the pharmaceutical giant Merck, another victim, after insurers denied its claims for a NotPetya attack that caused nearly $700 million in damage.
Malware such as NotPetya and WannaCry is behind the most damaging attacks to date, according to Munich Re. But these ransomware events join a long list of denied claims. Insurers have been wiggling out of many such claims since shortly after they began selling cyber risk policies, leaving many to wonder: What does cyber insurance actually cover? Some of the biggest breaches of customer data in recent years happened at organizations that carried insurance, but that insurance paid out far less than what those organizations believed they were entitled to receive.
“There has been some disappointment in the marketplace because people thought they were buying a policy that gave them some protection, only to find out it didn’t,” says Larry Ponemon, founder of the Ponemon Institute, a technology research firm that helps organizations conceptualize the true cost of a cyber event.
To be sure, cyber insurance is very hard to underwrite. For insurers, cyber risk has a long tail. The true cost of a significant breach can easily reach into the hundreds of millions.
“Cyber risks are one of the biggest threats to the networked economy,” says Torsten Jeworrek, board member at Munich Re. “Increased networking of machines, and equipment in particular, can also give rise to very complex risks such as data theft, disruptions in the interaction between networked machines, and even the failure of entire production lines and supply chains,” he points out. In fact, the economic costs of large-scale cyberattacks already exceed losses caused by natural disasters, says Jeworrek.
Insurance companies have managed their risks with relatively low caps and broad exclusions. Remediation costs and notification costs might be covered, at least in part. But what about reputational damage, loss of IP or forensics? Most insurers are simply not willing to underwrite those risks because they don’t have the data to calculate the potential costs yet.
It’s no surprise, then, that cyber insurance is far less prevalent than the many cyber risks organizations face today. PwC estimates that only a third of U.S. companies carry some type of cyber insurance.
Only 4 in 10 organizations that carry cyber insurance believe that the costs of data recovery and crisis management are covered in full, according to a recent Forbes Insights survey of global executives titled “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?” Most executives recognize that their organizations would be on the hook for costs associated with legal expenses, regulatory fines, an outage caused by human error — traditionally the most common cause for an outage — and other common losses after a cyber event.
One potential perception gap comes from the self-assessment of cyber hygiene that insurers require. This is covered in the fine print, which can run to several hundred pages.
“If a CISO rates his or her organization highly and it turns out that assessment wasn’t really true, coverage can be denied,” explains Ponemon. “If your data center is down a certain number of days, for example, it probably means you didn’t have the right redundancy.” It gives the insurance company room to wiggle out or reach a settlement that’s less than the full cost.
One company found this out the hard way after a massive data breach. Its insurance company did a postmortem on the breach and discovered that customer data had not been properly encrypted. In this case, the company at fault displayed a distressing complacency toward encryption, in part because it was insured against losses. The insurance company refused to pay.
There is a need for greater transparency on the part of insurers, but organizations must also be honest about their standards and practices. Ironically, Ponemon’s research shows that companies with a strong security posture are more likely to buy insurance. “Philosophically, they see it as a complement to current security rather than an alternative,” he explains.
Insurance is no substitute for a strong resilience posture. Insurers can — and will — refuse to cover events that could have been avoided. Organizations can prepare for a number of what-ifs by creating adequate redundancies, practicing disaster scenarios and ring-fencing critical systems. For specific risks that cannot be avoided, cyber insurance may be an option — but read the fine print first.
This article was originally published on Forbes.com; the content is unchanged.