In a previous Packetlabs article, we outlined the economic repercussions resulting from the 2017 NotPetya ransomware attack that crippled Mondelez International’s global operations for weeks. Resulting from this sudden attack, the maker of Oreo cookies, saw losses in the excess of one hundred million dollars, according to court proceedings.

To make matters worse, Mondelez’s cyber insurance claims were denied under the exclusions section of the wordings for “acts of war by foreign governments”, a standard insurance clause that releases an insurer from covering the damages caused by acts of war.

This event has been marked as a perpetual tipping point for the insurance industry with respect to cyber policies. Since this initial denial, we’ve seen insurers using the war exclusion to avoid paying out on claims related to many forms of digital attack.

In a necessary recoil, Mondelez and Pharmaceutical giant Merck, also denied for its claims resulting from the NotPetya attack that generated some $700 million in damage, are suing insurer Zurich for breach of contract.

Background

According to reinsurer, Munich Re, Ransomware attacks including NotPetya and WannaCry, are among the most detrimental form of cyber-attack. Despite this fact, insurance companies have been creeping their way out of all sorts of claims shortly after they began writing cyber insurance policies. The trend has not gone unnoticed and many policy holders find themselves asking, what does my cyber insurance actually cover? Some of the largest breaches of customer data, in recent years, all happened at organizations that were carrying cyber insurance. Unfortunately, the actual pay outs were far less than the victim organizations believed they were eligible for.

“There has been some disappointment in the marketplace because people thought they were buying a policy that gave them some protection, only to find out that it didn’t.

Larry Ponemon, Founder of Ponemon Institute

To be clear, cyber insurance is extremely difficult to underwrite. For insurance companies, cyber risks are particularly far-reaching. The actual cost of a significant data breach can certainly reach into the hundreds of millions in a very short time span. In fact, the financial costs affiliated with large scale cyberattacks exceed the losses seen in natural disasters.

“I don’t think we or anyone really knows what they are doing when writing cyber.”

Warren Buffet, Chairman & CEO of Berkshire Hathaway

Insurers have managed their risks with relatively low limits and broad sweeping exclusions. While remediation costs and notification costs may be covered, the reputational damage, loss of intellectual property, (including data, trade secrets etc.), and forensics are risks that most insurers are unwilling and unable to underwrite. Most insurers simply do not have the actuarial data to calculate the potential costs of these risks.

With statistics like this, it’s not surprising that cyber insurance is still not nearly as widespread as the number of cyber risks encountered by organizations. PwC estimates that only a third of U.S. organizations hold some form of cyber insurance. Many clients are starting to question the true value of these policies, which will inevitably slow market growth. Further, many exectutives recognize that their organizations would be on the hook for all costs associated with legal expenses, regulatory fines, and outages caused by human error.

Perception: Facts vs. Reality

Another avenue that insurers have been using to minimize losses stems from the self-assessment of cyber-hygiene that many insurers require from their clients, again typically buried in the wordings. For example, if a CISO rates their organization very highly, and after a loss, it’s determined that that assessment wasn’t accurate, they can deny coverage on the basis of misrepresentation.

While it is fair to say that greater transparency is required by insurers, organizations must also be honest about their cyber security practises and standards. Ponemon research has shown that organizations with the strongest security posture are more likely to buy insurance. These organizations view insurance as a complement to cybersecurity, rather than an alternative.

Bottom Line

By now, most organizations have realized that insurance, while an important means of risk management, is no substitute for a strong cyber security posture. Organizations can prepare for breach and attack scenarios by implementing the following:

  1. Annual Penetration Testing: Internal and Third-Party Vendors
  2. Annual Breach and Attack Simulations: Phishing Campaigns & Cyber Awareness Training
  3. Annual Security Maturity Assessments
  4. Remediation Efforts: Completed by Technical Service Providers

For more information on any of the services outlined above, please contact us for more details.