Prediction Series #5: Companies have a growing need for the safety net of cyberinsurance – but could that safety net be threatened in court?

Cyber insurance coverage may change pending a foundational court case

In today's era of continual cyber attacks, many companies buy themselves an extra layer of data breach protection by getting cyber insurance. In 2017, premiums totaled $1.84 billion, 37% over 2016. In 2018, a large area of increased growth came from SMBs purchasing cyber insurance. But is cyberinsurance currently threatened by a pending court case?

Despite large payouts, the industry is still profitable because more companies are seeing the value and choosing to purchase coverage. In 2016, $2.5 billion went toward cyber insurance premiums, .09% of total premiums paid for all insurance. But policies are going up, expected to be $7.5 billion by 2020. The number of insurance companies providing cyber insurance is now at 60. As of this year, one third of companies have opted to carry cyber insurance coverage.

Your cyberinsurance company may not come through for you

So in light of the increasing popularity of cyberinsurance coverage, companies should be feeling more secure about data breaches, right? Not so fast, thanks to some developing news this past December. A prominent company, Mondelez, owner of brands we know like Nabisco, Oreo, Cadbury, Toblerone and more, suffered huge damage from the NotPetya cyber worm in 2017. Mondelez had cyber insurance and submitted a claim, believing their coverage would help cover some of their extensive damage. Their policy provided for “all risks of physical loss or damage to property, including physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

But their insurance company, Zurich, has denied coverage based on an exclusion clause. Specifically, a clause in the policy bars coverage for hostile or warlike actions, including “action in hindering, combating or defending against an actual, impending or expected attack” by a “government or sovereign power, military, naval, or air force, or an agent or authority” from any party specified above. Zurich (and others) have named Russia, a government and sovereign power, as responsible for the NotPetya attack.

The two companies are at a standoff. Mondelez is therefore suing Zurich, and the outcome of the court case will significantly impact both Mondelez and Zurich. The results will reverberate beyond the two parties to all insurers and insured, for whom the reliability of their own cyber coverage hangs in the balance as well.

Cyberinsurance future may hang in the balance of the courts

The cyberinsurance industry will remain a key player in each company’s security and data breach planning. But if Zurich prevails in court, companies that want to keep their coverage could put pressure on insurance carriers to remove exclusion clauses for warlike actions from their policies. The likelihood of being hit by ransomware like NotPetya and WannaCry is too great for insurers to attempt to sidestep coverage, leaving companies exposed to great risk. But with NotPetya’s global damages put at $10 billion, insurers will argue the cost of covering those risks is too great, either driving up premiums or causing them to withdraw coverage.
