Cyber Insurance - Is It Worth It?
With the rising number and frequency of threats and attacks, more and more companies are investing in cyber insurance (CI) to protect themselves and their companies. While this is a forward-thinking measure to protect a company against risk, companies are finding it more and more difficult to get their claims paid by their insurer.
Know your policy
Cyber insurance is a fast-growing market and with fast growth often comes disreputable players and ethically questionable business practices. Market analysts are predicting the CI industry will experience 24% revenue growth over the next 4-5 years. While market revenue growth like this is good, it’s unsure that the revenue growth will keep up with the number and expense of claims.
Second-tier CI companies, and some first-tier companies, are denying claims and using questionable reasons to do so. In a recent issue of Cyber Protection Magazine, Lou Covey detailed two of these reasons.
The first is the war exclusion. This is invoked when foreign governments are determined to be responsible for cyber-attacks. This is also where things can be left open to interpretation. The big question is whether an attack is a cyber crime or a cyber war. Insurance companies are defining cybercrimes as an act of cyber-war as a reason to deny claims.
Back in 2014, following the NotPetya cyber attacks, Mondelez submitted a claim to their CI company, Zurich American Insurance Company, which was promptly denied under the War Exclusion. In the policy, Zurich said:
"This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
2) (a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in I or ii above." - Source
As you can see, a plain text reading shows that since the attack was determined to be the responsibility of the Russian government, Zurich considered it an “act of war”.
Zurich rescinded their denial, promised to pay damages, and then reaffirmed their denial. Mondelez promptly sued Zurich and, as of this writing, the case is still winding its way through the courts.
The second is the “silent non-affirmative” language defense meaning an insurance company doesn’t have to tell you what their denial criteria are. Typically, insurance companies only cover ransoms to protect human life by industry standards. If a ransomware attack shuts down an ICU in a hospital, then it might be covered to protect human life. If a company database or a data center is damaged, the carrier could deny the claim.
Is It Worth It?
That’s the $64,000 question. Governments are moving toward enacting laws making the payments of ransoms illegal, further letting cyber insurance companies off the hook. Additionally, in the US, companies can write off ransomware payments as “ordinary, necessary, and reasonable” expenses, so paying the ransom makes good business sense.
As it currently stands, and with the direction the CI industry, and the governments that regulate it, are moving, it doesn’t appear that cyber insurance is worth it.
It may give your executive management a warm, fuzzy feeling, but if you are attacked, your CI carrier will more than likely leave you out in the cold.