An image showing padlocks and a keyboard representing cybersecurity and cyber insurance.

Carriers Are Pushing Cyber Insurance, but Do Policies Pay Out?

July 12, 2019 | Purdue Global Law School

Recent research from IBM and the Ponemon Institute suggests the average cost of a data breach is approaching $4 million, with some “mega breaches” costing nearly 100 times that amount. Faced with existential threats to their operations, businesses are increasingly purchasing cyber insurance to help mitigate their risk.

Most cyber insurance policies cover an organization’s liability for a data breach in which sensitive information is compromised, and may also help offset losses due to cyber extortion, fraud, and data loss. No industry standard yet exists for underwriting these policies, but they typically cover expenses related to conducting forensic investigations, notifying data breach victims, providing credit monitoring services, and defending lawsuits. Some policies also provide coverage for business disruption, crisis management, recovering systems and data, and regulatory fines and penalties.

However, some organizations are finding that the policies they purchased don’t provide the protection they expected. In a growing number of cases, claims have been denied due to exclusions and exceptions that are not well understood by buyers.

NotPetya Causes Billions in Damages

In the aftermath of the 2017 NotPetya ransomware attack, companies learned just how technical distinctions can nullify cyber insurance coverage. Generally considered the most devastating cyberattack ever, the NotPetya outbreak affected more than 2,000 companies and resulted in more than $10 billion in damages. Although Ukraine felt the initial brunt of the attack, it spread across Europe and into the U.K. and U.S.

Western governments were quick to accuse Russia of the attack. The White House issued a brief statement on Feb. 15, 2018, alleging that NotPetya “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” Russia was threatened with “international consequences” for launching “a reckless and indiscriminate cyber-attack.”

The malware is called “NotPetya” because it was initially believed to be a variant of the Petya ransomware attack. However, Petya is fairly typical ransomware that encrypts the victim’s data and demands payment in Bitcoin in exchange for the decryption key. NotPetya poses a far greater threat because it can spread from system to system without human intervention. Furthermore, security analysts have determined that there is no way to recover files encrypted by NotPetya, suggesting that the malware is designed to destroy data rather than obtain a ransom payment.

Was NotPetya a ‘Warlike Action’?

Among the companies hardest hit by the NotPetya attack was Mondelez International, the Illinois-based food conglomerate that owns the Nabisco, Cadbury, and Toblerone brands, among others. Mondelez reported that viruses in two separate locations permanently disabled 1,700 servers and 24,000 laptops and caused a variety of operational and supply chain disruptions resulting in losses exceeding $100 million.

Mondelez had purchased a cyber insurance policy from Zurich Insurance Group, with coverage for “physical loss or damage to electronic data, programs, or software” related to the “malicious introduction of a machine code or instruction.” The company filed a claim for damages suffered in the NotPetya attack.

After U.S. cybersecurity experts blamed the attack on the Russian military, Zurich denied coverage, citing an exclusion for a “warlike action” taken by any “government or sovereign power.” On Oct. 10, 2018, Mondelez filed suit against Zurich in Cook County, Illinois, seeking $100 million in damages for breach of contract, promissory estoppel, and bad faith.

Mondelez asserts that the “warlike action” exclusion was intended to apply to conventional warfare and that invoking it for a cyberattack is unprecedented. The company also emphasizes that Zurich bears the burden of proof to show that the exclusion applies.

Scant Evidence

Zurich faces a high hurdle in proving that the attack was akin to an act of war. The Western governments that accused Russia offered no real evidence, and Zurich will have to satisfy the court that the Russian government launched the attack for some military purpose.

Nevertheless, the ongoing litigation is roiling the emerging cyber insurance industry. Although such policies have been around since the 1990s, the market only really began to take off in 2005 following the DSW Shoe Warehouse data breach—the first breach to compromise more than 1 million records. According to data from the 2017 RIMS Cyber Survey reported by Insurance Journal, 83% of organizations have cyber insurance policies.

However, some signs show that cases such as the Mondelez-Zurich suit are having a chilling effect on the industry. In one recent study, more than two-thirds of companies with cyber insurance said they don’t believe the policies adequately cover their risks. Many complained about the lack of policy standardization, with terms, definitions, and exclusions varying from one insurer to another. To regain customers’ trust, insurers will need to clarify their cyber policies and conditions under which exclusions apply.

Learn More About Cybersecurity Law

As data breaches grow in prevalence and severity, cybersecurity legal experts will be increasingly needed to navigate this relatively uncharted field. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.