With volumes of cybersecurity insurance claims surging, businesses need to be more careful than ever about what their policies do and don’t cover, according to an academic who warned that insurers are becoming more mercenary in their interpretations of cyber events.
“Claims officers have to balance multiple competing interests,” Dr John Selby, a lecturer in business within Macquarie University’s Department of Accounting and Corporate Governance and an active member of the Optus-Macquarie Cybersecurity Hub, told attendees at this month’s Australian Cyber Conference in Melbourne.
“If they don’t deliver on the promise the insurance company made to policyholders, nobody will buy insurance from the company in the future – but if they pay out too much money to you, there won’t be enough left over to pay out other claims that come along later in the year.”
The climate of increasing cybersecurity incidents was driving many companies to lodge claims with cybersecurity insurers – who are becoming more careful in finding ways to minimise or deny their obligation to pay up.
Disparities between conventional insurance concepts and IT concepts were creating discord, Selby said: some policies, for example, are designed around first-party losses only and don’t cover third-party losses – leaving businesses without the basis for a claim if they have outsourced business functions to cloud-based service providers.
Similarly, strict definitions of the term ‘contractors’ may limit losses to actions by humans – which complicates things when evaluating the potential liability of non-human service providers such as cloud operators.
Faced with a loss from a cybersecurity incident, businesses should “question whether each part of your loss falls within the scope of the insurance,” Selby said, highlighting the need for coverage to explicitly address incidents such as cyber extortion, impersonation of legitimate service providers, and even self-caused errors or omissions during software development and deployment.
Insurers “may also ask if you failed to comply with any of your other obligations under the policy,” Selby said, “and they may look at whether there is another legal basis to deny coverage, such as doctrines of waiver and estoppel.”
Given the predominance of human error in many data breaches, the potential contribution of employees to the breach is also likely to be raised – leading to some uncomfortable conversations between executives and IT leaders.
As they seek to minimise their exposure to cybersecurity claims during claims adjustment, insurers may limit payouts to particular sub-limits for losses – leaving victims well short of the total coverage provided by their policies.
Businesses need to “properly calculate” how big potential losses could be, Selby noted, particularly since changing cybersecurity regulations are regularly adjusting exposure – for example, through changes such as the government’s increase of maximum penalties for privacy breaches from $2.1m to $10m.
Yet calculating losses can be difficult because the scope of the damage, and its implications for business interruption, often only become clear after the fact. This issue came to the fore this year after global food giant Mondelez, which owns brands including NotPetya-ravaged Cadbury, sued insurer Zurich for denying its claim after the 2017 malware attack ravaged 1700 servers and 24,000 laptops.
Zurich relied on an exception in Mondelez’s property insurance policy that exempted it from payments during a time of war – which Zurich argued applied when outside parties were actively engaging in hostile action against the insured.
The insurance company’s interpretation stretched conventional definitions of war that “assume there will be physical conflicts with kinetic objects resulting in property damage and destruction,” Selby said. “However, technology evolves – and as technology is weaponised, new technologies gain strategic advantage.”
The case is still in court and “Zurich bears the onus of proving NotPetya was an act of war,” he continued, noting that a decision in the insurer’s favour “would have a significant effect upon the cyber insurance market” by creating demand for business cover to bridge that gap. A finding for Mondelez, by contrast, could see cybersecurity premiums raised substantially to cover an impending flood of payouts.
Claims on cyber insurance policies have grown significantly this year, with cyber insurance specialist Emergence Insurance recently noting that claims frequency had increased 29 percent year-on-year during fiscal 2019.
Claims from professional, scientific or technical services companies, as well as those offering financial services, were up 20 percent, while healthcare and social assistance provider claims were up by 14 percent and financial and insurance services provider claims were up by 12 percent.
The results mirrored the distribution and trends of Notifiable Data Breach (NDB) reporting, with average claim severity 51 percent higher than in the previous year.
Hacking was responsible for 36 percent of claims, and extortion for 31 percent.
“No amount of risk management can get you out of the sights of a determined cyber attacker,” Emergence head of sales Gerry Power said, flagging human error and noting that “employees must understand they are the last line of defence if security systems fail.”