Cyber insurance is often hailed as the “silver bullet” that will solve all the cyber security issues for organizations. It appears to be a simple, elegant solution: if an attack occurs, call your insurance company, pay a small sum and let the insurance company deal with the fallout.
Indeed, the uptake of cyber insurance and the willingness to claim have both increased. The cyber insurance market is expected to grow at a CAGR of 26.5 percent from 2019 to 2028.
Recently, AIG said that cyber-insurance claims nearly doubled between 2017 and 2018 and that they received more cyber insurance claims last year than in 2016 and 2017 combined.
This is not surprising, as cyber insurance policies tend to be very profitable for insurance companies. The way to measure this is the “loss ratio” of insurance policies, which is the amount paid out in claims to customers divided by the premiums charged by insurers. In 2016, the loss ratio on cyber insurance policies was 46%. By 2017, that figure had dropped to 32%, meaning that for every $1 million in premiums that customers pay each year, insurance companies pay out just $320,000. That represents a 68% profitability rate!
Security is a top driver of cyber insurance adoption, with 71% of organizations purchasing cybersecurity insurance as a precautionary measure, while 44% cited an increased priority on cybersecurity as the reason they bought a policy.
Most executives who buy cyber insurance are confident that it will pay off in case of an incident. A survey of 105 CFOs at enterprise-scale companies with annual revenue of at least $1 billion found that 71% in total felt that they were adequately covered in the event of a cybersecurity incident. 45% expected their cyber insurance provider to cover most of their losses in the event of a breach, and 26% expected the provider to cover their losses in full.
However, even if activating one’s insurance seems like the simplest solution, it might not be a viable option for long. Insurance companies will employ greater sophistication in their evaluation and response mechanisms and will reject more claims on the basis of the client’s inadequate security, the identity of the attackers or the methods used.
One example of this occurred when Mondelez International, maker of Oreo cookies, lost access to its logistics software after the NotPetya attack in 2017. Recovery took weeks as the company piled up losses in excess of $100 million, according to court documents reported in the media. Mondelez’s cyber insurance claims were denied on the grounds that the attack was an act of war by a foreign government rather than a criminal act perpetrated by individuals, invoking a standard insurance clause that exempts insurers from covering damages caused by war.
In another case, insurance company Hiscox refused to pay their client, DLA Piper, following a devastating ransomware attack that wiped out systems at DLA Piper and cost the firm 15,000 hours of extra overtime for IT staff. That overtime amounted to several million pounds in wages. Hiscox claimed that DLA Piper did not have a cybersecurity-specific policy and that their “generic” insurance doesn’t cover this kind of damage.
The case of Everest National Insurance Company vs. National Bank of Blacksburg in Virginia is even more concerning. After a major cyber attack resulted in a cyber breach and significant operational downtime, the bank filed a cyber claim with its insurance company in the amount of $2.4 million. After investigating the claim, however, the insurance company only agreed to pay $50,000. The case went to court at the beginning of 2019 and proceedings are ongoing.
More recently, insurance company AIG refused to compensate a client for cyber-induced losses, claiming it is not required to pay for losses resulting from criminal activity. Hackers stole $5.9 million from a New York-based outfit in 2016 by sending phishing emails to company employees from spoofed email addresses requesting monetary transfers. AIG says its policy stipulates that the insurer will not cover losses stemming from criminal activity, and it refused to pay for the loss. The case is now being argued in court.
Moreover, it is clear that insurers will find additional ways to avoid payment. In particular, it seems that insurers will focus on human error as a reason to refuse payment. Since humans are involved in almost all data breaches, it would be easy to cite “the human factor” as a cause of the incident and refuse payment on the basis of negligence (or malfeasance). Even when payment is unavoidable, it is likely that insurers will do their utmost to minimise their exposure to cybersecurity claims and limit payouts to particular sub-limits for losses – leaving victims well short of the total coverage provided by their policies.
These incidents, along with the fact that many clients don’t understand the intricacies of cyber insurance policies, provide concrete evidence that cyber insurance is not to be taken at face value. At most, it can be seen as an external budget meant to offset the costs of a breach. It should not, under any circumstance, be seen as a replacement for a robust security posture, which requires modern cybersecurity technologies, trained teams and tested procedures. Failure to reach the required security levels will make it easier for insurers to refuse payment, making the investment in cyber insurance both redundant and costly.