Businesses across all industries are now more aware than ever of the importance of employing a robust cyber security strategy. Yet despite the cyber industry continuing to receive more and more widespread attention, some areas still operate in the shadows. When issues or incidents occur, many companies lack support on what next steps they should take to recover or recoup any losses. To this end, a precarious trend has emerged in which companies use their standard commercial insurance policies, rather than specific cyber insurance policies, to cover cyber incidents. Because these standard policies do not explicitly exclude cyber matters, the trend has been dubbed ‘Silent Cyber’.
Not only is this a poor option for the companies, but insurance companies are looking to crack down on Silent Cyber. More must be done to support businesses in the widespread adoption of cyber-specific policies which have terms tailored to the cyber landscape.
The Silent Cyber dilemma
Businesses across a myriad of industries know all too well how valuable insurance policies are to their organisation. Typically insurance policies cover the cost of damage or loss on a particular matter or area (including property, credit risk and product liability). However, when it comes to a cyber attack or data breach, the question is raised on whether a typical commercial insurance policy can cover these kinds of incidents.
This question is currently being addressed in a major ongoing legal battle. Food conglomerate Mondelez is suing Zurich Insurance for its refusal to pay out a huge $100 million claim relating to a cyber attack. Mondelez was one of several victims of the 2017 NotPetya malware attack, which damaged 1,700 of the company’s servers and 24,000 laptops. Mondelez claims that it is covered for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”, under its property insurance policy with Zurich. Zurich disputed the claim, citing an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power”. Now Zurich will have to prove that there was Russian government involvement, as suggested by several parties.
This lack of clarity is causing both companies a considerable headache as well as significant legal costs. To avoid this scenario, it is vital that both companies and insurance firms actively address this Silent Cyber dilemma.
Insurers vs. companies
For companies, claiming on insurance is a notoriously laborious process that can often turn into a multi-year reclaim. In addition, companies are often at the mercy of the judicial system when trying to recover costs. For smaller firms, insurance policies themselves can be costly, and many may question why they cannot utilise their commercial insurance policy if a cyber incident affects their company in a commercial capacity, especially if this isn’t specifically excluded in their policy.
However, for insurers, this is a worrying and potentially extremely costly loophole that must be addressed urgently. As companies continue to rely on Silent Cyber under their non-cyber-specific policies, and as cyber incidents continue to increase, insurance firms will need to act – either by specifically excluding cyber from commercial policies or by developing more cyber-centric policies that fit a business’s needs.
Thinking for the future
Despite the cyber insurance industry growing rapidly, many believe that aspects and policies of the market are as yet untested. While some insurers do currently offer cyber-specific policies, many will have been rushed to the market in an attempt to capitalise on the growing trend of businesses investing more money and effort into protecting their organisation from cyber security risks. Businesses may also question whether the insurance sector is able to keep up with the rapid pace of the cyber industry. Cyber threats are continuing to evolve, especially in the sophistication of the attacks, and typically new policies will lag behind.
To combat both of these issues, insurance firms must ensure they have thorough visibility of their clients’ cyber health. Insurers must work hand in hand with their clients to ensure that a robust assessment of the business’s cyber maturity is carried out. Following this process, the insurance firm can then develop a tailored cyber policy based on the needs of the business as evidenced in the assessment. This will help build trust between the company and the insurer and allow the company to feel safe knowing that any cyber incidents will be covered under their bespoke policy.
Silent Cyber will only continue to be an issue if insurance firms and companies fail to understand the benefits of cyber-specific policies. Companies don’t want to risk their insurer refusing to pay out a claim, and insurance firms do not want to lose out on the rapidly growing market. Both parties can benefit from working together to create personalised cyber policies that address cyber security risks.
Michael Aminzade is the Managing Director of Cyber at 6point6