Dark clouds hover over the booming cyberinsurance industry. Cyber policies currently value an estimated $5.2 billion and should reach $7.5 billion by the end of the decade. However, a recent lawsuit shows that these policies might not protect insurance holders as well as they had believed.
After NotPetya — a malware program allegedly produced by Russia — struck Mondelez International in 2017, the food giant filed a claim with Zurich American Insurance for $100 million in damages. Zurich had initially agreed to a payment of $10 million but then denied the claim, citing a policy exception for warlike actions. Mondelez filed a lawsuit in response, and although that lawsuit has centered around the definition of cyberwar, it has also drawn attention to several broader concerns with cyber policies.
The spotlight reveals cracks in the shadows
In the wake of the Mondelez lawsuit, journalists and industry insiders have paid more attention to the most common gaps and cracks found around the edges of standard, off-the-shelf policies:
- Cyberinsurance policies may not protect you from yourself. Off-the-shelf policies often only cover attacks and unauthorized access, not accidents. They may also exclude software or systems that are still in development.
- Your coverage may not extend beyond your walls. Outsourced systems may not receive full coverage, or they may be excluded. Contractors may also fall outside of coverage – even when your business is legally responsible.
- Standard policies may introduce unwanted complications. The notification requirements can be overly complex, and insurance companies may limit your ability to appoint your own IT, PR and legal specialists in the wake of an attack.
- An off-the-shelf policy may not cover the full costs of a cyber event. Protection against data breaches may only cover the money you are legally bound to spend, rather than the larger, practical costs. Likewise, systems interruption coverage may not account for any disruption of business that follows the restoration of network services.
At the very least, if you consider a standard cyber policy, you will want to perform a cyber risk assessment and make sure the policy covers your biggest needs. Otherwise, you might pursue a bespoke cyber policy. Just make sure you work with someone who fully understands the technical aspects of your cyber needs and the structure of your policy.
Understand your needs
Cyberinsurance policies are likely to change in the wake of the Mondelez decision, but it could be months or years before the suit settles. For now, business owners will want to take close stock of their cybersecurity needs and their policies to make sure the two line up.