The cyber insurance industry is hot. Most analysts see an average increase of revenue of 24 per cent by 2026. According to some experts, companies buying cyber insurance may not be covered.
While the market appears quite healthy, cracks are forming. Payouts for ransomware are growing faster than the insurance industry can capitalize them. Premiums are rising to cover the potential losses but are not keeping pace with the claims. As a result coverage limits are dropping. Moreover, Insurance companies are using weak reasons to not pay claims, leading to multiple lawsuits.
Two common but little-discussed clauses in standard policies allow insurance companies to deny coverage without telling the insured: the war exclusion and “silent, non-affirmative” wording in the policy language.
The international food company Mondelez sued Zurich American Insurance Company, for invoking the war exclusion in the NotPetya breach. The breach affected multiple countries around the world. In the case of Mondelez, the claim was for $100 million for damage to the operational technology. When the US State Department blamed the Russian government, Zurich called it an act of war and invoked the exclusion. The problem is, an insurance company cannot declare a war exists. Still, the insurance company was looking for an out.
In the case of “silent non-affirmative” language, the insurance company doesn’t have to say why they may deny or cover a claim. According to Gerry Kennedy, CEO of Observatory Holdings, the insurance industry, only covers ransoms to protect human life by industry standards. That standard is rarely stated in policies and, therefore, is non-affirmative. If a ransomware attack shuts down an ICU in a hospital, then it might be covered to protect human life. If a company database or a data centre is damaged, the carrier could deny the claim.
Flipping the script
Kennedy says the workaround for that possibility is to file a “reservation of rights” letter with the insurance company before they do it to you.
“A longstanding practice in the insurance industry is for the carrier to send a Reservation-of-Rights letter when are denying coverage,” he explained. “It is a legal document to notify an entity about their coverage. When a carrier sends it to an insured, they do so stating that the claim may not be covered under the existing policy, but they are going to conduct a further investigation into the matter.”
Kennedy said nothing stops policyholders from “flipping the script” on the insurance company and stating what they understand is covered, preempting denial of coverage. This document also bypasses the non-affirmative stance, forcing insurance companies to clearly state what they won’t cover in a cyberattack.
Insurance industry getting a clue
Lloyd’s of London now stipulates that first-party property damage policies must be clear whether cyber coverage exists . The company outlined several additional classes needing to address cyber. Kennedy, who is also an insurance broker, is representative of multiple carriers that identify and address exposures.
When the insurance company sends out the reservation-of-rights letter to the policyholder, it’s a customary practice to protect the rights of the carrier. Kennedy and his team came up with their own version designed to protect the policyholder rights, prior to a breach.
Making a profit is hard
Part of the problem is the actual funding of potential claims. The insurance company not only has to come up with the ransom amount, but fund any liabilities that may come from government fines for stolen customer data, lost business, replacement of equipment and labour to restore attacks systems. The bottom line is, the premiums do not cover all of that.
“Insurers are changing their appetites, limits, coverage and pricing,” Caspar Stops, head of cyber at insurance firm Optio, said. “Limits have halved – where people were offering 10 million pounds ($13.50 million), nearly everyone has reduced to five.”
In the meantime, there is significant pressure on national governments to outlaw the payment of ransoms in cyberattacks. There are already bills before the UK Parliament and in several US state legislatures to enact such a ban. The EU, on the other hand, is proposing a law to require cryptocurrency transparency, which would unmask the criminals.
However, there may be no need for insurance. U.S. companies can write off ransomware payments as “ordinary, necessary, and reasonable” expenses, so paying the ransom makes good business sense. In the end, however, paying ransom encourages criminals so banning them may help everyone but the criminals.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.