Monday, 29 August 2022

Many Australian businesses are facing the painful realisation that their cyber insurance coverage may be nowhere near as comprehensive as initially believed.

Recent cases are revealing unrealistic expectations of cyber insurance policies or failure to understand them in the first place, while insurers narrow policy limitations and lift minimum cybersecurity requirements. All organisations should be reviewing their cyber insurance policies as well as prioritising risk management strategies.

A recent Australian court ruling found that automotive distributor and service firm Inchcape could not claim costs incurred in the clean-up and recovery after a cyber attack. In a clear example of a company failing to understand its policy’s terms and conditions, and thus the style of coverage provided, the federal court judgment declared that Inchcape’s financial losses were incurred as a result of its own decisions, not as a direct result of the cyber attack.[1]

The catch here was that the insurance policy contained multiple references to the phrase “…direct financial loss resulting directly from…”, which limited the insurer’s liability. Lawyers for the victim pointed out that the way “direct” claimable and “indirect” claimable costs were described in the judgment would be of concern to organisations with similar policies, suggesting their coverage was potentially inadequate. Granted, Inchcape tried to make this claim on its crime policy, as it didn’t have cyber insurance. Even if it had, however, there may have been many grey areas with which to contend, as cyber insurance is an evolving space and one often viewed by industry insiders as in its infancy.

Another case illustrating this is the data breach suffered by pharmaceutical giant Merck & Co. In 2017, the company endured an estimated $1.9 billion in losses after a NotPetya ransomware attack believed to have been initiated by state-sponsored Russian hackers.[2] Despite Merck’s “all-risks” policy, it was forced into a lengthy five-year, high-cost court battle when insurer International Indemnity pursued an exemption after declaring the hack “…an act of war,” due to the ransomware’s believed origin. Merck eventually won the case, but it sounded warning bells for two reasons. Firstly, most organisations would not have had the resources to fight such a battle. Secondly, it prompted some insurers to add more robust cyber exclusions to their policies.

For businesses, the significance of cyber insurance still being an evolving area is that policies may not cover lost profits, even if they cover operational losses such as payroll and restoration costs.[3] Cyber insurance policies also tend not to cover the tangible consequences of an attack, such as a breach causing a manufacturing firm to supply contaminated goods to customers, leading to illness. In such cases, a company would have to rely on other business and insurance policies. Similarly, most cyber policies do not cover new software in the case of damaged equipment, but instead only provide for software to be restored to the same version being operated at the time of the attack.

It should also be clear that cyber insurance policies need to be regarded differently from their more stock-standard counterparts. As a rule, they should be reviewed by legal counsel specifically through the lens of cyber risk management. We find that what is often misunderstood is the sheer extent of the exclusions that insurance companies can rely on to avoid paying cyber breach-related claims.[4]

Concerningly, the increasing scale and number of cyber attacks are inflating insurance premiums to levels that for some may eventually become unaffordable. Cyber insurance premiums increased by an average of 27.5% in Q1 2022, according to The Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index.[5] While down from 34.3% in Q4 2021, this was still a dramatic increase. Meanwhile, coverage limits were lowered, especially for specific industry sectors such as healthcare and education.[6]

Reasons given by respondents to the council’s survey indicated the number of claims as the primary driver, with one respondent noting that cyber attacks can affect any business. High costs are especially worrying for small and medium-sized businesses, which may not have the same ability or financial resources as larger companies to respond to attacks or to challenge insurance company decisions in court.

Furthermore, even if a company is financially compensated via a claim, reputational damage and other losses will still have an impact on company performance long after the initial data breach. The average cost of a cyber claim in Australia, while still below the global average, is roughly $3.35 million – an increase of almost 10 per cent year-on-year.[7] The top three industries impacted were finance, technology and services. However, it should be noted that cyber attacks are now widespread across all industries, and especially among major infrastructure organisations.

Cyber insurance is, of course, still an important risk management tool. But it should be viewed as a safeguard – something to be relied upon only as a last resort should a cyber incident occur. The primary focus for organisations must continue to be on preventative measures and on taking cyber risk management strategies more seriously.

[2] Andrea Vittorio, Merck’s $1.4 Billion Insurance Win Splits Cyber From ‘Act of War’ (20 January 2022) <>
[3] Connected Risk Solutions, Things Cyber Insurance Does Not Cover (n.d.) <>
[4] Chris Martin, Rising cyber attacks could make insurance unaffordable (28 March 2022) <>
[5] The Council of Insurance Agents & Brokers, Commercial Property/Casualty Market Index Q1/2022 (25 May 2022) <>
[6] United States Government Accountability Office, Cyber Insurance: Insurers and Policyholders Face Challenges in Evolving Market (20 May 2021) <>
[7] Sasha Karen, Average cost of an Aussie data breach pinned at $3.35M (29 July 2020) <>