Monday, 28 March 2022 For many Australian businesses, insurance is a “set and forget”. Company executives assume that, after taking coverage for a specific issue, they will be covered. In the world of cyber security some recent examples show that is not always the case. The outbreak of war in the Ukraine, should give many businesses cause for concern. In 2017 a sophisticated cyber attack called NotPetya, and widely attributed to Russian hackers, was aimed at Ukraine. As is often the case, the hack extended beyond Ukraine and impacted hundreds of companies around the world. NotPetya hit the pharmaceutical giant Merck & Co, which suffered $US1.4 bn ($1.9bn) in business interruption losses. Merck made a claim against an all-risks insurance policy that provided coverage for losses from destruction or corruption of data and information – but immediately ran into trouble. The insurer, International Indemnity, rejected the claim and sought to invoke an act of war exemption. Only after a very lengthy and expensive series of legal proceedings was Merck successful. However, many other organisations may not have the significant resources required to pursue this path if their claim is denied. The disturbing consequences of the NotPetya attack continue to rumble through the cyber insurance market. With the Australian Cyber Security Centre publishing an urgent warning to organisations to protect themselves from the increasing threat of cyber attack, many businesses are suddenly taking up cyber insurance in an attempt to mitigate risk. But are they really covered? It is estimated that the global annual cyber insurance premium market is $US5 bn, with the market experiencing strong and increasing demand. Given the increase in number and severity of cyber attacks leading to higher claims, what was once a profitable line of business for insurers has quickly turned into a category with unsustainable financial returns. So serious is the financial outlook for insurers that S&P Global Ratings has warned of the potential for cyber risks to impact on insurers’ credit ratings. Lower credit ratings result in higher premiums across all insurance categories. As with all insurance contracts, the devil is in the detail. What is often not understood are the raft of exclusions and carve outs that can be relied on by insurance companies to avoid paying claims related to cyber breaches. Confusion is rife for businesses trying to navigate often tricky offerings, with some policies covering the costs associated with data and privacy breaches, while others claim to cover the entire spectrum of costs incurred as a result of a cyber incident. Many insurers have amended wording to make it clear that property and general policies do not automatically include coverage for cyber-related incidents. Others are introducing new exclusionary clauses that go beyond traditional acts of war and include cyber operations attributable to a state or those acting on its behalf. Meanwhile, cyber insurance limits are being lowered every year by insurers, sometimes even halved, while premiums increased by up to 40 per cent in 2021. Even when organisations completely understand the wording of their policy, there are many hurdles to jump before a successful claim can be made. The nature of cybercrime invites deception and misdirection and attribution of the attack to a specific hacker is not always possible. In other cases, the identity of a state-sponsored agent may be known but kept confidential for political or diplomatic reasons. The breakout of war in Ukraine has both cyber insurance providers and policy holders very concerned. While the conflict in Ukraine may seem like a war occurring in a faraway land, the world has seen many examples of self-seeding hacking tools deployed in one part of the world that quickly spread. Prior to Russian troops invading, cyber attacks were launched on Ukrainian financial, aviation and IT providers. In response, the Ukrainian Government announced that it had mobilised an IT army to fight off Russian hackers. NATO remains alert to the prospect of cyber attacks spreading to Western countries. Coupled with the uncertainty associated with cyber insurance in times of war, it is clear that organisations need to take cyber risk management more seriously. The worry is that viable, affordable cyber insurance may become “collateral damage’’ - another casualty of the war. This article was originally written by Chris Martin as an op-ed piece for The Australian. External media content and news articles published on this website are covered by KordaMentha’s commercial licence with The Copyright Agency. For more information, visit https://www.copyright.com.au. You must not copy this work without permission.