According to cybersecurity insurance experts at KordaMentha, cyber insurance coverage may not be nearly as comprehensive as initially thought.
A recent Australian court ruling found that car dealer and service company Inchcape could not claim costs incurred for cleanup and recovery after a cyberattack.
According to KordaMentha analysts, the Inchcape case is a clear example of a company failing to understand the terms and conditions of its policy and the style of cover provided. The Federal Court ruled that Inchcape’s financial losses were incurred due to its own decisions, and not as a direct result of the cyberattack.
“The problem here was that the insurance policy contained multiple references to the phrase ‘direct financial loss resulting directly from’, which limited the liability of the insurer,” KordaMentha analysts said.
Lawyers for the victim pointed out that the way in which “direct” and “indirect” claimable costs were described in the judgment would be of concern to organizations with similar policies, suggesting their coverage was potentially inadequate.
According to KordaMentha analysts, Inchcape attempted to make this claim under its crime policy because it had no cyber insurance.
“Even if that were the case, however, there might have been many gray areas to wrestle with, as cyber insurance policy is an evolving space and one often considered by industry insiders as in its beginnings,” KordaMentha analysts added.
Cyber insurance policies should be viewed differently from their more standard counterparts. Generally, they should be reviewed by legal counsel specifically through the prism of cyber risk management, KordaMentha analysts explained.
“What is often misunderstood is the scope of exclusions that insurance companies can rely on to avoid paying claims related to a cyber breach,” KordaMentha analysts said.
Another case illustrating this was the 2017 data breach suffered by pharmaceutical giant Merck & Co. The company suffered losses estimated at $1.9 billion after a NotPetya ransomware attack, allegedly launched by Russian state-sponsored hackers.
Despite Merck’s “all risks” policy, Merck was forced into a costly five-year-long legal battle when insurer International Indemnity sought an exemption after declaring the hack an “act of war” due to the presumed origin of the ransomware.
Merck eventually won the case, but KordaMentha analysts say it “sounded the alarm bell” for two reasons.
First, most organizations would not have had the resources to fight such a battle. Second, it has prompted some insurers to add more robust cyber exclusions to their policies.
“For businesses, the importance of ever-evolving cyber insurance is that policies may not cover lost profits, even if they cover operational losses such as payroll and catering costs.”
“Cyber insurance policies also tend not to cover the tangible consequences of an attack, such as a breach causing a manufacturing company to supply contaminated products to customers, resulting in illness. In such cases, a business should rely on other business and insurance strategies.”
“Similarly, most cyber policies do not cover new software in the event of damaged equipment, but only provide for the restoration of software to the same version running at the time of the attack”, KordaMentha analysts said.
According to the Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index, cyber insurance premiums increased an average of 27.5% in the first quarter of 2022. Although down from 34.3% in the fourth quarter of 2021, this was still a dramatic increase, and coverage limits have been lowered at the same time, particularly for specific industry sectors such as healthcare and education.
The reasons given by respondents to the council’s survey indicated that the number of complaints was the main driver, with one respondent noting that cyberattacks can affect any business. High costs are a particular concern for small and medium-sized businesses, which may not have the same capacity or financial resources as larger companies to respond to attacks or challenge insurance company decisions in court.
Even if a business is financially compensated for a claim, reputational damage and other losses will still affect its performance long after the initial data breach.
Data from the Council of Insurance Agents & Brokers’ Index shows the average cost of a cyber claim in Australia, while still lower than the global average, is around $3.35 million, an increase of almost 10% year-on-year. The three main sectors affected are finance, technology and services.
“It is important to note that cyberattacks are now prevalent across all industries, and especially in large infrastructure organizations,” KordaMentha analysts concluded.