What businesses need to know as cyber insurance evolves.
Many Australian businesses are faced with the painful realization that their cyber insurance coverage may not be as comprehensive as initially believed.
Recent cases reveal unrealistic expectations of cyber insurance policies or a failure to understand them in the first place, while insurers are reducing policy limits and lifting minimum cybersecurity requirements. All organizations should review their cyber insurance policies and prioritize risk management strategies.
A recent Australian court ruling found that car dealer and service company, Inchcape, could not claim costs incurred for cleanup and recovery after a cyberattack. In a clear example of a company not understanding the terms and conditions of its policy and therefore the style of coverage provided, the federal court judgment said that Inchcape’s financial losses were incurred as a result of its own decisions, and not as a direct result of the cyberattack.1
The catch was that the insurance policy contained multiple references to the phrase “…direct financial loss resulting directly from…” which limited the liability of the insurer. Lawyers for the victim pointed out that the way in which “direct” and “indirect” claimable costs were described in the judgment would be of concern to organizations with similar policies, suggesting their coverage was potentially inadequate. Admittedly, Inchcape tried to push this claim on its crime policy because it didn’t have cyber insurance. Even if it had held a cyber policy, however, there might have been many gray areas to grapple with, as cyber insurance is an evolving space and often considered by industry insiders to be in its infancy.
Another case illustrating this is the attack suffered by pharmaceutical giant Merck & Co. In 2017, the company suffered losses estimated at $1.9 billion after a NotPetya ransomware attack allegedly launched by Russian state-sponsored hackers.2 Despite Merck’s “all risks” policy, Merck was forced into a costly five-year legal battle when insurer International Indemnity sought an exemption after declaring the hack “…an act of war” because of the ransomware’s believed origin. Merck eventually won the case, but the dispute raised alarm bells for two reasons. First, most organizations would not have had the resources to fight such a battle. Second, it has prompted some insurers to add more robust cyber exclusions to their policies.
For businesses, the significance of this ongoing evolution is that policies may not cover lost profits, even if they cover operational losses such as payroll and catering costs.3 Cyber insurance policies also tend not to cover the tangible consequences of an attack, such as a breach causing a manufacturing company to supply contaminated goods to customers, resulting in illness. In such cases, a company should rely on other commercial and insurance policies. Similarly, most cyber policies do not cover new software in the event of damaged equipment, but only provide for software to be restored to the same version that was in use at the time of the attack.
It should also be clear that cyber insurance policies should be viewed differently from their more standard counterparts. Typically, they should be reviewed by legal counsel specifically from a cyber risk management perspective. We find that what is often misunderstood is the sheer scope of exclusions that insurance companies can rely on to avoid paying claims related to cyber breaches.4
Additionally, the growing scale and number of cyberattacks are inflating insurance premiums to levels that for some may eventually become unaffordable. Cyber insurance premiums increased by an average of 27.5% in the first quarter of 2022, according to the Council of Insurance Agents & Brokers’ Commercial Property/Risk Market Index.5 Although down from 34.3% in Q4 2021, it was still a dramatic increase. Meanwhile, coverage limits have been lowered, especially for specific industry sectors such as healthcare and education.6
The reasons given by respondents to the council’s survey indicated that the number of complaints was the main driver, with one respondent noting that cyberattacks can affect any business. The high costs are of particular concern for small and medium-sized businesses, which may not have the same capacity or financial resources as larger companies to respond to attacks or challenge insurance company decisions in court.
Additionally, even if a business is financially compensated through a claim, reputational damage and other losses will still impact business performance long after the initial data breach. The average cost of a cyber claim in Australia, while still lower than the global average, is around $3.35 million, an increase of almost 10% year-on-year.7 The three main sectors affected are finance, technology and services. However, it should be noted that cyberattacks are now prevalent across all industries, and especially in large infrastructure organizations.
Cyber insurance remains of course an important risk management tool. But it should be seen as protection – something that can only be relied on as a last resort in the event of a cyber incident. Organizations must continue to focus primarily on preventative measures and take cyber risk management strategies more seriously.
1 Ry Crozier, Australian court rules insurer not liable for ransomware cleanup costs (August 9, 2022) HTTPS://WWW.ITNEWS.COM.AU/NEWS/AUSTRALIAN-COURT-FINDS-INSURER-NOT-LIABLE-FOR-RANSOMWARE-CLEAN-UP-COSTS-583681
2 Andrea Vittorio, Merck’s $1.4 billion insurance win separates cyber from ‘act of war’ (January 20, 2022) HTTPS://NEWS.BLOOMBERGLAW.COM/PRIVACY-AND-DATA-SECURITY/MERCKS-1-4-BILLION-INSURANCE-WIN-SPLITS-CYBER-FROM-ACT-OF-WAR
3 Connected Risk Solutions, What cyber insurance does not cover (n.d.) HTTPS://CONNECTEDRISKSOLUTIONS.COM/THINGS-CYBER-INSURANCE-DOES-NOT-COVER/
4 Chris Martin, Rise in cyberattacks could make insurance unaffordable (March 28, 2022) HTTPS://KORDAMENTHA.COM/INSIGHTS/THE-AUSTRALIAN-RISING-CYBER-ATTACKS-COULD-MAKE-INS
5 The Council of Insurance Agents and Brokers, Commercial property/damage market index Q1/2022 (May 25, 2022) HTTPS://WWW.CIAB.COM/RESOURCES/Q1-PC-MARKET-SURVEY-2022/
6 United States Government Accountability Office, Cyber insurance: Insurers and policyholders face challenges in a changing market (May 20, 2021) HTTPS://WWW.GAO.GOV/PRODUCTS/GAO-21-477
7 Sasha Karen, Average cost of Australian data breach pinned at $3.35 million (July 29, 2020) HTTPS://WWW.ARNNET.COM.AU/ARTICLE/681738/COST-AVERAGE-AUSSIE-DATA-BREACH-PINNED-3-35M/