As the cost and frequency of cybersecurity breaches continue to rise, it’s no surprise that cyber insurance has entered the boardroom discussion at more corporations. In 2018, the average cost of a cybersecurity breach was $600,000—and over $9 million for large companies of $2 billion or more.

“Having a cyber insurance policy can help to offset the cost of incident response and damage recovery following a major cybersecurity incident,” said Jeff Welgan, who heads executive training programs for CyberVista, an IT and cybersecurity training and workforce development company. “However, insurance is not the ultimate catch-all solution for all of your cyber risk,” he explained—especially after January 2019.

If you’re not careful, your claim can fall through the cracks.

— Jeff Welgan, Head of Executive Training Programs, CyberVista

A pivotal exclusion—with potentially expensive implications

The future of cyber insurance may be determined by a global snack manufacturer. In 2017, Mondelez—the multinational corporation behind Oreos, Philadelphia Cream Cheese, and Nilla Wafers—was one of the many victims of the NotPetya cyber attack. Mondelez lost 1,700 servers and 24,000 laptops, saw a 5 percent drop in quarterly sales, and filed a claim with its insurance provider, Zurich American Insurance Company.

It was all business as usual until the U.S. and UK governments publicly attributed the NotPetya cyber attack to the Russian military. Zurich then asserted that the attack was an “act of war by a government or a sovereign power” and therefore fell under a policy exclusion that denies coverage for such claims. It rescinded its offer of $10 million for property damage accrued during the attack. Mondelez responded with a $100 million lawsuit for breach of contract.

As the details of the lawsuit play out, what does this mean for boards? There is potentially good news for companies, according to Welgan: The burden of proof is on Zurich to show that Russia is responsible for NotPetya. “With attribution in the cyber domain an imprecise art, this may prove difficult.”

However, if Zurich wins the case, this loophole may allow insurance companies to “dodge payouts on damages caused by malware designed by nation states, leaving your organization on the hook to pay the full amount for any damages that may occur,” said Welgan. And this decision might set an expensive precedent in cases to follow.

What to Consider When Assessing Cyber Insurance

  • Consider a standalone policy. Boards should consider a stand-alone plan for cyber insurance rather than trying to file a claim for “property damage” under a property insurance policy, as Mondelez did. “Standalone policies cover any type of cyber attack and don’t rely on interpretive exclusions,” Welgan said.
  • Choose with care. Will you be allowed to use your preferred legal, forensic and public relations firms? If your preferred vendors are not covered by the policy, see if they can be approved at the outset.
  • Know your insurance policy’s start date. Is it retroactive? (Not all are.) A policy’s retroactive date sets how far back an intrusion may have begun and still be covered when it is discovered during the policy period. “This is important because it can sometimes take months, or even years, for an intrusion to be discovered,” said Welgan.
  • Pay attention to exclusions and limitations. “The Zurich-Mondelez case illustrates just how important it is to read the fine print of any insurance plan,” said Welgan.

When vetted appropriately, cyber risk insurance can be an important fail-safe for boards and companies—and potentially an important step in mitigating board liability in the event of a cyber breach. In a recent episode of Inside America’s Boardrooms, Christian Hoffman, President of Aon’s U.S. Cyber Solutions Retail sector, explains that in cases of D&O litigation, boards have been asked to demonstrate duty of care:

[Boards have] been asked what have you done to prepare, what have you done with your information security team, and ultimately did you buy a risk transfer, an insurance product, to address if all else failed?

— Christian Hoffman, President, U.S. Cyber Solutions, Aon

Don’t miss the full episode, What Boards Need to Know About Cyber Risk Insurance.