Ride the Lightning

Reporters Don't Understand Cyberinsurance and That is Driving Insurers Crazy

May 1, 2019

Risk & Insurance reported on April 25th that, with respect to the Mondelez/Zurich coverage dispute over losses from the NotPetya attack, reporters keep referring to Mondelez’s coverage as “cyber insurance,” when it is more accurately described as a property policy that had some cyber coverage bolted onto it. Otherwise reputable sources, including The New York Times, don't seem to be getting it right, to the frustration of insurance specialists who believe many media outlets are conflating terms and misrepresenting their products.

“Finally, as more (and more damaging) cyber attacks appear to be directed by national governments or their proxies, what is the point of having cyber insurance if such attacks are excluded from coverage? This is the question that many clients will ask themselves if the insurers win these two cases. In other words, a tactical victory for the insurers could spawn a strategic defeat,” said one Slate article.

Cyber underwriters are begging reporters to use correct terms to describe their product, but the reporters aren’t listening. The policy in question in the Mondelez case is a property policy with a bolted-on cyber element; it is not a stand-alone cyber policy, which carries a much higher premium and is more robust.

Insurers who have issued stand-along policies have in fact paid out on numerous NotPetya claims.

One commentator thinks that Zurich will end up paying on the policy: “Zurich provides cyber insurance policies and could have recommended that Mondelez buy one of them, which would have covered this type of NotPetya event,” he said.

“Mondelez decided to rely upon an addition to their property policy without really making it fully comprehensive. My guess is that Mondelez knew of the existence of cyber insurance policies but did not want to pay the additional premium. Zurich’s property underwriters wanted to keep a client happy and added cyber wording to their property policy without broadly understanding the consequences,” he added.

“Now that an unexpected claim has occurred, Zurich property underwriters have seized on a war exclusion. I suspect that Mondelez may actually get the benefit of the insurance, because the difficulties in proving that Russia is behind the attack are significant. If that is so, the premise behind the article that they did not get benefit of the insurance bargain will turn out not to be true,” he said.

“However, any insurance policy worth its premium should pay without the need for litigation and so insurers should be clear when they are extending their non-cyber insurance policies to cover cyber risks,” he said.

As a provider of capital to cover losses, insurance carriers are in the unenviable position of seeing their learning curve, and the learning curve of their insureds as it relates to cyber insurance, playing out in the court of public opinion. This has not gone well thus far for insurance carriers, particularly as the facts have been misrepresented.

It is estimated 30% to 40% of organizations do purchase a stand-alone cyber insurance policy, whose terms and definitions are far more clear with respect to the insurer's liability.

And yes, with respect to my own company, I made that expensive decision to ensure with clarity the coverage. But my wallet argued with me, so I understand the temptation to take bolt-on policies.

Hat tip to July Selby.

Email:    Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson