Exclusions in cyber insurance make preemptive measures critical
By now the risk of a cyber breach or attack is well known. Numerous studies illustrate the potential damage in terms of business interruption, loss of valuable data, fraud and theft of intellectual property, among others.
Cybersecurity Ventures' annual cybercrime report for 2019 expects the cost of cybercrime to skyrocket from US$3 trillion a year in 2015 to US$6 trillion by 2021, making it more profitable than the global trade of all major illegal drugs combined. Corporates recognise the risk, but the state of preparedness is patchy at best. A global survey of 1,300 executives by Marsh and Microsoft found that two-thirds of respondents ranked cybersecurity among the top five risk management priorities. But slightly under a fifth expressed high confidence in their organisation's ability to manage and respond to a cyber event, and only 30 per cent have developed a plan to do so.
Standalone cyber insurance is one way to mitigate the risk, and there are indications that the market is growing. Annual premiums for cyber cover globally are relatively modest at US$3 billion, mainly concentrated in the US. This is expected to grow. But the truth is that cyber risk is evolving much faster than the insurance industry can cope with. Worse still, a policy is typically designed with exclusions that, when activated, may well lead clients to question the protection they ostensibly paid for in the first place. This issue is currently playing out in the courts in the US, where insurers are being sued for refusing cover by citing the standard war or terrorism exclusion, under which losses arising from acts of war, terrorism or invasion are not covered. Among the plaintiffs is food group Mondelez, which has sued Zurich Insurance for refusing to pay for the damage caused by the NotPetya malware. Separately, Merck has sued 20 insurers for rejecting claims also related to NotPetya.
Copyright SPH Media. All rights reserved.