Privacy & Data Security Law News

Ransomware, Data Breaches Expose Gaps in Cyber Insurance Market

July 24, 2019, 8:46 AM

As U.S. companies grapple with cyber crime costs, indiscriminate ransomware attacks, and hundreds of millions of dollars in data breach fines, many seek protection in a normally predictable bet—insurance.

But some companies have discovered the hard way that policies can be filled with gaps and exclusions. Some don’t cover all regulatory fines and penalties. Others may cover ransom payments made to end certain attacks, but not all the long-term damage to systems caused by the attack.

And in two ongoing court cases, insurers are contending that “war” exclusions allow them to not cover cyber attacks linked to Russian state actors.

“It’s not like car insurance and house insurance and the flood industry,” Scott Shackelford, law professor and cybersecurity program chair at Indiana University Bloomington, said. “It’s too early for an industry standard.”

Reports from insurance broker Marsh and the Council of Insurance Agents & Brokers indicate that at least one third of companies have adopted cyber liability policies in 2018, up from around a quarter in 2016. Cyber insurance can shield companies from millions in losses if a plan is purchased with attention to each aspect of coverage, insurance experts and brokers said.

As cyber liability policies continue to develop, insurers globally see technology and cybersecurity as the first and second largest risks facing the industry in the next two to three years, according to a July report from the Centre for the Study of Financial Innovation and PriceWaterhouseCoopers.

“Really the issue now is that making sure the policies they are buying is mapping up to the risks they face legally should the incidents occur,” Ryan Sulkin, a cybersecurity attorney and partner at Michael Best & Friedrich LLP, said.

AXA US and American International Group Inc. are among those leading the market in direct premiums written for pure cyber insurance, accounting for $488 million in premiums last year, according to a June report from credit-rating agency A.M. Best Co. Inc. The top policy writers for all types of cyber coverage are The Hartford Financial Services Group Inc., Liberty Mutual Group Inc. and Farmers Insurance Group.

Cyber premium volume exceeded $2 billion for the first time in 2018, and the total number of cyber insurance claims surpassed 10 million last year, according to the report.

So far, it’s been a highly profitable business. While losses have risen, the ratio of claims payments and related costs was less than 25 percent in 2018, though those margins aren’t expected to last, according to Best.

Pay or Not Pay

“Kidnapping” data and holding it hostage—known as a ransomware attack—has crippled some of the world’s largest companies, including AP Moller-Maersk A/S, the largest shipping conglomerate. In 2017, the FBI estimated that ransom payments had reached about $1 billion that year, and attacks have only increased in frequency since then, according to a December 2018 report from Cybersecurity Ventures.

The FBI recommends against paying digital ransoms because payments don’t guarantee successful data recovery and can make hackers more likely to attack again, according to its guidance for chief information security officers.

In an insurance policy, the decision whether or not to pay the ransom is usually up to the company, and a quality plan will cover the costs, according to Stephen Viña, a senior vice president and senior advisory specialist for the cyber practice at Marsh & McLennan Cos., Inc., one of the world’s largest insurance brokerage companies. Viña is also the former Chief Counsel for Homeland Security on the U.S. Senate Committee on Homeland Security and Governmental Affairs.

But downstream cost coverage associated with ransomware attacks—like new hardware, data recreation, reputational losses, and some lawsuit costs—isn’t guaranteed under every plan, Sulkin said. The costs of recovery for a ransomware attack can vary depending on whether or not a company decides to pay the ransom. The decision to pay or not pay the ransom can then determine what’s covered under the plan, attorneys said.

Is This War?

Two landmark cases making their way through the courts center on whether insurance companies can refuse to cover the costs of a cyber attack linked to nation-state actors.

In 2017, a highly infectious strain of ransomware known as NotPetya swept across corporations in the United States, slamming Maersk, food conglomerate Mondelēz International Inc. and multinational pharmaceuticals company Merck & Co. Inc. When Merck and Mondelēz filed insurance claims for ransomware damages, the insurers refused to pay because the ransomware was linked to Russian state hackers. The companies took their insurers to court, with Mondelēz suing Zurich Insurance Group AG for $100 million.

The two cases, which may take years to resolve, hinge on a policy provision known as the war clause or war amendment, which exempts insurers from claims related to “hostile or war-like action,” attorneys said. These cases will test how an exclusion like this can apply in a digital world where cyber attribution can be difficult and war in cyberspace is hard to define, Asaf Lubin, a cybersecurity policy fellow at the Fletcher School of Law and Diplomacy and an affiliate at the Berkman Klein Center, said.

These cases both involve property or general liability policies that the companies used to cover their cyber risks, rather than a standalone cyber insurance plan, Viña said. Insurers are increasingly dropping cyber liability coverage from broader liability policies, in part because of the complicated nature of the risks and attacks.

But some stand-alone cyber policies do include an exemption for “state-sponsored cyber attacks,” which is more specific than the typical war exclusion seen in broader policies, Lubin said. Attorneys specialized in this area believe the Merck and Mondelēz cases are important for defining the rules of the cyber insurance industry, especially because the biggest ransomware attacks often have some sort of state link.

“These determinations will have long-lasting impacts on our understanding of tailor-made exclusions in standalone cyber policies, such as state-sponsored attacks,” Lubin said.

As those cases play out, companies should look for standalone policies that cover state-linked attacks, attorneys said.

Rules Are Rules

Companies also need to be sure their coverage accounts for shifting privacy regulations internationally and in the United States, Erica Williams, a partner in the government, regulatory, and investigations group of Kirkland and Ellis LLP, said.

“Because of the rapidly evolving regulatory landscape, that it is a challenge for companies to make sure that they are obtaining cyber coverage that’s going to cover all the potential liability that they may face,” she said.

The EU’s General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA) require companies to get user consent to use personal data, Viña said. These requirements increase data protection and privacy legal burdens, meaning legal liability and related costs are also growing in scope.

Cyber insurance policies will adjust to cover new legal and compliance costs as regulations shift, usually before they go into effect, Viña said. But Williams and other attorneys warned that companies need to make sure their policies are up to date.

Indiana University’s Shackelford suspects some policies may stop covering large fines and penalties under these laws. The U.K.’s data protection authority recently proposed record-breaking fines against British Airways and Marriott International under the GDPR, which will likely increase premiums, attorneys said.

Companies can generally limit their cyber liability risk and improve relationships with their insurer by agreeing on risk mitigation levels in their policies and taking proactive security protections, Williams said.

“It’s definitely an issue that has been brought to litigation. Courts have been asked to construe cyber policies to determine if the company’s security was adequate,” she said.

To contact the reporter on this story: Anna Kramer in Washington at akramer2@bloomberglaw.com

To contact the editors responsible for this story: Keith Perine at kperine@bloomberglaw.com; Bernie Kohn at bkohn@bloomberglaw.com