Catastrophic risks such as natural disasters and indeed cyberattacks require insurance. Insurers can afford large payouts when one insured party is hit – by pooling risks and drawing on the insurance premiums from the insured companies that weren’t affected.
But for insurance to work there needs to be a sense of fairness – insurers need to make sure that insurance policies are not abused. For example, avoiding the situation where a company applies for a policy because they have pre-existing knowledge that they will rapidly claim on the policy.
These safeguards are written into the terms and conditions of a policy. However, with cybersecurity insurance, these terms and conditions – also known as the fine print – are becoming an increasingly contentious issue, so much so that there are now valid questions around the value of cybersecurity insurance.
In this article, we’ll cover the problems around what’s called war exclusions clauses – and explain why the fact that insurers are writing these clauses into the fine print of policies is rendering cyber insurance of much less value.
Understanding cybersecurity insurance
A cyber attack that succeeds can have truly catastrophic effects – costing millions in lost business, major reputational harm, and – at worst – closure of an entire organization. This class of disaster is a typical example of a risk that demands an insurance scheme. In return for a premium, companies that buy cyber security insurance should in theory be covered for their losses.
The increase in successful, damaging cyberattacks is what led to a clamor for insurance products. For example, one widespread ransomware attack – NotPetya – resulted in costs that were estimated at the $10bn level.
Demand for cyber security insurance is driven not just by the fact that the losses are potentially catastrophic. The difficulty in protecting organizations against attacks like ransomware is an equal factor. In essence, it can be almost impossible to provide airtight protection against attacks – the steady flow of new vulnerabilities and exploits is difficult to keep up with. In other words, a cyber attack is a catastrophe that can strike any organization – so it’s sensible to buy insurance against it.
Depending on your policy you may be covered for most of the damaging effects of a cyber attack – from the loss of valuable data to the loss of income that results from the disruption of an attack. Extortion can also be included in your cover, in which case you’ll get your money back if you do end up paying a ransom.
The insured amount and the conditions under which the policy will pay out are documented in the “policy document”, also called the fine print. It’s worth noting that the fine print also contains another important aspect of a policy – the circumstances under which the policy will not pay out, even if you suffered a loss.
Why the fine print is causing concern
If you think about it, it’s completely reasonable for an insurance company to put some limits on the conditions under which a policy pays out. The insurer needs to make sure that it is protected against fraudulent claims – and against opportunistic claims.
So fine print is not always something to worry about – it’s just something that ensures both parties in a contract are treated fairly. Fine print ensures both parties know what’s expected of them, including what entitlements the policyholder has under the contract.
It’s common, for example, for cyber insurance policies to require companies to make at least some effort to protect their workloads. Why? Well, unguarded workloads are an open target for attackers, and it’s not fair to expect insurance cover to pay out when simple precautions are not taken.
This brings us to an increasingly common item in the fine print that is cause for concern. Today, cyber insurance policies include a clause that states that the insurance policy will not pay out if the attack and resulting damage was the result of warfare, or war-related action. We’ll take a look now into why that matters.
War exclusions add to the complexity
Cyberattacks are now commonly a part of international warfare – state actors attack their enemies not just in the physical realm, but also through electronic warfare. In the past, war exclusions have commonly been included within the fine print of insurance policies on the grounds that war is such a catastrophic event that an insurer won’t survive as a business if all its policyholders claim for war-related damage, all at the same time.
Just like ordinary warfare, warfare in the cyber realm is indiscriminate – anything and everything can get destroyed, far beyond the original targets. So insurers have valid cause for adding an exclusion clause, but particularly under the current geopolitical climate, war exclusion clauses are leading to some issues.
Defining exactly what war is, that’s just the first problem. But there’s a more challenging issue. To whom do you attribute the damage caused by a cyberattack? Cyber criminals are not the most forthcoming – an attack occurs, and the perpetrators disappear into the dark. It is difficult to know who the true actors were behind a ransomware attack.
In other words, it’s not simple to decide whether the attack was an act of war, or due to something else. Was it a state group? Possibly – but it’s hard to pinpoint. Of course, if it was a state group that acted to achieve war aims, the insurer won’t pay out the claim due to the war exclusion clause.
Given the potential size of a cyber security insurance claim, it’s no surprise then that insurers would try to get out of paying the claim – by stating that there is cause to think the claim is the result of war-like activities.
Your contract may be scrutinized in court
An insurer can unilaterally refuse to pay a claim if they believe there are grounds to do so. Given the “chance” that a state actor is involved in an attack there is now a risk that an insurer would simply refuse to pay the claim – end of story. At least, according to the insurer.
As a policyholder, you could try to argue with the insurer, but with damages running into millions, chances are that the insurer will stand their ground. Your recourse: the courts. And that’s exactly what’s been happening to a number of ransomware claims as of late.
One example that recently made the headlines is Merck v. Ace American. Merck, a large pharmaceutical firm, fell victim to the NotPetya attacks which were linked to the Russian military. The insurer, Ace America, refused a USD 1.75bn claim from Merck by saying that cover was excluded because the actors behind NotPetya were after military gains in an act of war.
Merck didn’t accept the insurer’s argument and took Ace American to court. After more than three years, the court ruled in Merck’s favor, awarding the damages. In this case, the court decided that Ace American’s fine print was not sufficiently clear about the link between ransomware attacks and an act of war. It could have gone either way.
Good cybersecurity is the best insurance
While Merck won their case, the insurance industry also learned a lesson which is why the Lloyd’s Market Association published a document that contained several clauses that its members could use to tighten up war-related conditions around the payment of claims.
It may well be that future cases will be found in favor of the insurer and that the insured company would find it had no recourse for ransomware damage. In other words, there’s a real risk that the insurance you took out may not pay out.
While it’s worth thinking about ransomware insurance, and while paying the premiums may well lead to a big payout, it is important to understand that a cyber risk policy will only go so far. Protecting your organization against an attack is by far the most important thing you can do – insurance is just the very last resort.
You need to go well beyond the minimum cybersecurity requirements of policies. Our live patching solution – KernelCare Enterprise – is one of the many tools that should be in your arsenal. Getting airtight cybersecurity isn’t realistic but you want to get as close as possible, and KernelCare is a key step.
In essence – yes, take out cybersecurity risk insurance if the premiums are sensible. But beware that your policy will contain fine print which may catch you by surprise at a later stage.