Blog / The Evolving Realities of Cyberinsurance
The cyberinsurance industry is changing.
Cyberinsurance is proving to be a great source for topical cybersecurity newsletters. Recently I wrote about how cyberinsurance now includes physical protection of electronic data as a consideration. Then there was the case of the insurance company that lost a lawsuit for denying a ransomware claim with the excuse that the attack was an act of war, which in turn became a story about Lloyds of London’s (the inventors of cyberinsurance) started publishing advice on updating act of war clauses.
So why are we revisting the topic again? Well, there’s now a second lawsuit involving cyberinsurance. Like the pharmaceutical company that had to sue over NotPetya, Mondelez International suffered a NotPetya ransomware attack, and subsequently had their claim denied for the same reason. Clearly the decision to try and classify certain strains of Ransomware as acts of war is not unique to a single insurance provider.
Now in this case the amount of the claim was significantly lower, and the parties have managed to settle without a judge stepping in.
So, if the situation is settled, what’s the big deal?
Well, in this case the insurers act of war clauses weren’t actually tested in court against the rule of law. In Merck’s case the insurance company lost which meant they needed to update their act of war clauses so as to not lose a similar case again.
On the other hand, this case was settled between the two parties. Although the exact value of the settlement hasn’t been published, it was almost certainly for less than the original claim, letting the insurer pay out less than might have been required. Mondelez’s reasons for settling remain their own.
Even without knowing the exact reasons, it’s likely the insurer chose to settle because they didn’t feel they could win a court challenge. As a result, you can be almost equally certain they’re also updating their existing act of war clauses, even though they never came under judicial scrutiny. In fact I’m personally convinced Merck’s successful $1.4 billion claim was noticed by the industry and is driving this behaviour (and possibly why Lloyds of London released updated act of war clauses). They’re all likely going to try and settle out of court while they update their policies to reflect the new reality.
From one-off to ongoing trend.
With a straight up loss in court regarding act-of-war clauses, one of the leading cyberinsurance providers putting out guidance, and now a settlement payout to avoid putting current clauses in front of a judge, it’s clear insurers are adapting their long-term strategies as the industry evolves. The potential losses that organizations face due to cyber incidents are massive, and insurers are almost certain to invoke every contractual clause they can to limit payouts. As with vehicle insurance, cyber incidents resulting from your own negligence may not be covered and even if they are, certainly not entirely.
As Gloucester opines in King Lear: “These late eclipses in the sun and moon portend no good to us.”
If you’d like help with your cyberinsurance compliance, contact us and we’ll be happy to help out.
Be kind, courtesy your friendly neighbourhood cyber-man.