Expert insights reveal ‘not all cyber insurance policies are equal’

A recent Australian court ruling found automotive distributor and service firm Inchcape could not claim costs incurred in the clean-up and recovery after a cyber attack.

According to KordaMentha analysts, the Inchcape case is a clear example of a company failing to understand its policy's terms and conditions and the style of coverage provided, which resulted in the Federal Court judgement declared Inchcape’s financial losses were incurred due to its own decisions, not as a direct result of the cyber attack.

"The catch here was that the insurance policy contained multiple references to the phrase, "direct financial loss resulting directly from," which limited the insurer's liability," KordaMentha analysts said.

Lawyers for the victim pointed out that the way "direct" claimable and "indirect" claimable costs were described in the judgment would be of concern to organisations with similar policies, suggesting their coverage was potentially inadequate.

Inchcape tried to make this claim on its crime policy, according to KordaMentha analysts, as it didn’t have cyber insurance.

"Even if it did, however, there may have been many grey areas with which to contend as cyber insurance policy is an evolving space and one often viewed by industry insiders as in its infancy," KordaMentha analysts added.

Cyber insurance policies need to be regarded differently to their more stock-standard counterparts. As a rule, they should be reviewed by a legal counsel specifically, KordaMentha analysts further explained through the lens of cyber risk management.

"What is often misunderstood is the sheer extent of the exclusions that can be relied on by insurance companies to avoid paying cyber breach-related claims." KordaMentha analysts stated.

VIEW ALL

In 2017, another case illustrating this, is the data breach suffered by pharmaceutical giant Merck & Co. The company endured an estimated $1.9 billion in losses after a NotPetya ransomware attack, believed to have been initiated by state-sponsored Russian hackers.

Despite Merck’s "all-risks" policy, it was forced into a lengthy five-year high-cost court battle when insurer International Indemnity pursued an exemption after declaring the hack, "an act of war", due to the ransomware's believed origin.

Merck eventually won the case, but KordaMentha analysts asserts that it "sounded warning bells" for two reasons.

First, most organisations would not have had the resources to fight such a battle. Second, it prompted some insurers to add more robust cyber exclusions to their policies.

"For businesses, the significance of cyber insurance still evolving is that policies may not cover lost profits, even if they cover operational losses such as payroll and restoration costs."

"Cyber insurance policies also tend not to cover the tangible consequences of an attack, such as a breach causing a manufacturing firm to supply contaminated goods to customers which leads to illness. In such cases, a company would have to rely on other business and insurance policies."

"Similarly, most cyber policies do not cover new software in the case of damaged equipment, but instead only provide for software to be restored to the same version being operated at the time of the attack," KordaMentha analysts said.

According to The Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index, cyber insurance premiums increased by an average of 27.5 per cent in Q1 2022. Down from 34.3 per cent in Q4 2021, this was still a dramatic increase, while coverage limits were lowered, especially for specific industry sectors such as healthcare and education.

Reasons given by respondents to the council's survey indicated the number of claims as the primary driver, with one respondent noting cyber attacks can affect any business. High costs are especially worrying for smaller and medium-sized businesses which may not have the same ability or financial resources as larger companies to respond to attacks or challenge insurance company decisions in court.

Reputational damage and other losses will still have an impact on company performance due to a claim, long after the initial data breach due even if a company is financially compensated.

The Council of Insurance Agents & Brokers' Index data shows the average cost of a cyber claim in Australia, while still below the global average, is roughly $3.35 million – an increase of almost 10 per cent year-on-year. The top three industries impacted were finance, technology and services.

"It's important to note that cyber attacks are now widespread across all industries, and especially major infrastructure organisations," KordaMentha analysts concluded.

[Related: Enterprises increasingly prioritising budget for cyber security]