Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

Apr 15, 2019 · 31 comments
Geraldine Conrad (Chicago)
Doesn't a war have to be declared by governments to meet the definition? Of course, now that we have a president who is allied with Russia, all bets are off.
Bill Woodson (Ct.)
Shameless insurance companies always looking for a loophole. They are great at accepting premium but when claims come in, they will fight you tooth and nail saying you're not covered by the policy.
Paulie (Earth Unfortunately The USA Portion)
The Swiss seem to never be affected by a war; usually they profit, as did this Swiss insurance company.
Engineer (Salem, MA)
We seem to be in a new era in which nations (e.g. North Korea, Iran, China, and Russia) can conduct cyber warfare against Western targets with impunity. Obviously we cannot retaliate with air strikes or invasions, but the US and other Western nations need to figure out how to impose some sort of economic or diplomatic penalties in retaliation. As others have commented, the situation is compounded by the sheer incompetence of the IT departments at many large corporations. Maybe we need some sort of independent security auditing of major corporations... Then we as consumers and investors can decide whether we want to do business with or invest in a company.
Andy Hain (Carmel, CA)
In the days when corporate control changes instantly with Boards of Directors replacing CEOs at the drop of a hat, four- and six-year terms for Presidents and Senators seem wildly anachronistic. How long will the general public accept such malfeasance? There is simply too much to lose. Modern day corporations will eventually replace outmoded governments. Amazon, Google, Apple and how many others are already big enough to build their own cities, and have virtually done so. It's only a matter of time until size dictates that reality follows realization. Each will have to defend itself. Mutual aid pacts will be negotiated, and the government of the USA may end up as not much more than a cop with portfolio or a hired gun...
Frank Quigley (Fernandina Beach, Florida)
Cyber crime - per se - is broadly not insurable. Fortune 500 risk managers and CFOs do not believe they can find proper cover. I know this through direct conversation. Why? It's the complexity of the networked world in which their most important assets are vulnerable due to exposure through their vendors, their websites, their customer service portals and their own customers. Yet it is the state of play in all markets today. How can any company of any size immunize against direct attacks or attacks against infrastructure? Class action lawsuits by consumers and by investors are only a portion of the problem for today's executives. Who is responsible when the nation's infrastructure is at least partially crippled? What happens when a company's most valuable assets are either held away by such attacks, or actually destroyed by a direct attack (such as the SONY attack)? What will stand up in a court of law? It's untested and unproven. Is that the biggest problem corporations face in this environment? No. The issue is not insurance cover, it is all about corporate governance. If the cyber "Pearl Harbor" takes place it is a matter of resilience and which companies are prepared and can execute on quickest recovery. It's a matter of survival and the ensuing competitiveness, against rivals who may not be able to recover. That's the new reality and, uncomfortably, the truth.
Frank Quigley
Quigley was Publisher of Business Insurance magazine, CEO of CFO Publishing, and President at Thomson.
R.B. (San Francisco)
There is moral hazard in cyber insurance. Companies can just buy insurance instead of fortifying their networks. (How many more breaches of personal data are we going to tolerate?) Underwriters need to develop new tools to assess loss exposure. You can't blame insurance companies for protecting their solvency; it would be unfair to other policyholders not to contest claims that are clearly born from international politics.
Vanman (down state ill)
@R.B. So the Ponzi scheme of the insurance game is held accountable. Not a dry eye in the house. Between them and those insured, security measures must be implemented, and mechanisms put in place to control the bleeding. Premiums will rise, "who woulda known?" Many need to start paying attention. Larry Silverstein was covered for terrorist attacks to the tune of $3+B. Not sure what his premiums were, but the policy was only months old on 9/11. There are some things that shouldn't be allowed to scab over.
David Potenziani (Durham, NC)
Cyberwarfare is a mash-up of Carl Von Clausewitz and Ho Chi Minh. It is politics carried on by other means that seeks to find the one vulnerability that a weaker force can exploit. This form of guerrilla warfare is only getting worse, partly because the nations that originate the attacks are not held to account. These are not Trump's 400-pound hackers living in their parents' basements. Yet our government fails to effectively counter these attacks. As the authors of the article note, the paradox is that war is no longer a formal thing. The last time the US formally declared war was in the 1940s. So, avoiding the term and the formal semantics of war is not a new thing. In the meantime, corporations and insurance companies will struggle in court over who is to pay. The reality is that ultimately all of us will pay in higher costs for products and services, economic disruption, and even injury when vital systems go off-line. The cyberguerrillas are emboldened with every cycle of attack. The insurance companies are pointing the way, even with the basest of motives. The US needs to declare, formally, that we are being attacked and who the attackers are. No more hiding in the shadows, Vladimir.
John Harrington (On The Road)
This isn't war. It is a global industry wherein the so-called cyber security software companies make billions selling data security software that can't stop the theft and destruction of data. Of course, they know this. In fact, the security companies RELY on the hackers and attackers to help them carry out their business models. Were true cyber security to exist, the firewall, AV, endpoint and whatever else the cyber security industry sells would not be saleable. You wouldn't need it. Security would be baked into everything at the jump - as part of the deal. Therefore, billions would be lost in that failure of an industry. No other industry is allowed to get away with such a rate of failure. And without their hacker partners, they'd be finished.
Will Hogan (USA)
I would not buy a policy unless it covered cyber attack, cyber warfare, and any and all commercial damages related to any malware placed on any company or employee computers without written permission of the computer owner. Just make the insurance policy so explicit that the insurers cannot squirm out of it. Other insurers force construction clients to close the street under an elevated crane. Maybe insurers should require companies to use high quality cyberprotection software and mandatory employee training against cyber-mistakes before insurance is active, but they should not be able to weasel out of paying.
rich (nj)
"Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events." From Chris Keegan: "In our view, you really should not be referring to cyberinsurance at all in this article because the policies that are not paying these claims are traditional property insurance policies." From the description, Mondelez had a dedicated cyber policy. Perhaps Beecher Carlson should adopt a more client-friendly position.
Joel Ii (Blue Virginia)
The most sensitive industries such as banking and defense have not been compromised. Instead of following computer security industry best practices, many companies choose to expand and connect their systems on the cheap. Software service providers often get exploited by big corporations. They are given a very short deadline to submit a proposal - sometimes only 48 hours. It is insufficient time to understand all the requirements. So, the customer has the advantage to force the software company to comply with every requirement. Even large software providers like IBM are not immune to losing money on a project. For example, at defense companies, each facility has its own computer system with built-in firewalls that cannot be accessed from another facility. Access is granted only by engineers or system managers at both facilities establishing a 'trusted' link. These companies should not be reimbursed by their insurers. A contract is only valid when both parties have the same understanding of its terms and conditions. Trial verdicts should be a wake-up call to corporations to secure their systems; train their system managers; and stop abusing the business relationship with their software providers.
Democracy / Plutocracy (USA)
It will be interesting to see how this plays out. Regardless, every company should be ensuring that its policies explicitly cover cyber warfare, or they should be signing a new policy. In light of this particular case, perhaps everyone insuring with Zurich Insurance should get an explicit coverage addition, or cancel and go somewhere else.
Chris Keegan (New York)
Interesting article. In our view, you really should not be referring to cyberinsurance at all in this article because the policies that are not paying these claims are traditional property insurance policies. Cyber insurance underwriters who issue tailored cyber insurance (a separate type of insurance intended to protect against these risks) have paid claims in situations where nation states have attacked. The Sony breach is one example among others. What these companies are doing is claiming against a property insurance policy that was never intended to cover cyber risks. It's like making a claim on your homeowners policy for a car accident because you did not buy an auto policy. Many companies, like the ones in your article, have been offered cyber insurance but decided not to buy it, and now they are unhappy when other insurance policies they bought are not covering their loss.
bburson (SF)
@Chris Keegan I was wondering if it was business interruption insurance that was denied...? This article is a decent start but should be written with a risk manager's insight.
Will Hogan (USA)
@Chris Keegan Of course it was intended to cover cyberattack, since the insurance company allowed an explicit cyberattack clause to be added to the property insurance policy. Are you blaming the covered party for the decision of the insurer to allow this wording on the policy? Maybe if cyber insurance was needed, the insurer needed to inform the company that this was the case.
Chris Keegan (New York)
@Will Hogan. I think I will agree with you. Zurich provides cyber insurance policies and could have recommended that Mondelez buy one of them, which would have covered this type of NotPetya event. Mondelez decided to rely upon an addition to their property policy without really making it fully comprehensive. My guess is that Mondelez knew of the existence of cyber insurance policies but did not want to pay the additional premium. Zurich's property underwriters wanted to keep a client happy and added cyber wording to their property policy without broadly understanding the consequences. Now that an unexpected claim has occurred, Zurich property underwriters have seized on a war exclusion. I suspect that Mondelez may actually get the benefit of the insurance because the difficulties in proving that Russia is behind the attack are significant. If that is so, the premise behind the article that they did not get the benefit of the insurance bargain will turn out not to be true. However, any insurance policy worth its premium should pay without the need for litigation, and so insurers should be clear when they are extending their non-cyber insurance policies to cover cyber risks. Sophisticated companies like Mondelez might want to be wary of the bolt-on solution when a more expensive dedicated solution is available.
James Wallis Martin (Christchurch, New Zealand)
The insurance company will lose the 'war' argument, for it is quite obvious that in order to qualify as a war, there would have to be at least two sides to the conflict over a third target or asset. The US and Russia are not officially at war; Switzerland and Russia are not officially at war. The 'war' has to be an officially recognised, if not legally declared, war. Rather, this is the standard operating tactic of insurance to delay payment for as long as possible, like they did in paying the Christchurch council the money they were insured for by almost six years from the quakes. They took the delay to earn the money on investments and only paid the original claims, not the cost of money the council had to borrow, which has resulted in higher property rates for all of us. The laws need to be changed so that all interest earned from the day an insurance claim is made until it is paid out needs to be pegged to the derivatives and stock index in terms of interest paid to the insurance holder. This would end this kind of delay tactic and attempt to negotiate a reduced insurance claim payment.
PerAxel (Virginia)
I think it is about time some case law be generated, and then it will move through the judicial system to where at least the language is completely understood. And then everyone will be on the same playing field. The law is made from words. And without a clear understanding of those words, your message is not likely to be understood. Thank God Trump is not a lawyer; he can barely understand 8th grade English.
r a (Toronto)
Typical insurance behavior. They don't have any objections to taking your premiums. But if it comes to them paying out, send in the legal team. Insurance does not buy peace of mind. It just means that instead of worrying about a disaster you can instead worry about how you will have to haggle with the insurer after the disaster.
Will Hogan (USA)
@r a Just the rich taking in money by any means possible, regardless of morality, using every grey area to delay and deny seemingly legitimate claims, because they can. But the rich need not do this, because the cyber machine singularity will soon take it all anyway. Ha!
CPlayer (Greenbank, WA)
@r a An alternative that actually works is mutual insurance, where the company is owned by members. Premiums are set to cover losses and build reserves, not enrich shareholders. The beauty part is the company runs a loss department that provides members with real techniques to reduce risk.
Ma (Atl)
@r a The question is what was the company insured for - fire, product loss, civil suits, ... what? If it was an overall policy against any kind of loss (doubtful) then all they have to do is prove that they provided substantial protection against cyber attacks that may impact the bottom line. That too seems doubtful. Otherwise, insurance is about specific coverage where the insurer moves to mitigate its risk, and the company moves to mitigate its costs. Bankruptcy laws as well as insurance rules need to be reconsidered these days when unknown criminals from anywhere on the globe can destroy you overnight. Not the responsibility of insurance alone.
WJF (London)
Perhaps these cases will illuminate what can actually be legally proven at law as opposed to what a government might "assess". Loose language by legislators should not carry weight in a court of law unless there is ballast beyond a government assessment. Of course a civil case requires only a preponderance of the evidence as perceived by the trier of fact, whether the bench or a jury. It is ironic that some are saying the courts must get it right whereas the insurance companies ought to be getting it right in advance of selling the insurance. Insurance coverage is not supposed to be based on a subsequent court action. Discovery in these cases may shed some light on the deliberations of relevant insurance companies since the first serious cybersecurity case.
Rich O (Maine)
A "war" on an Oreos distributor? Sounds more like a crime to me.
CA Native (California)
@Rich O -- Not saying I agree with the insurers, but in their model, a cookie company's computers being hit as "collateral damage" in a cyber attack targeting another business is analogous to your car getting destroyed because a terrorist blew up the building you parked next to.
Will Hogan (USA)
@CA Native Clearly an act of God; since God controls all in heaven and earth, everything is by definition an act of God. Ha!
AM (New Hampshire)
Excellent article. Ariel Levite's expressed fear "that cyberinsurance in the future will be worthless" is overblown. Insurance is the spreading of known risk broadly and efficiently throughout the economy. So much is not yet known about cyber risk. Expansive, poorly defined coverage will cost all of us, like asbestos and environmental exposures did. It is important for courts to get this right, so that "cyberinsurance in the future" can actually be drafted to cover that which is reasonably negotiated by the interested parties. The question of "war" is a legitimate context. The issues of drafting (and rating) policies in the US in the face of the dramatic (and often highly unpredictable) costs and effects of war go back to cases following the Civil War. The Lebanese case referred to in your article (wrongly decided, by the way) made a critical point of the involvement of State actors in the events in question, and even to a degree their particular motivations. Thus, the issues on cyber risks could easily depend, for example, on evidence of mischief committed by a private hacker, or of a premeditated attack by a sovereign entity for political purposes. It has often been said that the next war will not be fought with tanks and bombs but with computers and viruses. These realities creep up on us in many areas: business, including insurance, is one of them.
Trump's A Buffoon (On The Road, USA)
@AM Excellent commentary. I composed personal lines policies for several national insurers. While I am clearly not experienced in cyberinsurance, I do know that the exclusions have to be clear and unambiguous. If I recall correctly, the exclusions "war" and "terrorism" are generally defined. But those standard definitions might not apply to the Mondelez losses; nor would they likely apply in any policy if the objective was ransom. I suspect that the underwriters have not been nearly as tedious in the policies' composition so as to solely insure the risk they thought they were insuring. But at least the policies were not written on the back of a napkin, a la WTC, 9/11/2001.
Shan (NYC)
Similar to not relying on cyberinsurance when things go awry, the field as a whole is in an interesting shape where on one hand there is a dearth of skilled employees (1 million globally supposedly, according to reports), and on the other hand companies do not want to train IT workers with the necessary cybersecurity skillsets to fill the gap, and in turn rely less and less on the red herring of cyberinsurance. Talking to my colleagues who are looking to break in, even after taking training/seminars, which can be quite pricey, employers will tend to hire for junior roles at best.