Date: 21 September 2023
Why was Merck’s battle and subsequent win against its insurer in the $1.4 billion cyber insurance battle such big news? Was it because cyber insurance claims never get rejected? Absolutely not. It made news because it’s not often that an insurance company rejects a cyber claim and the client wins a hefty payout after a long-drawn court battle. The reality is that cyber insurance is becoming increasingly sought-after, expensive and complicated for the indemnifier and the indemnified both. It’s also not unusual for cyber insurance claims to get rejected. This is usually either on account of exclusions or poor cyber security hygiene on the part of the insured.
Let’s sample a few statistics that illustrate this point better:
- The cost of Cyber Insurance in the 2nd quarter of 2022 rose to 79% in the US and 68% in the UK as per this report.
- 81% of cyber insurance claims were caused by Ransomware Attacks in 2022-2033 as per some estimates.
- These estimates also suggest that around 27% of cyber insurance claims were not honoured or were partially paid due to exclusions within the cyber cover.
What the above few snippets of information illustrate is that Cyber Security Insurance is:
- Getting increasingly expensive because of the rise in number and cost of cyber-attacks and data breaches.
- Insurance companies are becoming increasingly stringent in providing cyber insurance covers and honouring claims.
- Indemnifying loss due to a cyber event or security breach is complicated and this landscape is going to become even more complex in the next few years.
So what can you do about it? How do you get insured at a cost that doesn’t break the bank? What fineprint should you pay attention to?
How can you try to get the best possible premiums? And is there hope that if you’re attacked your claim won’t be rejected?
Let’s answer these questions in a little more detail in the next two sections.
Why Your Cyber Insurance Claim Might Get Rejected?
There are plenty of reasons why your cyber insurance claim might get rejected and the most rudimentary of these is the inclusions in your policy. There could be certain clauses that the insurer doesn’t cover from the outset. Therefore, it is imperative to read and vet the policy document thoroughly with the help of cybersecurity advisors before signing on the dotted line.
In the case of the NotPetya attacks, global snack giant and owner of Oreo biscuits, Mondelez claimed $100 million from Zurich American Insurance Company and Merck claimed $1.4 billion from Ace American Insurance co. It’s important to note here that both organisations had ‘property insurance’ policies but cyber-attacks can and did cause physical damage to properties in this attack. Both companies’ claims were rejected by the insurers citing the ‘war exclusion’ clause in the policies.
Merck won the lawsuit as the New Jersey Superior court said that the damage caused by NotPetya wasn’t precisely an act of war - both countries weren’t actually at war then and no armed soldiers were involved. Mondelez, on the other hand, reached a private settlement with Zurich American Insurance.
The point here is that cyber insurance isn’t what it used to be in 2017 when NotPetya wreaked havoc across the world. It has developed rapidly and is no longer a filler in the product offerings of insurance companies.
Massive cyber disasters, expensive ransomware attacks and cases such as Merck have made underwriters become more cautious and has propelled insurers to tweak their terms and conditions in keeping with a volatile environment.
Several cyber insurers such as Lloyd’s of London have announced that their cyber insurance policies will no longer cover cyber events caused as a result of war or by nation-state actors. While this announcement is understandable from a business perspective, where does it leave an SMB who may be attacked by nation-state actors merely to steal sensitive customer data or cause disruption to business operations to make a point?
Cyber Insurers are scrutinising cybersecurity policies more strictly than ever and then there are clauses such as exclusions on attacks by nation state actors. This is why achieving cyber resilience has to become more affordable and accessible to businesses of all sizes - not just for being insured but for better overall protection. This was the primary vision behind Cyber Management Alliance's game changing Virtual Cyber Assistant service - making cyber resilience accessible to all businesses.
Here’s a look at some of the other reasons why your cyber claim may not be honoured:
- Inadequate Documentation
One of the primary reasons for rejected cyber insurance claims is inadequate documentation. Insurers require detailed evidence to support your claim and this must be submitted to them within the stipulated timelines. This includes records of the cyber incident, the steps taken to mitigate damages, and any expenses incurred.
Failing to provide comprehensive documentation can lead to claim denial. Hence, it’s imperative that you have a proper cyber incident response strategy in place. This includes all the actions and documentation you need to get in order as soon as you have been attacked.
- Poor Cyber Hygiene
If your organisation has not implemented reasonable cybersecurity measures, your claim can easily be rejected. Insurers often expect policyholders to adhere to specific security protocols and best practices. In case of an attack, if the insurer is able to attribute the compromise to your organisation’s negligence in implementing basic cybersecurity protocols and controls, you may not get paid.
- Pre-existing Vulnerabilities
Claims may also be denied if the insurer discovers pre-existing vulnerabilities that were not disclosed during policy issuance. It is crucial to be transparent about your organisation's cybersecurity posture at the time of taking the policy to avoid rejection.
- Policy Exclusions
Examine your policy carefully to understand the exclusions and ensure it covers the costs of your predominant threats and risks. Certain types of cyber incidents, such as those stemming from nation-state actors, as discussed above, may be excluded from coverage. Familiarise yourself with these exclusions to manage your expectations.
- Claims Fraud
Attempting to exaggerate or falsify a cyber incident can result in not only a rejected claim but also legal consequences.
- Navigating the Claims Process
When faced with a cyber incident, it's crucial to understand the claims process thoroughly. Engage with your insurer early, provide complete documentation, and cooperate with their investigation. A proactive approach can improve your chances of a successful claim. You may want to enlist services of a Cyber Incident Response retainer to help you manage the impact of the attack and also assist you with the claims process.
What Can You Do to Minimise the Chances of Rejected Cyber Claims?
There are a variety of steps you can take today to hopefully negotiate better cyber insurance premiums and minimise your chances of rejected cyber claims.
The foremost of these is maintaining good cybersecurity hygiene and protecting your business from reputational damage in case of an attack. Basic steps like updating and patching your systems, implementing strong security controls and having solid Incident Response Playbooks and Ransomware Response Guides are almost mandatory.
Human error is amongst the biggest causes of cyber attacks. Therefore, regular cybersecurity training and cybersecurity drills that help rehearse response to attacks is essential.
Our experts at Cyber Management Alliance have also created this comprehensive checklist of all the things you can do to negotiate a better cyber insurance premium. Embracing these steps and implementing them with agility can result in lesser chances of your claim being rejected in case of an attack.
Download this list today and make it a priority item in your business meetings. As we’ve seen through the cases discussed earlier, the omnipresence and high cost of cyber threats makes Cyber Insurance a business priority that simply cannot be ignored.
In addition, our Virtual Cyber Assistants can help you improve your cyber security posture over time at a budget and pace that suits your business. They can help you get all your cybersecurity documentation in order, implement an effective cybersecurity framework, assess your existing cyber health and assist you in achieving compliance with relevant regulatory standards and regulations.
Conclusion
Understanding why cyber insurance claims get rejected is crucial for businesses seeking financial protection in an increasingly digital world. By addressing common pitfalls, complying with security measures, and being transparent with insurers, you can enhance your chances of not only negotiating a lower cyber premium but also of having your claim honoured. Remember, cybersecurity should not be an afterthought; it should be an integral part of your business strategy and careful evaluation of your Cyber Insurance policy is a critical part of this strategy.
