All eyes are on a landmark ruling, as calls are made for customisation, writes Sarah Rundell.
Back in 2017, staff at US food group Mondelez watched helplessly as Russian malware blacked out their servers and computers. As the company struggled in the following weeks to replace equipment and rebuild the supply and distribution systems it needed to fill orders for its Cadbury’s, Milka and Toblerone brands, it counted its blessings that it was insured. Yet its policy with Zurich, which covered damage and losses to Mondelez property from a cyberattack, may fall short.
Invoking a policy exclusion for hostile or war-like action, Zurich is refusing to pay the US$100mn claim. The insurer argues that the NotPetya attack came from Russian hackers targeting the Ukrainian government. NotPetya presented itself as ransomware, encrypting victims’ disks and demanding payment in Bitcoin, but it was built so that paying could not recover the data, and it spread far beyond Ukraine. In response, Mondelez is suing Zurich. The case, still ongoing, promises to be an important milestone for the evolving cyber insurance market.
It strikes at the heart of one of that market’s biggest challenges. Many companies assume they are covered for cyber risk under their non-cyber policies: that a crime policy, say, will pay for electronic theft. Yet those policies were not written with cyber exposures in mind and often do not pay out.
Fresh doubts about what is and isn’t covered are prompting a shake-up in the industry. On one hand, they are leading companies to tighten up their policies, checking whether their property, crime, political risk or professional indemnity policies (the ones that tend to overlap most with cyber) have evolved enough to cover cyber risk, or whether the cyber element should be carved out and assigned to a separate cyber policy.
It involves careful analysis, explains Rob Smart, technical director and head of research at Mactavish, a consultancy specialising in insurance governance. “If companies reduce their cover, they need to be sure where their cyber exposures lie, what their existing programmes cover and what they haven’t got covered,” he says.
On the other, companies are checking whether their cyber policies can flex to extend cover, a trend under which cyber insurance is beginning, for the first time, to cover tangible as well as intangible risk. Drawing on the example of a shipping company losing cargo to a hack of its GPS system, Sarah Stephens, cyber, media and technology practice leader at Marsh JLT Specialty, argues that cyber insurance is now starting to cover these types of tangibles. “At the moment cyber typically covers business interruption costs or the cost of rebuilding systems after a data breach. What cyber insurance hasn’t really covered is physical losses caused by a cyber incident, but this is the next evolution and there is already some appetite.”
Momentum is also coming from the industry. In a push for clarity, Lloyd’s is requiring all insurance policies to state how they treat cyber exposures. “Lloyd’s is mandating that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage,” the market states. “To support the market in making the necessary changes, this requirement will be implemented using a phased approach.” In the first phase, from January 2020, all underwriters must state whether first-party property damage policies affirm or exclude cyber cover.
But adjusting existing policies to meet the Lloyd’s deadline has raised concerns that cover could fall through the cracks. “There are a number of draft exclusions in property policies where we are afraid insurers may cut out losses,” says Stephens. “We are working closely to help find better approaches that don’t lead to gaps for our clients.” She points to the stock transit market where goods are stored in warehouses en route to their destination as one example. Given that warehouse and inventory management systems are all computerised, some insurers are shying away from offering property cover here, she says. “We have seen draft mandates that say ‘because we have to clarify cyber coverage, the policy doesn’t respond to anything that is directly or indirectly related to a computer’. It could leave clients with a major gap.”
Given how deeply technology is now embedded in every corner of a business, a wording that broad would mean the only policy corporates need to buy in future is cyber cover, an outcome she says is, of course, unlikely.
Instead the answer is tailor-made cyber cover. Cyber cover is often sold as one-size-fits-all, but it needs to adapt to the particular risks each company faces. A retailer’s cyber risk lies in compromised payment card records and the ensuing fines, compensation claims and reputational loss. For others, cyber risk shows up in their ability to deliver services and in the cost of business interruption. Corporates need to understand where their particular risk lies, take an off-the-shelf product and adapt it to their needs, says Smart. “Our problem is that this doesn’t take place very often. This is why there are disputes when things go wrong: exposures need to be explained and products need tailoring.”
Tailoring requires the next step in the market’s evolution. Cyber insurance first emerged as cover for e-commerce businesses. From there it evolved to cover data breaches and their aftermath as regulators began to fine firms that violated new privacy laws. “GDPR has brought much more enforcement and the downside is much greater,” says Stephens. “It’s not just about insurance policies responding if a company loses customer information. Insurance also covers companies’ correct collection and deleting of information.” In the latest manifestation she notes a shift back to coverage focused on business continuity and disruption as cyberattacks worsen. Incidents like WannaCry, the ransomware that spread between Windows machines through an SMB vulnerability, and NotPetya, which used the same exploit to move laterally across networks, have given big firms that thought they were covered a new perspective on risk.
Once more companies take out cyber insurance, tailoring will grow, particularly where take-up is sector-wide, which helps build customisation and common definitions within an industry. “An industry approach gets you 80% there; the last 20% is then tailored to the particular organisation,” says Stephens.
In a recent initiative, Marsh and Beazley have tailored cyber insurance for manufacturing clients with a focus on industrial control systems rather than payment card breaches. The challenge here is that take-up of cyber insurance is low in some industries, notably industrial sectors such as manufacturing, energy and mining, which have not had to deal with privacy regulation.
In many ways experts welcome the landmark Mondelez vs Zurich case. Unlike other classes of corporate insurance, cyber policies have not been tested, because the product is new and claims are few. The sector will only become robust once more claims go through and the wording becomes less ambiguous in response to real-life circumstances. “To date cyber insurance hasn’t really been tested by the law and the risk is changing all the time,” says Smart. “Long-term we will end up with different types of exclusion for cyber which are more sensibly crafted.”
Other factors are also holding the industry back. NotPetya hit a swathe of companies across sectors and geographies that had no obvious connection to one another; it spread through a compromised update to the Ukrainian tax-accounting software M.E.Doc and then moved laterally inside the networks it reached. Shared hosting and cloud providers, or a shared payroll service provider, are typical of the dependencies that can link seemingly unconnected insureds. Yet modelling that concentration of risk across a large book is difficult, because a shared dependency does not show up in any single policy’s exposure; it only aggregates when the portfolio is viewed by common supplier.
Wary insurers are now asking corporate clients for more details. Information on outsourced service providers is now mandatory, and insurers increasingly use third-party security-rating firms to score corporate clients and to find the exposures they hold in common, such as a shared dependency on Amazon or Microsoft. In some cases, this is leading to a more conservative approach.
In most insurance products, US$50-100mn from a single insurer is a typical line size. Yet in cyber insurance it is “rare” to see one insurer put more than US$20-40mn into any one risk. That has created a capacity constraint in the market which is a barrier for brokers, says Stephens. “We currently have some entities who would like to buy a billion dollars of cyber insurance but it’s not available yet. There’s just not enough actuarial certainty that such a large exposure would be a good bet.” However, she notes that the market is adjusting as more insurers expand their reinsurance capacity and look to reinsure their exposure via separate, dedicated cyber treaties. “In the US the insurers that write a lot of cyber risk now have dedicated cyber treaties. It will start to change in the European market too,” she predicts.
The hope is that new clarity and policies tailored to cyber will give corporates the confidence that cyber insurance will pay out. It is a young line of business, around for only about 20 years, without a long performance history. Moreover, many executives have a poor understanding of cyber risk themselves. Encouragingly, Stephens recently saw one management team “do a 180” once they understood cyber could be customised. “They reduced their property insurance limit to buy more cyber cover. They’d come to the conclusion that their intangible risk was more dangerous than tangible risk,” she concludes.