The number of ransomware attacks soared over the past two years, and ransom demands did as well. In fact, the first half of this year saw a 151% increase in ransom demands over the previous year, according to Threatpost. For the same time period, Palo Alto Networks reports that the average ransom payment increased 82% to $570,000. At least one company has reportedly paid as much as $40 million in ransom.
With those escalating numbers, the cyber insurance industry has taken a hit. Now, as you may be keenly aware, insurers have increased premiums, increased deductibles, and decreased coverage. When renewing or shopping for cyber insurance, you need to understand what your cyber policies cover — and what they don’t cover, known as exclusions.
Common exclusion clauses in a cyber insurance policy include acts of war, failure to maintain standards, payment card industry (PCI) fines and assessments, and prior acts.
Acts of war
War, terrorism, and insurrection typically fall under an acts of war exclusion in a traditional insurance policy. However, a cyber insurance claim can involve nation-states launching hostile attacks on U.S.-based companies and holding data and business operations hostage in exchange for large payouts. But is that an act of war?
A New Jersey Superior Court judge recently ruled on an acts of war exclusion lawsuit. The case involved the 2017 Russian cyberattack on Ukraine, known as the NotPetya attack, which also impacted U.S. businesses including pharmaceutical giant Merck & Co. Merck claimed it incurred $1.4 billion in damages and filed a claim with its insurer. The insurer denied coverage based on the acts of war exclusion, so Merck sued. In January 2022, the judge ruled that the insurer could not invoke the acts of war exclusion because the language in the policy applies to traditional forms of warfare, not a cyberattack, and that the insurer must pay Merck’s claim.
Similarly, Mondelez International filed a lawsuit against its insurer for denying its claim of over $100 million arising from the same NotPetya cyberattack. That case is ongoing.
Failure to maintain standards
Your company should have procedures and controls in place to protect against cyberattacks, and insurers want to know these protections are actually in use. When you apply, insurers may require you to answer questions about your cyber risks and controls so they can adequately underwrite the policy. A failure to maintain standards exclusion allows the insurer to deny claims if your company doesn’t keep up the security standards it attested to, or doesn’t follow best practices, during the coverage period.
The language of a “failure to maintain standards” exclusion varies widely. Ask the insurer to remove any ambiguous language from the cyber policy so that the required standards are clear. Does the insurer require basic controls like encryption or multifactor authentication? Are there specific regulatory obligations you must comply with? Does the insurer require periodic training, testing, or technology upgrades during the policy period? Knowing the answers to these and similar questions before an incident helps ensure that you won’t be denied coverage following a cyberattack or breach.
PCI fines and assessments
After a breach, fines and penalties can be assessed against your company by the payment card brands, such as Visa and Mastercard — and the fines can be costly. Most insurers place some restrictions on this coverage, so it’s important to carefully review your policy for adequate limits and deductibles. If your company is subject to PCI fines or penalties and the exclusion applies, the result can be a hefty uninsured loss.
As a real-world example, a national restaurant chain experienced a data breach in which cybercriminals obtained 60,000 customer credit card numbers and posted them on the internet. Mastercard imposed three assessments on the restaurant chain’s credit card processor: $1.7 million for fraud recovery, $163,123 for operational reimbursement, and $50,000 for a case management fee. The restaurant chain paid the assessments and made a claim to its insurer, but the insurer denied coverage. The restaurant chain filed a lawsuit, and the court dismissed all claims based on the language of the exclusions. The restaurant chain received no coverage for any of the assessment amounts.
As that court ruling shows, PCI fines and assessments exclusions should be carefully reviewed and negotiated in your cyber policy.
Prior acts
A prior acts exclusion prevents a claim for activity that happened before the policy’s retroactive date or its first day of coverage. This exclusion can be especially important in cyber insurance because breaches aren’t always detected until long after they first occur. In fact, the average time to detect and contain a breach is 287 days, according to an IBM report.
Your company should take proactive steps to make sure the cyber policy covers any possible breach. When changing insurers, you may want to buy an extended discovery period that provides additional coverage for claims arising from incidents that began under the previous policy. Or you may want to negotiate a retroactive date that precedes the start of the new policy.
Cyberattacks are on the rise, and the price of a ransomware attack or data breach can be steep. Pay close attention to the exclusions when negotiating your cyber insurance policy to ensure that you won’t suffer greater losses than expected when filing a claim.
Don’t want to go at it alone? Working with a managed detection and response (MDR) provider can help you maintain cybersecurity standards that cyber insurers require and be your partner in case of an incident.