Brian Jackson - stock.adobe.com

Why investment is needed in the cyber insurance market

The number of cyber insurance policies on offer is beginning to grow, but insurers still have a long way to go to develop policies that address market concerns

There has been a significant and important increase in the number of companies, both large and small, deciding to seriously invest in cyber security services over the past few years. However, certain areas of the cyber industry still need development to help companies be fully cyber prepared.

This is most evident when businesses experience a cyber incident and lack clarity on how to proceed with recovering any financial or commercial losses resulting from the incident. 

This grey area has meant that companies are using their standard commercial policies when claiming for damages that have resulted from a cyber incident. However, because these policies do not specifically exclude cyber matters, this process has been dubbed “silent cyber”.

While insurers are missing out on a considerable business market and will look to stop silent cyber, companies that use these commercial policies may also be putting themselves at risk of a complicated claims process that may be ultimately rejected. As such, businesses and insurance firms must work together to develop the cyber insurance market

The complexity of silent cyber

Insurance policies can be a lifeline for companies when unexpected events or issues occur, that lead to significant damage or loss to the company in some capacity or another. Standard insurance policies can cover several categories, including public liability and property. Yet when a cyber attack on a business damages property or stops business operations, it is unclear whether a company’s business insurance policy will cover the resulting claim. 

This lack of clarity has come to a head in the Mondelez vs Zurich legal battle currently taking place. Insurance firm Zurich is refusing to pay out a $100m claim from food conglomerate Mondelez following a cyber attack. The 2017 NotPetya malware attack harmed several global businesses, including Mondelez, Saint-Gobin and AP Moller-Maersk, causing mass outages and breakdowns in business operations. 

Under its property insurance policy with Zurich, Mondelez believed it was covered for “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”. However, suspected Russian government involvement in the cyber attack has led Zurich to dispute Mondelez’s claim under the exclusion of “hostile or warlike action in time of peace or war”. 

Both companies are suffering through this laborious and extremely costly process and it is crucial that companies and insurance firms work together to solve the silent cyber issue before it leads to similar scenarios in future.

Read more about cyber insurance

Insurance firms worldwide must first shut down this silent cyber loophole before they can capitalise on the new and developing market of cyber insurance. Not only are insurers missing out on the chance to earn more cash from clients, but silent cyber may force firms into entering lengthy and expensive legal battles with their clients over disputed claims. 

On the other hand, companies will question why they cannot use their current commercial business insurance policy if there are no explicit terms excluding cyber incidents. An insurance policy is a costly necessity for running a business, and companies will wonder why there is such ambiguity in a commercial policy around cyber issues – a matter that is becoming more frequent in the business world. 

Until this grey area is addressed by insurance firms, companies will continue to use silent cyber. However, this may prove detrimental to them because they may encounter a crackdown from insurance firms on such claims. It is up to insurers to decide how to act, either by explicitly excluding cyber from commercial business policies or investing in the cyber insurance policy space. 

Next steps for the cyber insurance market 

The number of cyber-centric insurance policies on offer is beginning to increase, but insurers still have a long way to go to develop policies that address concerns that they are untested and have been rushed to market. While cyber policies are rising in popularity, coinciding with serious investment in cyber security defences across a range of businesses and industries, the fast-paced developments in the cyber industry will make it harder for insurers to keep their policies up to date and ensure they are not lagging behind. 

Insurance firms working together with companies is the solution that can address these concerns. This must begin with the insurance firm participating in a full-scale evaluation of its client’s cyber security. It is crucial that insurers know the company’s level of cyber maturity and the threat landscape.

After this, insurers can then create a bespoke cyber policy based on the assessment and the company’s needs. This will help insurers to develop the cyber insurance market with robust policies, as well as allow companies to feel reassured that they are thoroughly covered for any cyber situation. 

As this partnership between insurers and clients develops, silent cyber will soon decrease as both parties choose better deals. Insurers will be able to access a whole new market and companies will be able to have personalised policies to cover any cyber-related claims.

Next Steps

Google forms cyber insurance pact with Allianz, Munich Re

Read more on IT risk management