We have been trained by the insurance industry that you buy insurance and if you have an event, you make a claim and get paid.
For the most part, with your auto insurance or your homeowners insurance, that is the way it works.
Rarely, but sometimes, you discover that you don’t have the right coverage (like not having flood insurance in New Orleans or not having earthquake insurance in California).
Insurance companies carve out exceptions to coverage to limit their liability and they would say, to make insurance more affordable.
But when it comes to cyber insurance, it is kind of like walking through a mine field with no mine detectors or maps.
AIG is being sued by a customer in New York because the client was suckered in by a series of business email compromise attacks where the customer lost almost $6 million.
AIG’s defense is that their policy doesn’t cover dishonest, fraudulent or criminal acts.
Isn’t that what most cyber insurance is designed to cover – crime?
AIG did provide legal fee coverage when their client was sued by its own client for losing its money. That was covered until they figured out that this was related to crime. But getting their $6 million back – that is not covered.
They say the language of the policy is:
alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission or any knowing or intentional violation of the law…
Since we don’t have a copy of the actual insurance policy, so we don’t know if this is really a cyber risk policy or something else.
In another case, Zurich Insurance is refusing to reimburse Mondelez for costs related to the NotPetya attack a few years ago. Mondelez, the company that owns Oreos, Ritz, Tang and many other brands, lost over $100 million as a result of the attack.
In the Mondelez case, they are trying to use an “all-risk property insurance policy” because, they say, NotPetya resulted in the failure of the Insured’s electronic data processing equipment.
In this case, Zurich says that they won’t pay [probably ‘cuz a hundred million dollars is a lot of money] because there is an exclusion for hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].
It appears – but I can’t be certain – that in both of these cases, the companies didn’t have legitimate cyber risk insurance but rather were trying to claim coverage under other policies that might have some possible overlap.
That being said, cyber risk policies in almost every state are non-standard form policies meaning that the state insurance department doesn’t approve the language of the policy.
Cyber risk policies are also considered “excess-lines” insurance in most states with a big warning about that in the front of the policy. This means that you cannot file a complaint with the state insurance commissioner if you don’t like how the insurance company is operating.
So does this mean that cyber insurance is worthless?
Not in my opinion.
It does mean that you should not try to claim coverage if you don’t have a cyber risk policy, although, I guess, you can try.
Most insurance companies will not pay cyber claims under other policies. Their actuarial data just doesn’t allow for that.
I am not sure what to do about AIG’s claim that their policy doesn’t cover fraudulent or criminal actions. Isn’t that a major reason why you buy insurance. That seems kind of like if you had auto insurance and your car was stolen, the insurance company says we don’t cover it if someone steals your car. BUT, if, for example, all you bought was liability insurance, then you really don’t have the right coverage and they won’t pay for your stolen car.
When it comes to lack of coverage due to hostile or war-like actions, well that is pretty nebulous. I would say almost all hacking is hostile. Is it done by a government or government agent? Maybe, but much hacking is done by governments.
I have worked with clients to get insurers to remove, restate or restrict that war-like nonsense.
What does all this say? When you buy cyber risk insurance – and I think you should do that – you need to have an expert on your side. One you doesn’t earn a commission from writing the policy.
You also need a broker who understands cyber risk insurance. One question I always tell clients to ask their broker is how many millions of dollars of cyber risk insurance like the type we are looking for did you write last year. Or how many policies did you write. And do not let them include general liability that has a useless cyber rider.
If they wrote 1,000 or 5,000 policies last year and wrote 20 cyber policies, how much of an expert do you think they are about those 20 policies.
Their world revolves around commissions. If they made $1,000 in commission from cyber policies and $100,000 from other insurance, where do you think their attention is going to be.
Get the right policy from the right broker underwritten by the right insurer.
P.S., if you need help, contact us and we will connect you with some great brokers.