Cyber Insurance

Cyber Insurance is a relatively new form of insurance to protect against cyber threats.  Because this is a new form of insurance, it is important to understand what you are purchasing.  It seems that not many business owners like reading insurance policies (which is understandable).

There is a large court case pending between Zurich International and US food company Mondelez International.  Mondelez International experienced a cyber incident, which allegedly cost them $190 million in losses.  According to Doug Olenick of SC Magazine, “Mondelez placed a claim with its insurance provider, Zurich America, based on a clause in its contract that stated it was covered for ‘all risks of physical loss or damage’ to property, including ‘physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.’  Along with any loss or expenses incurred by the company for the period its business was interrupted.”

Doug went on to say that “Zurich eventually declined to make a payment, citing an exception to coverage because NotPetya was a ‘hostile or warlike action’ by a ‘government or sovereign power.’  So, Mondelez countered with a $100 million lawsuit.”  This placed the burden of proof on Zurich.  They must now prove that the incident was a “hostile or warlike action” by a “government or sovereign power,” which is an exception on their cyber-policy.

A few more words of caution when looking at cyber-insurance.  Insurance companies are now requiring their clients to complete questionnaires when applying for coverage.  Like all legal documents, it is critical that these questionnaires be answered to the best of your knowledge.  Many clients are calling us for assistance with completing the questionnaires.  The purpose of the questionnaire is for the insurance company to understand the risk they are insuring against.  From my perspective, because this is a relatively new type of coverage, I’ve not seen any company denied coverage or have its rate significantly change based on the result of the questionnaire.  I have seen language in policies stating that the information you are attesting to is true and accurate, though.  So, if a company provides false information and there is a coverage question, I would not be surprised to see the claim denied.  This would put the burden of proof on the client to prove that they have the controls in place to protect against the threat.

If you cannot affirmatively answer a question, most questionnaires will have an area for additional information on what your plan is to meet the requirement.


Posted by Jack Gerbs