The number of ransomware attacks skyrocketed during the past two years, and extortion demands did, too. Over the first half of this year, there was a 151% increase in ransom demands over the previous year, as revealed by Threatpost.
As many know, those figures have risen, which means the cyber insurance industry profitability is declining. Purchasing and updating your cyber insurance policies regularly, checking for exclusions are innovative steps when renewing or shopping for cyber insurance. Cyber insurance exclusion clauses in an insurance policy may include:
Third-Party Bodily Injury and Property Damage
Because General Liability covers claims for bodily injury and property damage, there is no coverage for these within a Cyber policy. There may be first-party coverage for damage to systems caused by a cyber attack though.
Acts of war
Fierce wars, terrorist acts, and anarchist uprisings often fall under an act of war exclusion in the traditional insurance policy. However, cyber insurance claims can involve civilized states attacking U.S.-based companies and holding data and financial operations hostage in exchange for significant financial compensation. Is that an act of war?
A New Jersey Superior Court judge recently granted coverage in an act of war exclusions lawsuit. The cyberattack of 2017, known as the NotPetya attack, was responsible for damages of nearly $1.4 billion to pharmaceutical giant Merck Pharmaceurticals, which filed a claim for reimbursement with its insurer. The insurer, stating the acts of war exclusion denied the claim, so Merck sued them in January 2022. The court ruled in Merck's favor and held that acts of war exclusion must not be applied to cyberwar. The insurer settled in an out of court agreement with Merck. This may cause insurers to be more specific in exclusions in the future.
Failure to maintain standards
Your company's risk management should have active processes and controls to minimize cybersecurity risks. Insurance organizations want to know about them and that these policies are working. Upon application, insurers may doe a security check of your webiste and require answers to detailed questions concerning your company’s protocols and security safeguards that are in place to adequately underwriting and price the policy. This exclusion allows the insurer to deny claims if your cyber security programs are not updated to the latest release and in compliance with known cybersecurity best practices.
PCI fines and assessments
The Payment Card Industry Security Council, a representative body of many credit card companies like Visa and Mastercard, may assess the fines and penalties imposed due to credit card breaches when the required security standards are not met by your company. These fines can be high. Many insurers cover these fines but others may set restrictions on coverage, so review your policy carefully to make sure this coverage is included.
The credit card industry has an extensive and complex cyber security requirements which must be met.
Prior events occuring before the policy inception or the retroactive date on a claims made Cyber policy are excluded. This exclusion can be significant in cyber insurance because breaches are only sometimes identified long after they happen. The average time to detect and contain a breach is 287 days, as reported in an IBM report.
Your company should formulate a proactive cyber security policy that is distributed within the company that outlines the response to be taken and each staff members’ responsibility when an attack occurs. If switching insurance carriers, you should purchase an extended discovery period that provides an extension to report claims that may have happened before the start of a new policy. Alternatively, request a retroactive date that matches the retroactive date on your prior policy on the brand-new insurance policy.
Cyberattacks are on the upswing, and a ransomware attack or data breach can be quite costly. When negotiating your cyber insurance policy, note the specific exclusions to avoid undesirable financial losses.