November 15, 2022 | Policy Brief

Cyber Insurance Settlements Leave Big Questions Unresolved

Major snack distributor Mondelez reached a settlement this month with its insurer, Zurich, after a five-year legal battle over whether the insurance company would cover losses Mondelez suffered from the NotPetya cyberattack. The settlement in this landmark lawsuit is likely to result in cyber insurance providers’ expansion of “act of war” exemptions unless policymakers address the government’s reinsurance role in the case of large-scale, costly cyberattacks.

In 2017, the Russian hacking group Sandworm launched NotPetya to inflict harm on Ukraine, but the malware quickly spread, causing $10 billion in damages globally. Mondelez filed a claim with Zurich, having suffered $100 million in damages. Zurich denied the claim on the grounds that the cyberattack was a “hostile or warlike action.” Mondelez countered that the cyberattack caused no kinetic damage and that Mondelez was not involved in the Russia-Ukraine conflict. Last month, the two finally settled after Merck & Co. won a similar battle against its insurance company, ACE American Insurance Company, for $1.4 billion earlier this year.

The increase in cyberattacks against companies of all sizes is causing greater demand for cyber insurance. A 2017 report from multinational financial consulting firm Aon estimated just five percent of small- and medium-sized businesses had cyber insurance. By 2022, 55 percent of small businesses and 75 percent of medium-sized businesses had coverage. The increased demand, coupled with the rising costs of ransomware, is leading to a dramatic rise in insurance premiums. Eighty-six percent of cyber insurance policy holders have seen increases in the past year. Meanwhile, half of surveyed IT professionals indicated their policies do not cover key areas of loss, including ransomware and data recovery.

Policy, legal, and cyber experts have followed the Mondelez and Merck court cases closely because of the effect they are likely to have on the industry. Rulings that current “act of war” exemptions do not cover cyberattacks would likely cause insurers to rewrite exemptions to try to reduce their exposure to claims resulting from nation-state-backed attacks. If providers had prevailed, companies might be less inclined to buy cyber insurance, since policies do not cover the very risks they are trying to mitigate.

Defining what constitutes an act of war in cyberspace for the purpose of insurance is an important question not only for insurance providers and their clients but also for the federal government. A 2021 report by the Government Accountability Office (GAO) concluded that while cyber insurance can “help offset costs of some common cyber risks,” the cyber insurance market cannot “cover potentially catastrophic losses from systemic cyberattacks.” The GAO urged the Treasury and Homeland Security departments to assess whether federal insurance is needed to backstop financial losses from catastrophic cyberattacks.

Treasury has taken a first step by requesting information from cyber insurance providers under the Terrorism Risk Insurance Program (TRIP) to understand the premiums, coverage limits, and loss information for insurance policies that may be eligible for TRIP coverage as a result of acts of terrorism. Unfortunately, Treasury says it has only received limited amounts of the requested data. GAO has also warned, however, that, as written, the federal government’s terrorism reinsurance program would likely not apply in cases where there was no violence, coercion of the civilian population, or immediate threat to human life.

Executive or congressional action is necessary to better align federal reinsurance under TRIP to the realities of cyberattacks by altering the definitions so that the program applies to cyberattacks. Alternatively, Congress could pass a cyber version of the Terrorism Risk Insurance Act, placing the federal government as a backstop in cases of critical infrastructure disruption or other qualifying incidents.

Jiwon Ma is a program analyst with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Michael Sugden is a CCTI intern. Follow Jiwon on Twitter @jiwonma_92. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.