When a cyberattack leaves employees working off a "single clunky personal laptop," the case for property damage is clear. What isn't clear are a traditional insurer's exclusions.
Cyber-related assaults on companies are hard to navigate through traditional insurance policies, so businesses are looking for an additional layer of protection.
But the current status of cyber insurance adoption is underwhelming.
Only 38% of organizations in North America and Europe have an active cyber insurance policy, according to a Spiceworks survey of more than 500 companies. Of those companies, nearly 40% decided to adopt coverage because of the personal data they manage.
The research firm expects adoption rates to rise over the next two years but one-third of uncovered companies say it's because they aren't sold on the benefits.
"Some might blame this phenomenon on fear generated by overblown news reports, but my first thought, and hope, is that more companies are learning about and coming to terms with this emerging risk," Alex Purvis, partner at Bradley law firm, told CIO Dive in an email. "Cyber risk is unique."
Malicious activity and cybercriminals change habits and attack methods regularly, which makes protections that were reliable yesterday less so today. Still, one-fifth of uncovered respondents haven't found "sufficient use cases for cyber insurance," according to the report.
Cyberattacks in the last several years have proven that no company, no matter the size, is immune to cyber incidents. Maersk, FedEx and Mondelez were victims of cyberattacks, while Equifax, Uber and Marriott were sitting on unknown breaches for months. Marriott's breach left guests exposed for about four years.
Right now the cyber insurance market is competitive, which means companies can buy into a policy for a lower premium, said Purvis. Nearly three-quarters of covered companies are buying policies as a precautionary part of a greater IT strategy focused on security, according to the report.
All insurance isn't created equal
Traditional insurance providers are becoming more stringent on what qualifies for business coverage. The food manufacturer Mondelez just filed a $100 million lawsuit against its insurer Zurich American for failing to cover damages related to NotPetya.
Mondelez is challenging how a company obtains the money needed to resolve issues caused by a cyberattack. NotPetya left 1,700 servers and 24,000 laptops "permanently dysfunctional," according to Mondelez's court filings.
These damages, according to the company, should be covered under Zurich's property insurance policy, which includes loss inflicted by "the malicious introduction" of malware.
However, Zurich American said the losses are exempt from coverage because NotPetya was a "warlike" action that occurred during a "time of peace."
Mondelez has to make a case its damages apply to the policy. "Offsetting the risk of a claim denial starts during underwriting," said Purvis.
"Too many coverage battles arise out of a lack of attention during the underwriting process," but with guidance from a company's risk management team, outside advisors or coverage lawyers, coverage can be better understood, according to Purvis.
"A discussion about the policy and going through the underwriting forces many companies to think about security and implement improvements in process and procedures," Ronald Raether, partner at Troutman Sanders for Cybersecurity, Information Governance and Privacy, told CIO Dive in an email. "In other words, cyber insurance is used to help kick start a culture of compliance."
In Mondelez's case, the debate between the food manufacturer and its insurance provider has the potential to set the tone for similar cases. "There is little case law interpreting these policies to date, so there is still plenty of room for legitimate debate," said Purvis.
How to get cyber insurance
More than one-third of uncovered companies said there is insufficient understanding to pursue coverage. But as cybersecurity incidents become more catastrophic for companies, ignoring insurance is not an option.
Mondelez's case proves that relying on a traditional provider for something as relatively new as cyber coverage may not always be reliable.
Companies will start to supplement traditional insurance policies with policies purely dedicated to cyber, Paul L. Janowicz, associate at Tucker Ellis, told CIO Dive. "If a company is thinking about buying cybersecurity insurance, it should see if its current insurer offers coverage either through an endorsement or stand-alone policy."
Companies should leverage insurance brokers when trying to procure coverage. There are also tools available, like the Federal Financial Institutions Examination Council cybersecurity self-assessment tool, that can gauge a company's risk profile during the underwriting process, said Raether.
Using companies like Security Scorecard can help cultivate a high-level evaluation of a company's security posture and of what kind of policies best fit its needs. It also helps insurance providers do their own evaluations.
Companies with a formal head of security, like a CISO, already appear to have a stronger case in the eyes of an insurer considering coverage. And over the last two years specifically, those assessments have become more in-depth, Jadee Hanson, CISO of Code42, told CIO Dive in an interview.
Insurers used to be more keen to give a company cyber insurance "without a lot of validation," according to Hanson, "but now you're seeing cybersecurity insurance companies spending weeks (investigating) a company."
Insurers want a firsthand view of how mature a company's security program is and may request proof of certifications. "Typically they're going to come in and evaluate the technology, the process and they're also going to evaluate the people," said Hanson.