Cyber Insurance: What it does NOT cover and recent trends in underwriting & payouts

Cyber risk is on the rise, with ransomware leading the charge. The FBI's Internet Crime Complaint Center reported 3,729 ransomware complaints in 2021—a 50% increase from the previous year. And with average ransomware payments increasing (reaching a staggering $812,000 in 2021), attackers have only become more emboldened. Cyber criminals know that many insurance carriers have payment provisions for ransomware payments, so they are launching more attacks, especially within critical infrastructure and supply chains.  

As data breaches have become more prevalent—and more costly—demand has spiked over the past few years for cyber insurance plans. Forecasts estimate the global cyber insurance market will double in size by 2025 to reach $22 billion. This has forced carriers to increase their costs and, in many cases, restrict or put heavy conditions on what they cover in order to manage their own risk exposure. 

While insurance plans hold lots of value, firms should not approach cyber insurance as a catch-all for potential ransomware attack damages. Not only do insurers cost more today, but they also have stricter underwriting policies—meaning, if you aren’t taking proactive steps to mitigate your cyber risk, you may find yourself without the coverage you expected when a breach occurs.

What Cyber Insurance Does and Does Not Cover

What Is Covered 

Cyber insurance primarily covers privacy risks, security risks, operational risks, and service risks. These are typically covered under three types of insurance: 

• Network security and privacy liability
• Network business interruption
• Errors and omission

Network security coverage protects your business in the event of a data breach or cyber attack like malware or ransomware. This can include costs such as expense reimbursement for ransomware negotiation and demand, breach notification, forensics, data restoration, and oftentimes public relations expertise. 

‍Privacy liability coverage defends organizations from lawsuits, such as class-action lawsuits, or regulatory penalties from state and federal governments following a cyber incident or privacy law violation. This is especially important for organizations that work with sensitive customer data, like healthcare, where a breach of private data could open the business to major liability exposure.

‍Network business interruption coverage insures against operational cyber risk. If a cyber incident occurs that shuts down your network or your provider’s network, cyber insurance can cover the costs of lost profits and other expenses during the disruption. 

‍Medical liability covers intellectual property infringement and liabilities related to online content or digital advertising.

‍Errors and omissions coverage protects you from damages incurred from breaches of contract due to performance lapses with customers or partners. So if a data breach occurs that impacts service level agreements, this cyber insurance can cover that risk.

What this coverage looks like

Cyber insurance generally insures organizations against cyber risks such as:

• Data breaches (including theft of personal information)
• Cyber attacks on your data held by third-party vendors
• Cyber attacks on your network

What is NOT Covered

Cyber insurance typically does not cover:

• Potential future lost profits (e.g., due to reputational damage following a breach).
• Decreased valuation of the company (e.g., as a result of intellectual property theft), resulting in the loss of potential investment opportunities, growth, and more.
• Costs to improve internal technology and systems after a cyber incident. 

Additionally, keep in mind insurance companies are tightening their coverage standards and policies. This means there may be gaps in coverage depending on what losses qualify under the insurance agreement. 

Recent Trends in Cyber Insurance Underwriting & Payouts

With the rising costs of cyber risks, insurance companies are tightening policy terms to minimize their losses. 

Cyber War Exclusion

One of the main ways insurers are mitigating risk is through increasing exclusions for “war and terrorism.” This cyber war exclusion basically says that the insurer is not responsible for damages resulting from cyber attacks connected with war or foreign enemies. 

The main issue with these exclusions is that they tend to be overly broad—leaving it unclear what incidents may or may not be covered. This is especially true today as cyber attacks can essentially be considered invasions, and most ransomware firms are located in Russia or eastern Europe. This leaves a “grey” area as to what constitutes terrorism, especially for countries with particularly fraught relationships with those countries. 

One of the most high-profile examples of this exclusion is the Mondelez case. Mondelez International, Inc., a snack food manufacturer, was infected by the malware NotPetya in 2017. The infection caused significant damage as well as disruption to global supply chains. But when Mondelez went to file a $100 million claim under an all-risk property policy, it was denied based on the war exclusion. 

This is a good example of the complexity of insurance coverage in the cyber landscape. The claim fell under a property policy rather than a cyber insurance policy—but it highlights just how interconnected cyber damages can be with other types of losses and insurance coverage. That’s why it is important for organizations to review their policies carefully to see where they are covered and what gaps and exclusions may apply. 

Stricter Requirements

The pandemic has also tightened underwriting and payout guidelines even further. Insurers now have more controls and requirements on security protocols, backups, and infrastructure as a condition for coverage and payout of damages. This means organizations are increasingly expected to maintain a minimum level of cyber health to qualify for the coverage they are paying for. 

How to Supplement Cyber Insurance with Preventative Risk Mitigation 

Relying solely on cyber insurance for your risk management isn’t enough. Due to the rising costs of coverage as well as the complex policy requirements and exclusions, it’s important to take proactive steps to mitigate risks upfront. 

In addition to improved security measures around your own network perimeters, organizations should evaluate their entire risk landscape across their supply chain. 

Here are a few ways you can do this:

• Use up-to-date, reliable, and objective third-party security-focused data— not just questionnaires—to evaluate your suppliers and assess their risks. Supplier surveys tend to be biased in favor of the supplier, which can lead to blindspots in your risk assessment. Plus, surveys take time, leaving you with gaps in information between surveys. Focusing instead on up-to-date security data from third parties can help you develop a more complete picture of your cyber risks and security posture. 

• Expand your focus to monitor additional risk factors beyond traditional security measures. For instance, tracking suppliers’ financial health simultaneously with cyber health can illustrate how much the company is investing in cybersecurity. Look at a variety of risk factors such as credit ratings, profit margins, and revenue to better understand where your suppliers are investing and put their security posture into context.
  
  
• Educate your suppliers on security best practices and set expectations for security standards going forward. Work with your suppliers to ensure they have the resources to adequately secure their data and protect against cyber threats. Building strong supplier relationships is key here. 

Underpinning all these risk mitigation steps is good data. Without it, you won’t have the context and insight needed to take strategic action. A robust supplier intelligence solution is essential for providing the depth and breadth of data needed to assess and monitor your suppliers’ cybersecurity risks at scale. 

‍