Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsCarriers Are Pushing Cyber Insurance, but Do Policies Pay Out?
An image showing padlocks and a keyboard representing cybersecurity and cyber insurance.
NEWS AND COMMENTARY

Carriers Are Pushing Cyber Insurance, but Do Policies Pay Out?

July 12, 2019 | Purdue Global Law School

Recent research from IBM and the Ponemon Institute suggests the average cost of a data breach is approaching $4 million, with some “mega breaches” costing nearly 100 times that amount. Faced with existential threats to their operations, businesses are increasingly purchasing cyber insurance to help mitigate their risk.

Most cyber insurance policies cover an organization’s liability for a data breach in which sensitive information is compromised, and may also help offset losses due to cyber extortion, fraud, and data loss. No industry standard yet exists for underwriting these policies, but they typically cover expenses related to conducting forensic investigations, notifying data breach victims, providing credit monitoring services, and defending lawsuits. Some policies also provide coverage for business disruption, crisis management, recovering systems and data, and regulatory fines and penalties.

However, some organizations are finding that the policies they purchased don’t provide the protection they expected. In a growing number of cases, claims have been denied due to exclusions and exceptions that are not well understood by buyers.

NotPetya Causes Billions in Damages

In the aftermath of the 2017 NotPetya ransomware attack, companies learned just how technical distinctions can nullify cyber insurance coverage. Generally considered the most devastating cyberattack ever, the NotPetya outbreak affected more than 2,000 companies and resulted in more than $10 billion in damages. Although Ukraine felt the initial brunt of the attack, it spread across Europe and into the U.K. and U.S.

Western governments were quick to accuse Russia of the attack. The White House issued a brief statement on Feb. 15, 2018, alleging that NotPetya “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” Russia was threatened with “international consequences” for launching “a reckless and indiscriminate cyber-attack.”

The malware is called “NotPetya” because it was initially believed to be a variant of the Petya ransomware attack. However, Petya is fairly typical ransomware that encrypts the victim’s data and demands payment in Bitcoin in exchange for the decryption key. NotPetya poses a far greater threat because it can spread from system to system without human intervention. Furthermore, security analysts have determined that there is no way to recover files encrypted by NotPetya, suggesting that the malware is designed to destroy data rather than obtain a ransom payment.

Was NotPetya a ‘Warlike Action’?

Among the companies hardest hit by the NotPetya attack was Mondelez International, the Illinois-based food conglomerate that owns the Nabisco, Cadbury, and Toblerone brands, among others. Mondelez reported that viruses in two separate locations permanently disabled 1,700 servers and 24,000 laptops and caused a variety of operational and supply chain disruptions resulting in losses exceeding $100 million.

Mondelez had purchased a cyber insurance policy from Zurich Insurance Group, with coverage for “physical loss or damage to electronic data, programs, or software” related to the “malicious introduction of a machine code or instruction.” The company filed a claim for damages suffered in the NotPetya attack.

After U.S. cybersecurity experts blamed the attack on the Russian military, Zurich denied coverage, citing an exclusion for a “warlike action” taken by any “government or sovereign power.” On Oct. 10, 2018, Mondelez filed suit against Zurich in Cook County, Illinois, seeking $100 million in damages for breach of contract, promissory estoppel, and bad faith.

Mondelez asserts that the “warlike action” exclusion was intended to apply to conventional warfare and that invoking it for a cyberattack is unprecedented. The company also emphasizes that Zurich bears the burden of proof to show that the exclusion applies.

Scant Evidence

Zurich faces a high hurdle in proving that the attack was akin to an act of war. The Western governments that accused Russia offered no real evidence, and Zurich will have to satisfy the court that the Russian government launched the attack for some military purpose.

Nevertheless, the ongoing litigation is roiling the emerging cyber insurance industry. Although such policies have been around since the 1990s, the market only really began to take off in 2005 following the DSW Shoe Warehouse data breach—the first breach to compromise more than 1 million records. According to data from the 2017 RIMS Cyber Survey reported by Insurance Journal, 83% of organizations have cyber insurance policies.

However, some signs show that cases such as the Mondelez-Zurich suit are having a chilling effect on the industry. In one recent study, more than two-thirds of companies with cyber insurance said they don’t believe the policies adequately cover their risks. Many complained about the lack of policy standardization, with terms, definitions, and exclusions varying from one insurer to another. To regain customers’ trust, insurers will need to clarify their cyber policies and conditions under which exclusions apply.

Learn More About Cybersecurity Law

As data breaches grow in prevalence and severity, cybersecurity legal experts will be increasingly needed to navigate this relatively uncharted field. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

EJD Program: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student who intends to seek admission to practice law should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence.

JD Program: Study at, or graduation from, this law school may not qualify a student to take the bar examination or be admitted to practice law in jurisdictions other than California. A student who intends to seek admission to practice law in a jurisdiction other than California should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence. 

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.