With cyberattacks on the rise, corporate victims find themselves battling it out with cyber insurance companies over protection from the damage done by security breaches.
The Financial Times reports that not only have sales of policies been growing by about 25 percent a year, but so have disputes between companies and the insurers.
For example, the National Bank of Blacksburg in Virginia sued Everest National Insurance Company earlier this year after the bank was hit by cyberattacks in 2016 and 2017. The bank claimed $2.4 million in losses under its cyber insurance policy, but the insurer disputed the claim and offered $50,000. The case will go to court next year.
“The mismatch between what people think they have bought and what they have actually bought is often very significant,” said Rob Smart, technical director of Mactavish. “The products are put forward as an all-singing, all-dancing solution to cyber risk, but the reality is more nuanced than that.”
“Most cyber policies are written in a fairly restrictive way and there are points of uncertainty over how far the cover will extend,” he added.
One issue is that coverage might only include malicious attacks, excluding issues caused by security errors. In addition, payouts for data breaches might be limited to the legal minimum, with nothing extra for things the client may want to spend on, such as keeping customers informed.
“The biggest area where the cover is not what they want is business interruption,” said Julia Graham, technical director of Airmic, which represents insurance buyers in the UK. “[Insurers] are not offering the breadth of cover that people would like.”
Warren Buffett even sent out a warning to investors about cyber insurance earlier this year.
“I don’t think we or anybody else really knows what they’re doing when writing cyber insurance,” said Buffett. “We don’t want to be a pioneer on this.”
He added that cyber insurance companies have about a 2 percent chance of a catastrophic attack, leading to at least $400 billion in losses.
“The core issue,” explained Rotem Iram, CEO of industry company At-Bay, in a recent interview with PYMNTS, “is that cyber-risk is highly dynamic, and there is a limit to how well historical data of old technology can predict future risk. If underwriters can’t predict where security threats will come from, it’s very hard to reward companies for their security posture today.”