Hacks can cost businesses millions. Insurers may refuse to pay up

Cyberattacks are a nightmare for chief executives. To make matters worse, their insurers may refuse to pay u...

Posted: Jan 11, 2019 8:37 PM
Updated: Jan 11, 2019 8:37 PM

Cyberattacks are a nightmare for chief executives. To make matters worse, their insurers may refuse to pay up for damage the hackers do to their business.

A dispute between food and beverage giant Mondelez and Zurich Insurance (ZURVY) shows just how much is at stake. Mondelez has filed a lawsuit in Illinois that accuses the insurance company of refusing to cover losses it suffered as a result of the NotPetya cyberattack.

Digital security

Technology

Crime, law enforcement and corrections

Criminal offenses

Digital crime

Business and industry sectors

Business, economy and trade

Cyber attacks

Insurance

Unrest, conflicts and war

Continents and regions

Europe

Switzerland

Western Europe

Zurich

Cyberterrorism

International relations and national security

National security

Terrorism

Terrorism and counter-terrorism

Digital privacy

Companies

Mondelez International

Law and legal system

Lawsuits and claims

Trial and procedure

The attack swept across the world in June 2017, infecting networked computers at companies including advertising group WPP (WPPGF), drugmaker Merck (MKGAF) and global shipping company FedEx (FDX).

Mondelez (MDLZ) said in October 2018 that the attack cost it at least $114 million. But according to the lawsuit, Zurich Insurance has cited a "war exclusion" and refused to cover the losses.

The 'war exclusion'

The United States and the United Kingdom have blamed the NotPetya attack on Russia, suggesting that it was part of an effort to destabilize Ukraine.

In its lawsuit, Mondelez claims that Zurich Insurance subsequently refused to compensate it for losses suffered in the attack, citing a contract exemption for a "hostile or war like act" by any "government or sovereign power."

Zurich Insurance declined to comment on the dispute, saying it does not give details about individual policies. Mondelez also declined to comment.

The case could prove to be an important test for both companies and insurers, and help to establish when policyholders should be compensated for a cyberattack.

Rising threat

Executives in Europe, East Asia and North America say cyberattacks are the number one risk facing their companies, according to a survey published in November by the World Economic Forum.

Yet many companies do not have insurance that specifically covers cybercrimes, relying instead on general "all-risk" policies.

"Many of these all-risk policies may not even mention cyber, they were not designed to cover cyber," said Christine Marciano, CEO of insurance broker Cyber Data Risk Managers.

"They were written at a time when nobody could have predicted that these attacks would happen," she said.

Marciano said the insurance industry is closely watching legal actions such as the one filed by Mondelez to see whether more general policies should cover cyberattacks.

Contagious attacks

The nature of cyberattacks present real risks for insurers, as well as their clients.

Domenico del Re, an insurance expert and director at PwC, said insurers are most worried about systemic cyberattacks on the scale of NotPetya because they can simultaneously affect multiple clients across the world.

"This is what is different about cyber," he said. Other risks, like theft or kidnapping, are unlikely to affect multiple clients at the same time, he added.

The damage can also be extensive.

"There is a myriad of ways in which a cyberattack can cause financial loss — actual physical loss to the IT equipment, claims from third parties whose data was lost, fines, fraudulent transactions," del Re said.

That means that an insurance company could be on the hook for physical and financial losses, as well as damage to users and clients caused by data theft.

Data issues have become even more pressing after the General Data Protection Regulation (GDPR) came into effect last year in Europe. The law can mean huge fines for companies.

This could happen to you

"Companies that used to have the mindset of 'this can't happen to me' .... are now starting to realize this is something they can't be without," said Marciano.

Limited data on the damage caused by major cyberattacks makes it difficult for insurance companies to model and price policies.

Mondelez said its $114 million in losses were caused by property damage and disruptions to its business. It said in October that NotPetya had destroyed 1,700 of its servers and 24,000 of its laptops.

Equifax (EFX), which was also hit by a huge hack in 2017, said its damages exceeded $350 million. Insurance has so far covered $95 million, it said in its most recent quarterly financial report.

Article Comments

West Lafayette
Overcast
48° wxIcon
Hi: 56° Lo: 33°
Feels Like: 43°
Kokomo
Overcast
43° wxIcon
Hi: 54° Lo: 33°
Feels Like: 35°
Rensselaer
Overcast
45° wxIcon
Hi: 55° Lo: 30°
Feels Like: 38°
Fowler
Overcast
45° wxIcon
Hi: 56° Lo: 31°
Feels Like: 38°
Williamsport
Overcast
49° wxIcon
Hi: 56° Lo: 33°
Feels Like: 43°
Crawfordsville
Overcast
43° wxIcon
Hi: 55° Lo: 34°
Feels Like: 37°
Frankfort
Overcast
46° wxIcon
Hi: 53° Lo: 33°
Feels Like: 42°
Delphi
Overcast
46° wxIcon
Hi: 55° Lo: 33°
Feels Like: 41°
Monticello
Overcast
46° wxIcon
Hi: 55° Lo: 32°
Feels Like: 41°
Logansport
Overcast
43° wxIcon
Hi: 53° Lo: 32°
Feels Like: 37°
Lots of warmer, windy, wetter weather ahead.
WLFI Radar
WLFI Temps
WLFI Planner

Community Events