Why Mainstream Media Coverage of Cyber Insurance Is Driving Underwriters Crazy

It's proving just as challenging for reporters to cover the nuances of cyber insurance as it is for carriers to underwrite it.
By: | April 25, 2019

There’s a trend in recent mainstream media’s reporting on commercial insurance coverage disputes that is causing considerable frustration in the underwriting and brokering community.

In referring to the Mondelez/Zurich coverage dispute over losses from the NotPetya attack, for example, reporters keep referring to Mondelez’s coverage as “cyber insurance,” when it is more accurately described as a property policy that had some cyber coverage bolted onto it.

After a well-meaning insurance professional posted the mainstream media’s latest attempt to cover cyber insurance on LinkedIn, the messaging and networking platform lit up with comments from frustrated cyber insurance specialists who believe many media outlets are conflating terms and misrepresenting their products.

“Finally, as more (and more damaging) cyber attacks appear to be directed by national governments or their proxies, what is the point of having cyber insurance if such attacks are excluded from coverage? This is the question that many clients will ask themselves if the insurers win these two cases. In other words, a tactical victory for the insurers could spawn a strategic defeat,” said one Slate article.

Cyber underwriters are begging reporters to use correct terms to describe their product, but the reporters aren’t listening. The policy in question in the Mondelez case is a property policy with a bolted-on cyber element; it is not a stand-alone cyber policy, which carries a much higher premium and is more robust.

“I literally wrote the article’s author asking if I could educate him on what a cyber insurance policy is and explaining the importance of not conflating that product with traditional P&C products that may have some incidental coverage. No response yet. I think the media is in love with the byline that cyber insurance doesn’t work, accurate or not. This kind of coverage drives me nuts,” wrote one underwriter in a LinkedIn post.

“To me, these cases should bring to the forefront the difference between cyber liability insurance and ‘cyber as a peril’ on other lines of coverage (property, GL, auto, comp, etc.)” said another insurance professional.

“I think the cyber liability market is prepared for these attacks and is more than willing to respond (many carriers paid out numerous NotPetya related claims), conversely I think the other property and casualty lines are generally not fully prepared for fielding claims and paying losses for cyber as a peril,” he continued.

Graeme Newman, chief innovation officer for CFC Underwriting, gave us some of his time on May 10 and provided some valuable perspective.

“We paid out multiple NotPetya claims or at least claims attributed to the malware that has broadly been described as NotPetya,” Newman said.

“We paid one limit loss on a policy, not as significant as the Mondelez policy, but it was a reasonably significant limit all the same; multiple millions. Just like we do every single day.”

“I think the NotPetya piece is slightly overplayed because it is just yet another form of malware,” Newman said.

“We know full well that malware is spread by nation state actors, terrorist cells and organized gangs.  If you look at our claims profile, we receive roughly four to five cyber claims a day.  Out of those claims at least 30 percent of them relate to some form of malware or ransomware. And on all of those claims there will be a significant percentage that relate to rogue actors, specifically nation/state rogue actors,” he said.

In our March coverage of cyber risks and the cyber insurance market, we quoted Aon’s Stephanie Snyder on this confusion, which she referred to as the “bane of her existence.”

“What is interesting about Mondelez/Zurich is that it is a property policy. The issue at hand is a war exclusion,” said Snyder. “We have not yet seen coverage denials under cyber insurance policies related to war exclusions. We have seen over time certain denials, but those were due to basic insurance issues” either involving misinformation contained within the application or late reporting issues, she added.

Read More: Cyber Insurance Does Pay Claims. You Can’t Afford Not to Be Covered

“Even going back to 2018 there has been this ongoing challenge of misrepresentations about what cyber coverage does and does not do,” Snyder told Risk & Insurance® in a more recent interview.

And still the drumbeat of misinformation goes on.

Continued Mis-Coverage

Yet another piece, this time from the New York Times, similarly made a muddle of the difference between a property policy with a bolted-on cyber element and a stand-alone cyber insurance policy, which is generally a much more robust coverage.

Here is what one commentator had to say after reading that piece. He thinks, by the way, that Zurich will end up paying on the policy: “Zurich provides cyber insurance policies and could have recommended that Mondelez buy one of them, which would have covered this type of NotPetya event,” he said.

“Mondelez decided to rely upon an addition to their property policy without really making it fully comprehensive. My guess is that Mondelez knew of the existence of cyber insurance policies but did not want to pay the additional premium. Zurich’s property underwriters wanted to keep a client happy and added cyber wording to their property policy without broadly understanding the consequences,” he added.

Stephanie Snyder, cyber executive, Aon

“Now that an unexpected claim has occurred, Zurich property underwriters have seized on a war exclusion. I suspect that Mondelez may actually get the benefit of the insurance, because the difficulties in proving that Russia is behind the attack are significant. If that is so, the premise behind the article that they did not get benefit of the insurance bargain will turn out not to be true,” he said.

“However, any insurance policy worth its premium should pay without the need for litigation and so insurers should be clear when they are extending their non-cyber insurance policies to cover cyber risks,” he said.

“One of the problems is that for a long time cyber insurance was called cyber liability insurance and people see it as another form of liability cover,” said CFC’s Newman.

“The majority of claims that we deal with are actually first-party property coverages; and I think this is where some of the confusion comes from. I think the more that we think of cyber insurance as akin to a property policy, the easier it is to understand. Therefore, if clients are thinking of it as a liability policy the more mistakes they’ll make; the more they’ll miss,” he said.

“I think there is a different way to view cyber insurance and that is as an asset-based policy. I see it very simply. The property market looks at a physical tangible asset and that is the asset base that the market is designed to insure. I think we should see the cyber insurance market as the corollary of that,” Newman said.

“If you think of it as an asset-based policy that is protecting the intangibles, the data, there is a much easier way to view it. It’s not a peril-based policy that is triggered by some kind of event, it’s an asset-based policy. If you think of it like that, life becomes much, much clearer.”

Newman said carriers and others might be approaching cyber risk in the wrong way, in terms of how the exposure matches the cover.

“A lot of people start with the control environment. The security industry tends to look at the control environment,” he said.

“They look at the maturity of the control system, do they have good controls or bad controls, and that equates to a good risk or a bad risk. We might find that a business with a lot of exposure has a lot of controls. Well, does that make them a good risk or a bad risk? We try to see if the controls they have in place are equal to or greater than the exposure they have.”

“Cyber insurance is not necessarily an end-all-be-all for all things digital,” Aon’s Snyder said.

“It is really incumbent on risk managers to understand what their risk profile is and insure it appropriately. If they are concerned about cyber risk, a cyber insurance policy is the most robust type of coverage available to address cyber risk exposures,” she said.

“We are seeing a ton of interest in the business interruption components of coverage.”

The post commentator, who happens to work in the insurance industry, added, “Sophisticated companies like Mondelez might want to be wary of the bolt-on solution when a more expensive dedicated solution is available.”

As it relates to insurance in general, whether it be a homeowners’ policy, an auto policy or a property policy, the media’s take tends to be, ‘Insurance didn’t pay on the claim, therefore insurance companies are evil.’ But the truth is more nuanced than that.

The Takeaway

The issue here is perhaps one of perception, which also showcases the difficulties in providing coverage for a rapidly expanding risk capable of generating big losses.

As a provider of capital to cover losses, insurance carriers are in the unenviable position of seeing their learning curve, and the learning curve of their insureds as it relates to cyber insurance, playing out in the court of public opinion.

Tighter terms and a better understanding of how insurance can respond to cyber events will result. Carriers just need to manage a public relations challenge in the interim.

As to the take up of the stand-alone product, Snyder estimates that 30% to 40% of organizations do purchase a stand-alone cyber insurance policy.

“The remainder do not, they are still relying on these more traditional property/casualty policies, which may be silent relative to cyber risks, meaning that there is no affirmative coverage grant — or exclusion — relative to cyber,” she said.

Graeme Newman
Chief Innovation Officer
CFC Underwriting

“Bolt-on coverage doesn’t necessarily get you that affirmative coverage guarantee if there is no other clarifying policy language,” Snyder said. “When you look at cyber policies, cyber policies have indemnified for the NotPetya loss.”

Newman said the cyber insurance market at his firm is thriving.

“We happen to be in the hottest insurance market that there is right now,” Newman said.

“The cyber insurance market continues to grow and outpace any other line of insurance that you can think of. Our cyber insurance book last year grew over 63%. That is incredible growth. We are one of the largest writers in the world and seeing more and more demand,” he said.  

That said, Newman still sees an incredible imbalance in how risk transfer is being handled in our current economy.

“Eighty %-plus of the world’s assets are intangible assets and yet 90% of the world’s insurance spend is on tangible assets. And that cannot be right,” Newman said.

“We have all collectively lived through the most significant events in economic history.  The revolution that has played out in the last 20 years has been the most fundamentally emphatic impact on the economy in the world’s history and yet the insurance industry hasn’t changed that much.  The cyber insurance market is a relatively new market which is designed to address those changes.”

Overall, based on US sales, Fitch Ratings estimated that standalone cyber insurance premiums grew 12% in 2018. &

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

More from Risk & Insurance