The recent news regarding the relationship between Iran and the United States has been a major cause for concern amongst the U.S. populace. As a result of the heightened tensions, many businesses are concerned about an increase of cyber attacks. However, insurers are warning their customers that a cyber-risk insurance policy might not provide any coverage from an Iranian cyber attack.
Insurance policies are designed to provide coverage from common occurrences. Risks like hackers and criminals are what a proper cyber-risk policy is designed to cover. What those policies do not cover, is acts of war. Given the current state of Iranian and U.S. relations, many insurers are warning their customers that an attack from Iran can be viewed as an act of war, therefore a normal cyber-risk policy would not kick in. Naturally, this is alarming for many business owners.
Obviously, the crux of this whole issue comes down to the definition of “acts of war”. Unfortunately, that definition can change from policy to policy. If you are a business owner, be sure to read your policy very carefully. Most exclude acts of war, but some even exclude acts of terror. A terror exclusion can make claims even more tricky, because if there is any change that the cyber attack originated from an organization that the U.S. has labeled as terrorist, then your claim won’t be covered.
Mondelez is probably the best example of this predicament so far. In 2017, the company, which owns popular brands like Cadbury chocolates and Philadelphia cream cheese, was a victim of the NotPetya cyber attack. In total, the organization lost approximately $100 million as a result of the attack. To make matters worse, Mondelez’s insurer, Zurich Insurance, said they would not be covering the damages, citing the “act of war” clause. The two companies are still locked up in litigation.
Jake Olcott, vice president at BitSight Technologies, a cyber risk adviser, spoke with the New York Times about the Mondelez incident. “We still don’t have a clear idea of what cyberwar actually looks like,” said Olcott. “That is one of the struggles in this case. No one has said this was an all-out cyberwar by Russia.”
The nature of cyber attacks further complicates the issue. That’s because a proper cyber attack can spread so quickly that often companies that were not even the original targets can become affected. If that’s the case, is collateral damage also excluded by the “acts of war” clause?
There are a lot of questions surrounding cyber-risk policies that still need to be answered. The numerous cases currently in litigation will set an important precedent for the industry when they are finally resolved. For now, a cyber-risk policy is still probably a good idea for businesses, though they need to take the time to read the fine print carefully.
To learn more about your current coverage, or to inquire about new policies, we encourage you to reach out to the staff at TGS Insurance. They are experts in their fields and are always willing to work with you to find the right policy for your lifestyle. Visit www.tgsinsurance.com to learn more.