When Hackers Strike, Property Insurance May Not Offer Protection

(Bloomberg Businessweek) -- When Mondelez International Inc., the maker of Oreo cookies and Cadbury chocolate, suffered a malware attack in 2017, it thought the property insurance policy it had taken out years earlier with Zurich Insurance Group AG would help cover the more than $100 million in losses Mondelez estimated it had suffered.

Zurich saw things differently. The insurer classified the attacks, which also hit servers of several other big companies, including Merck & Co. and A.P. Moller-Maersk AS, as an act of war. Since the Mondelez policy has a clause that excludes acts of war, the insurer denied the claim. Mondelez is suing Zurich for $100 million, claiming the coverage is warranted and calling the insurer’s response “unreasonable,” according to court documents.

Many companies have long-standing property insurance policies that offer a payout if a cyberattack results in physical damage, but they may not cover financial damage. Many of those policies were bought years ago, before cyberattacks became almost routine, and the terms and conditions haven’t been updated, according to Lori Bailey, Zurich’s global head of cyber risk, talking about the overall market for cyber insurance. That creates uncertainty for insurers and policyholders.

Mondelez’s complaint isn’t an isolated case: According to a report in the Times of London, law firm DLA Piper is disputing insurer Hiscox Ltd.’s denial of a multimillion-pound claim for losses incurred because of a 2017 cyberattack. DLA Piper declined to comment. A spokesman for Hiscox says the dispute with DLA “is not in relation to a cyber policy.”

Insurers are seeing an increasing number of claims for damage inflicted by hacks under general property policies. American International Group Inc. said it received as many cyber-related claims in 2017 as it did in the four previous years combined. Financial- and professional-services companies topped the list of those filing claims. Businesses with large databases of clients, such as lawyers and accountants, have become important targets for criminals given the quality of the data they hold.

Insurers are encouraging customers to take out separate cyberpolicies or add clauses to existing property coverage. The market for cyber insurance will expand to $9 billion in annual premiums next year, more than double the level in 2017, according to insurer Munich Re. Fewer than a third of U.K. companies have a specific cyber insurance policy, according to Mactavish Group, which reviews policies on behalf of insurance buyers. Other companies like Mondelez believe they’re covered for cyberclaims under their property policies, only to face rejection.

Cyberassaults pose a greater risk than terrorism or the collapse of a nation-state, according to a January report from the World Economic Forum. Only nuclear war, climate change, and natural disasters have the potential to cause more damage, the report says. The insurance industry expects cyber insurance to get a boost from regulation in Australia, Brazil, and Europe. The European Union’s General Data Protection Regulation, which took effect in May 2018, requires companies to disclose when they’ve been hacked. Insurers expect greater acknowledgment of cyberattacks will lead to bigger premiums for cyberpolicies.

Aluminum smelter Norsk Hydro ASA bought several cyberpolicies years ago, including one from AIG, and is “very happy” it did, says Chief Financial Officer Eivind Kallevik. In March, Hydro suffered a cyberattack that forced it to turn off automated systems and handle molten metal through its facilities manually. It said the damages were about 350 million Norwegian kroner ($40.8 million) in just the first week; the final bill could be much higher. Hydro has delayed its next earnings report by more than a month because the attack also took out the computers used to calculate the losses.

To contact the editor responsible for this story: Dimitra Kessenides at dkessenides1@bloomberg.net

©2019 Bloomberg L.P.