When Does Insurance Cover Cyberattacks?

This article was first available to subscribers of Accounting Quality Insights by Audit Analytics on Bloomberg, Eikon, FactSet, and S&P Global.

In 2014, global life sciences technology company Medidata Solutions [MDSO] fell victim to a “phishing” attack, losing nearly $5 million to overseas wire fraud. The company’s insurer, Federal Insurance Co, denied Medidata’s claim that the attack was covered by its commercial crime insurance policy.

Medidata sued Federal Insurance Co, citing wrongly denied coverage and won its suit in 2018. In a 10-K filing, Medidata said it recorded charges of $4.9 million and $900,000 to its operating costs and expenses in the third and fourth quarter of 2014, respectively, for the loss and related investigation costs incurred. Medidata won its initial case and the verdict was affirmed on Federal Insurance’s appeal, resulting in a $5.9 million judgement, which included $1.1 million in interest income.

With cybercrime becoming a significant problem, the role of the insurer in covering losses from cyberattacks is coming into question for many companies. Will general insurance cover direct business losses from cyberattacks, or is a specific cybersecurity policy necessary? What attacks are never covered, even if the insured holds a cybersecurity policy? Since cybercrime is a new area, the answers to these questions remain murky.

Cybercrime on the Rise

In 2018, the Federal Bureau of Investigation said business e-mail compromise, which includes scams like phishing, has caused $12 billion in losses globally. Between December 2016 and May 2018 there was a 136% increase in identified global exposed losses.

We’ve also seen a rise in publicly traded companies reporting cyberbreaches, with companies of all sizes falling victim. In 2011 there were 28 reported breaches, and by 2018 there were 126. So far in 2019, 26 breaches were reported. Over the years, 14 firms disclosed proceeds from insurance, although litigation costs weren’t disclosed.1

One of the costliest data breaches was in 2017, when Equifax [EFX] said breach-related costs could reach over $500 million, with $125 million covered by insurance.

There’s little consistency to when an insurer pays out claims related to cyberattacks, and some insurers are pushing back, saying some cybercrime falls under acts of war, rather than acts of crime. If an attack is considered an act of war, an insurer can deny coverage.

The recent NotPetya attack is an example of insurers’ mixed actions. In June 2017, a ransomware virus called NotPetya wiped data from computers. The malware was circulated through Ukrainian tax software, infecting computers when downloading automatic updates from the maker’s website. The bug was designed to cause as much damage as possible. It did not simply encrypt data like typical malware; it was designed to wipe out infected hard drives. The U.S. government pinned the attack on Russia.

Five publicly traded companies disclosed NotPetya attacks: FedEx Corp [FDX] subsidiary TNT Express, Merck & Co., Inc. [MRK], AP Moeller- Maersk A/S [MAERSK B], Mondelez International [MDLZ] and WPP plc [WPP]. Of those, four disclosed costs and only Merck disclosed insurance recoveries.

The act-of-war proclamation for the NotPetya attack gave some insurers an out to avoid payments. Food company Mondelez International spent $91 million on responding to the attack and lost over 2% of second quarter revenues in 2017, which took information technology teams weeks to fix. Mondelez’s insurer, Zurich Insurance, denied the claim based on the war-exclusion clause. Mondelez is suing Zurich, and the case is ongoing.

General Business Insurance Risk Factors

If a company wants to fall back on general business insurance that covers business disruptions from a cyberattack, they may find insurers denying coverage. London-based multinational law firm DLA Piper suffered a NotPetya attack in 2017, which took 15,000 hours of overtime for IT workers to recover systems. DLA Piper is also suing its insurer, Hiscox, for denying the NotPetya claim. According to news reports, Hiscox says the suit is not related to a specific cybersecurity policy and doesn’t fall under the act-of-war clause. In the DLA Piper case, it’s not clear what type of insurance the company had, and that may make a difference.

In another phishing case, community bank Orrstown Financial Services [ORRF] said the attack cost the bank $765,000 to fix. Orrstown filed a $615,000 claim with its cyber insurance carrier, Westco, which denied the claim. In April 2019, the bank filed an 8-K form stating the claim was completely denied.

Originally, Orrstown considered the expected reimbursement as a receivable on its balance sheet but needed to switch that to a pre-tax expense.

The Company believes that the basis for Wesco’s denial is improper and intends to assert its rights to coverage of the expenses. There can be no assurance, however, that the Company’s position regarding coverage will prevail or, if it does prevail, that the coverage will be sufficient to reimburse the Company for the entire amount of the receivable.

Pending resolution of its insurance claim, the Company has recorded a pretax expense of $615,000, or approximately $0.05 per diluted share, in its first quarter results for 2019.

Orrstown may have some legal precedence on its side as federal appeals courts twice upheld policyholder’s coverage claims for cyber fraud. In addition to the earlier Medidata example, tool-and-die company American Tooling Center won a case on appeal against Travelers Casualty & Surety Co. when the company fell victim to a phishing scam and wired $800,000 in funds to a fraudulent account. The appellate court said business email compromise scams can cause firms direct financial losses from computer fraud through email. The ruling was the first time that email scams fell under a crime insurance policy.

Rulings in favor of companies like Medidata and American Tooling Center could give companies hope their claims eventually will be paid.

It isn’t clear whether general business policies will cover direct losses from cybercrime. Merck is testing those boundaries. While Merck was paid by insurers for its losses in the NotPetya attacks under its cybersecurity insurance coverage, the pharmaceutical company is suing insurers, seeking further payment under property policies.

What Can Companies Expect?

It’s hard to know what companies can expect when it comes to insurers paying for cybercrime, but companies should expect insurers to get stricter over what they’ll cover. Act-of-war events could trigger war-exclusion clauses, which are a standard part of most insurance policies.

Whether these crimes are covered under general business insurance or if companies need specific cybersecurity policies is also unclear, as many companies affected by malware or phishing haven’t said what type of insurance they have or provided the policy specifics. Even if policies come into effect, they often only cover direct business losses; direct legal costs may not be covered. Further, indirect costs such as inability to conduct business, coming under SEC scrutiny, and reputational losses during cyberattacks can’t be quantified and aren’t reimbursable.

Cybercrime remains a new risk – something companies and insurers will grapple with for a long time. There won’t be clarity about what events will be covered under cybersecurity insurance policies anytime soon.

For more information on this article, or for subscription information, please contact us at info@auditanalytics.com or (508) 476-7007.

1. For a list of companies that disclosed reimbursement from insurance following a cyberattack, please contact us.