by Hank Berkley
Contributing Editor

Last week we discussed some conclusions that one could draw from a data breach report by the Ponemon Institute. One number we did not highlight was the impact of cyber insurance on losses. Taking that information together with what is happening in the current marketplace suggests that it may be time to reexamine your insurance coverages and the assumptions behind them.

In the US, the average data breach included in the report had a cost of $7.9 million. Of that amount, $4.2 million was related to what the report refers to as “customer churn”. Essentially this represents the loss of future revenue, and it varies significantly among industries. For instance, lost future business was higher in healthcare and financial businesses, presumably because consumers have greater expectations of privacy in those fields. Since insurance policies do not provide any recovery for customer churn, more than half of the average cyber loss is immediately off the table.

Of the remaining $3.7 million average loss that might be covered by insurance, the report put the average insurance benefit at only $400,000, or roughly 11%. The effective recovery rate is even lower once you subtract the cost of the insurance itself (which Ponemon did not do).

More recently some insurance carriers have taken a new tack when settling large cyber claims. As more attacks originate from foreign governments or people working for those states, carriers have begun to invoke the act-of-war exclusion that is part of almost every policy. While the “war” may not be aimed directly at the company that suffers the damage, insurers are characterizing that damage as collateral and denying the claim on that basis.

In 2017, when Mondelez, the manufacturer of Oreos, Cadbury chocolate and dozens of other well-known brands, lost in excess of $100 million to the NotPetya malware, its insurer, Zurich, denied the claim, citing the war exclusion. Merck’s insurers similarly denied a $700 million claim for NotPetya damages. Apparently neither of these companies was a direct target of NotPetya. The US government identified the source of the code as the Russian government. It was written to disrupt business in Ukraine, but later found its way “into the wild” and infected a broad swath of enterprises around the globe. The fact that the US government pointed the finger at Russia is what gave the carriers their justification for denying the claims.

Considering that the most dangerous cyber risks originate with state-sponsored actors, this direction could have a considerable impact on the financial protection that insurance actually offers. The jury is still out as to how the courts will view the applicability of the war exclusion clause in the Mondelez case. There is no word as to whether Sony’s insurance carrier covered any or all of the estimated $35* million 2014 business loss caused by North Korea. If you carry a cyber policy, the practical check is to read the war exclusion wording now and ask the carrier how it would treat a public government attribution of an attack, rather than finding out at claim time.

As we have mentioned previously here, insurance policies are complicated legal documents. Add the complexities of information security to that, throw in what can be a huge premium, and it is apparent that cyber insurance requires a fair amount of analysis. Considering that the carriers paid out only about $0.32 in claims for every $1 they took in last year (compared to about $0.62 for auto insurance), there is clearly some room for negotiation. But as the Ponemon study demonstrated, cyber insurance itself did not have a big impact on reducing the total cost of a data breach. Caveat emptor.

If you agree that the real benefits of cyber insurance are overstated, you should also conclude that investment in other steps to avoid a loss is relatively more valuable. In terms of financial benefit, the Ponemon report concludes that preparedness is among the most important steps you can take. Having an incident response plan, knowing where your most significant data is stored and encrypting that information each lowered the total cost of a breach more than most of the other factors the report examined.

Organizations like Gartner publish guidance on how much companies should spend on cyber security. But just as this Ponemon report deals only in averages, looking at average spending does not necessarily mean much for your own organization. At the end of the day your safety depends on how wisely you spend your security budget, not on how closely it matches someone else’s.

* The $35 million estimate for Sony’s loss was just direct expenses and does not include lost revenue, reputational damage or the impact on employee and business relationships that were caused by the release of private emails. Some estimates have the total loss number close to $200 million.
