The latest report from GlobalData looks at the T&Cs surrounding acts of cyber warfare. It isn’t just Ukraine, all sorts of States could take action against an enemy’s supply chain, food distribution systems, energy supply, comms etc. But how can insurers and clients agree on a definition of State actors vs rogue individuals in such cases, plus assure policyholders that such events are covered?
Cyberattacks instigated by Russia could be set to cause more disputes between businesses and insurers following the Zurich-Mondelez case, found GlobalData. According to the leading data and analytics company, nearly one in 10 small and medium sized enterprises (SMEs) that bought cyber insurance in 2022 did so as a precaution against the Russia-Ukraine conflict, meaning many new customers will take payouts on cyber claims for this reason for granted.GlobalData’s 2022 UK SME Insurance Survey found that 9.0% of SMEs in the UK that purchased cyber insurance in 2022 said the Russia-Ukraine conflict was a key trigger for their purchase. Ben Carey-Evans, Senior Insurance Analyst at GlobalData, comments: “While it ranked behind several other key factors, businesses that cited this factor will certainly expect to be paid out if they are victims of a cyberattack for this reason”.
The leading factors were increased working from home during the pandemic (27.0%) – which is believed to have increased the cyber risk businesses face – and media reports about cyberattacks (26.0%) – which has increased awareness of the dangers posed.
Carey-Evans continued: “It is critical that insurers are very clear over what is and is not covered, as a stream of high-profile cyber legal cases would be very damaging for the industry – especially following the recent business interruption cases arising from the pandemic. Such cases would risk increasing the view that insurers look to get out of paying claims, which will make retaining customers even harder than it is already due to the cost-of-living crisis.”
In a recent high profile case, Zurich and Mondelez International (owner of Cadbury) agreed a settlement of $100 million following a legal dispute over whether Zurich could avoid paying out a cyber claim over a war exclusion. The cyberattack attributed to Russia took place in 2017, after the annexation of Crimea in 2014. Zurich believed the cyberattack being attributed to Russia made it an “act of war,” meaning it did not need to pay out.
Carey-Evans adds: “The resolution of the case could create a legal precedent that means insurers will have to pay out on claims coming from Russia going forward. However, the escalation of the conflict since this attack happened could strengthen insurers’ arguments for ‘act of war’ exclusions for future cases.”