Cybersecurity and Insurance
Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.
The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.
It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.
That’s a Lot of Money
By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, customer order loss they came up with the $100 million figure.
You might argue if that number is really accurate. Hard drives could be reformatted, but then again that takes time so in the age of $80 hard drives, does that really make sense? If a supermarket got Oreos a week late, was that really more than an inconvenience? Were there penalties in their contracts with the customers or are they assuming that a huge number of store-brand cookies were sold when the Oreos ran out? We don’t know.
However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million dollar loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.
As you can probably guess, Zurich isn’t wanting to pay the claim. Insurance companies have a reputation for being happier to take your payments than they are paying your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?
Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters. The theory is if a tornado comes and destroys 100s of cars it would be a burden on the insurance company to replace them all, so they’d have to charge you more. Since you don’t think that’s likely, you’ll take the force majeure exclusion and save a bit.
If you have a homeowner’s policy, you probably don’t want a …read more