Thursday 17 January 2019 6:36 pm

Flawed cyber insurance policies could lead to years of litigation

The majority of cyber insurance policies on the market are riddled with flaws and may not pay out in the event of a data breach or hack, according to new research.

A review by insurance governance company Mactavish of dozens of off-the-shelf cyber policies identified a litany of flaws.

Mactavish chief executive Bruce Hepburn said: “Very few claims have been made on these new cyber insurance policies, but my bet is that many will be disputed, or settlements will be much lower than clients expected.”

Confectionery company Mondelez is currently fighting a legal battle against its insurer Zurich after the latter refused to pay out following the NotPetya attack in 2017 that also affected companies such as shipping giant Maersk and law firm DLA Piper.

Mondelez made a $100m (£77m) claim, but Zurich refused to pay, arguing that the hack was an act of war by Russia targeting Ukraine.

The research said that common flaws in cyber policies include limiting cover to events triggered by attacks or unauthorised activity, excluding cover for incidents caused by omissions or errors and limiting data breach payouts to a strict legal minimum and providing system interruption cover only for the time the systems are down.

Robert Smart, technical director at Mactavish, said that cyber was such a new insurance line that many policy clauses had not yet been tested in court.

“Cyber is a new product, the wordings haven’t been tested and it has been pushed out very quickly and some of those rough edges haven’t been litigated out,” he said.

Smart warned that policyholders making large claims after cyber incidents could face major difficulties.

“I think most people that have a big claim in the next couple of years will be in for a nasty shock,” he said.