It’s time to shift the market dynamic in cybersecurity coverage

In addition to claims for business interruption and remediation costs, insurers may also expect to defend costly lawsuits and face insureds seeking coverage for administrative fines related to cyberattacks. (Photo: Shutterstock)

The cost of cybersecurity incidents to insurers has continued to skyrocket, reflecting the rapid pace and growing sophistication of cyberattacks. The financial stakes also are unprecedented, with as much as $21 trillion of worldwide economic-value creation at risk over the next five to seven years, according to McKinsey research.

Insureds’ claims for business interruption and remediation costs alone are already significant. Following the 2017 NotPetya ransomware attack, Zurich American received a $100 million claim from international food conglomerate Mondelez, and American International Group (AIG) received a $1.3 billion claim from pharmaceutical giant, Merck. In both cases, insurers denied coverage based on the “act of war” exception, and ongoing litigation will determine if cyberattacks perpetrated by state or state-linked actors are subject to that exception.