When Hackers Strike, Property Insurance May Not Offer Protection By Will Hadfield and Nate Lanxon

Some policies written before cybercrime became rampant have outdated terms that can leave companies exposed. Companies used to rely on property insurance for cyberhacking claims. Insurers are balking at paying out claims for hacks and encouraging customers to take out separate cyberpolicies.

When Mondelez International Inc., the maker of Oreo cookies and Cadbury chocolate, suffered a malware attack in 2017, it thought the property insurance policy it had taken out years earlier with Zurich Insurance Group AG would help cover the more than $100 million in losses Mondelez estimated it had suffered. Zurich saw things differently. The insurer classified the attacks, which also hit servers of several other big companies as an act of war. Since the Mondelez policy has a clause that excludes acts of war, the insurer denied the claim.

Insurers are seeing an increasing number of claims for damage inflicted by hacks under general property policies. American International Group Inc. said it received as many cyber-related claims in 2017 as it did in the four previous years combined. Insurers are encouraging customers to take out separate cyberpolicies or add clauses to existing property coverage. The market for cyber insurance will expand to $9 billion in annual premiums next year, more than double the level in 2017.

Many companies have long-standing property insurance policies that offer a payout if a cyberattack results in physical damage, but they may not cover financial damage. Many of those policies were bought years ago, before cyberattacks became almost routine, and the terms and conditions haven’t been updated, according to Lori Bailey, Zurich’s global head of cyber risk, talking about the overall market for cyber insurance. That creates uncertainty for insurers and policyholders.