When it comes to cyber-attacks, does blame always equal a claim?

With a spate of high-profile cyber-attacks continuing to be reported and the arrival of new transparency rules such as GDPR, companies have been rushing to take out insurance against a breach.

The US market for cyber policies grew by more than a third in 2016, according to Fitch Ratings, hitting $1.35 billion, and looks set to continue expanding at a furious rate.

However, not all of these insurance customers are happy, and over the last year or two there have been a number of high-stakes disputes about whether or not the insurer is liable to pay out.

Earlier this summer, the National Bank of Blacksburg in Virginia, US, sued Everest National Insurance Company stating it should have paid out when the bank was hacked in 2016.

The claim was denied on the basis of two riders in the insurance contract. The first was a C&E rider covering losses which ‘result directly from an intrusion’, with a single loss limit of liability of $8 million.

The second was a debit card rider covering losses resulting directly from the use of lost, stolen, counterfeit or altered cards, with a single loss limit of liability of just $50,000 and an aggregate limit of $250,000.

And despite the ‘fact’ that the losses didn't derive from stolen cards – according to the bank, anyway – the insurance firm opted to pay out under the second rider alone, and also claimed that the two attacks amounted to a single event.

The bank’s total coverage, the insurance company argued, was $50,000.

Other companies that have failed to achieve the payout they expected include bitcoin payment processor BitPay, accounting firm Taylor & Lieberman, and debit card processing company InComm Holdings.

These cases, and the many more like them, illustrate the murky state of cyber insurance, and pose the question – who is liable?

“Regarding the lawsuit, it wouldn’t be the first bit of litigation,” Heidi Shey, a senior analyst at Forrester, told The Daily Swig.

She believes that organizations need to be more savvy about exactly what their policy does and doesn’t cover.

“I don’t think it’s a case of insurance firms being sneaky,” she said. “Cyber insurance is one way to manage risk, and it doesn’t mitigate all of an organization’s cyber risk.”

Some are concerned that the insurance industry has created a model that would be unsustainable in the event of a significantly larger breach.

Back in 2015, a report by Lloyd’s and the University of Cambridge calculated that if malicious hackers took control of the power grid from New York City to Washington, DC, the damage could be anything from $20 billion to $70 billion, costing the economy between $243 billion and $1 trillion. Payouts could exceed insurance companies’ ability to pay.

It’s no surprise, then, that insurers are doing their best to minimize the amount they pay out – and organizations should read the fine print very carefully.

“Surveys suggest that cyber is an under-insured risk,” comments Lloyd’s director of performance management. “Many more organizations believe that their existing insurance would respond in the event of cyber-attack than is likely to be the case.”