Eirini Efstathiou

Covid-19, Malware & Cyber Insurance: shielding against cyber attacks

The digital environment turned into a safe haven for all once the pandemic hit, serving as the only conduit for a sense of normality while the world was ploughing through unknown territories. This safe haven, however, also led to an inevitable rise in cyber threats; the threat of malware, ransomware, and cyber hacking has become more prominent in the digital landscape. IBM reports that the average cost of a data breach amounts to £2.8 million, as of 2020. In an attempt to create a shield against the unknown, companies turn to cyber insurance.


The threat: Malware, ransomware, and cyber hacking

Any one person or company may fall victim to a cybercrime. Cybercrimes range from malware and ransomware to hacking. Covid-19 showed the world how criminals can actively take advantage of any vulnerability which society may face, while the pandemic exacerbated the overall threat landscape even further. As an example, cyber security company Barracuda Networks observed an immense growth rate in phishing emails using the pandemic as a theme, from just 137 in January 2020 to 9,116 by the end of March 2020.

Malware is often encountered through phishing scams. It is a form of malicious software which can install itself on a computer’s system, often finding a host by exploiting software vulnerabilities. The danger of malware is that once it is installed, the perpetrator has the freedom to spy on online activities, and even steal private data. Over the past year, cybercriminals have taken advantage of the widespread global communications on Covid-19 by embedding malware, spyware, and Trojans in interactive coronavirus maps and websites.

Ransomware is a more ‘niche’ malware, which attacks a computer system and encrypts data. Following this, the perpetrator blackmails the victim by demanding a ransom payment, in exchange for the return of the victim’s data. The past year saw a trend in the theft of data and threats to leak sensitive information by cybercriminals. Ransomware attacks have become more sophisticated, targeting public and private organisations through ‘victim reconnaissance’.

Cyber hacking is different from both malware and ransomware. It involves the partial or complete acquisition of a computer system or certain functions within it, with the purpose of gaining access to important data. With 5G increasing the bandwidth of connected devices, devices across the board are even more connected, and it is hence predicted that they will become more vulnerable to cyber attacks in 2021.

The victims: Hospitals and insurance companies

Victims range from Twitter, which suffered a breach that targeted 130 accounts, including those of past US presidents and Elon Musk, to Marriott hotel, which suffered a security breach in 2020 that impacted the data of more than 5.2 million hotel guests.

In the case of hospitals, medical centres and public institutions, cybercriminals observed an opening to target them in a series of ransomware attacks, with the hopes that the overwhelming health crisis would not allow them to afford being locked out of their systems. Ransomware may be deployed to enter systems through emails containing infected links or attachments, compromised employee credentials, or by exploiting a vulnerability in the system [1]. The highest loss suffered as a result of ransomware in the past reached a cost of £36.5 million, as reported by Hiscox.

Interestingly, a recent anonymous interview with the ransomware gang REvil revealed that the group specifically targets firms who have taken out insurance against ransomware attacks, with the presumption that the corporate victims are more likely to pay the ransom as a result. The interview revealed that in a series of hacks, the group first hacks insurance companies to reveal their customer base, and then moves to the customers themselves.

The shield: what is Cyber insurance?

As cyber threats have increased, so has investment in ‘cyber readiness’. The Hiscox Cyber Readiness Report 2020 indicated that firms increased their cyber security spending by 39% compared to the previous year, landing at an average of £1.5 million. Turning to the highest recorded annual loss for any one company as a result of a cyber security incident, the figure sits at $87.9 million suffered by a UK financial services firm, while total cyber losses by affected firms from cyber security breaches amounted to $1.8 billion.

Business insurance is used to cover a company for financial losses, in the case where anything goes wrong as a result of the business’ activities. The insurance can help towards the cost of compensation claims and legal fees, and may also help in the case of damage to property or employee-related issues. When it comes to protecting information within the cyber space, companies have the choice to either rely on the cyber cover within a general policy, or take out a standalone cyber policy.

Cyber insurance policies insure a business from cyber threats, including threats such as data breaches, or malicious cyber hacks. Most cyber insurance policies operate by covering first-party and third-party financial and reputational costs, in instances where data or electronic systems are lost, damaged, stolen or corrupted, as a result of the cyber-attack. Most importantly, cyber insurance often provides services such as IT forensic response, crisis communication, legal advice, and even credit card monitoring.

Such policies are particularly useful for businesses which use, send or store electronic data. In the case of ransomware attacks, a caveat of cyber insurance is that although it may cover costs, it does not guarantee that data stolen will be destroyed once a ransom has been paid. What is more, cyber-insurance providers may encourage victims to pay ransoms, with the hopes that the costs will be later claimed through their policies [2]. It is therefore easy to fall into a vicious cycle.

The intricacies of cyber-attacks are reflected in that companies are called to scrutinise the drafting of insurance policies, along with any exclusions within them. For example, some policies do not cover financial loss as a result of email compromise fraud. It is essential for companies to adopt an information security perspective to capture any risks which may be encountered down the line, and which apply specifically to their business model, processes and systems [3].

A cyber-insurance policy does not, therefore, protect against cyber-attacks, but instead it minimises business disruption and provides financial protection before and after an incident.

Case study: the Mondelez International, Inc. v Zurich American Insurance Co. case

In the ongoing case of Mondelez v Zurich, Mondelez International Inc brought a claim against Zurich American Insurance Co. for refusing to pay out on a claim for losses sustained due to the 2017 NotPetya cyber-attack – considered the ‘most devastating’ cyberattack in history. While Mondelez held an all-risk property insurance policy with Zurich, the policy included a “war exclusion”. Such exclusion is often included in policies to avoid immense losses as a result of war, and in this case, the insurers disputed the coverage based on the war exclusion, claiming that the ransomware attack was an “act of war”.

The NotPetya attack is believed to have been an action by a government agent, with some sources linking it to Russia. Mondelez, the policyholder, believing that it bought broad coverage for ransomware attacks, found itself suffering losses of $100mn, and facing an insurer who refused coverage [4]. Although the case is still in its early stages, it highlights the challenges that may be faced by policyholders in aptly capturing potential risks in their policy, and in ensuring that their intentions are clearly communicated to the insurance broker when purchasing cyber insurance; in a legal landscape, small changes in wording can play a crucial role in coverage.


Accenture reported that almost 80% of organisations are introducing digitally fuelled innovation faster than their ability to secure it against cyberattacks. With new cyber threats emerging on a daily basis, cybersecurity has become a commodity for companies and businesses across the world. Regulations such as the GDPR have aided in keeping data classification and governance up to par. Nonetheless, the focus now turns to companies and whether they will act smartly in investing in secure systems, and a strong shield of cyber insurance.