An interesting article from the New York Times recently noted that some insurance firms are declining to cover damages from cybersecurity breaches — under the logic that those breaches were acts of war by foreign governments, rather than criminal acts by individuals, and are therefore not covered by a corporation’s cyber insurance policies.
The article cites the example of food business Mondelez International, which fell victim to the NotPetya cyber attack in 2017. As the article recounts:
Laptops froze suddenly as Mondelez employees worked at their desks. Email was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed. Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.
Then came insult after injury: Mondelez’ insurance firm, Zurich Insurance, declined to cover the losses. Zurich cited the “war exclusion” — a standard clause in the insurance world that exempts insurers from covering damages caused by war. When the Trump Administration declared Russia responsible for the NotPetya attacks last year, that allowed Zurich and other insurers to cite the war exclusion and deny coverage to NotPetya’s victims.
Not surprisingly, Mondelez was displeased with this decision and took Zurich to court in Illinois. Merck, another victim of NotPetya, filed a similar lawsuit against its own insurers in New Jersey.
Those are the titans of Corporate America sparring over this issue, but smaller businesses can’t avoid the headache either. Just last week, Orrstown Financial Services, a community bank in the middle of Pennsylvania with $1.9 billion in assets, reported that it had been victim of a phishing attack in 2017, which ultimately cost the bank $765,000 to remediate.
Yet when Orrstown filed a claim of $615,000 with its insurance company, Wesco—
[T]he Company has been notified by Wesco that the claim has been denied in its entirety. The Company believes that the basis for Wesco’s denial is improper and intends to assert its rights to coverage of the expenses… Pending resolution of its insurance claim, the Company has recorded a pretax expense of $615,000, or approximately $0.05 per diluted share, in its first quarter results for 2019.
Orrstown typically has pretax earnings of $4 million to $4.5 million per quarter, so that phishing attack hurt. The insurance dispute will hurt too.
Planning for Disappointment
Ultimately, questions about sufficient insurance coverage are more the responsibility of the CFO, corporate treasurer, or the general counsel, rather than the chief compliance officer or the internal audit function. Moreover, questions about whether cybersecurity attacks are acts of war rather than acts of crime are destined for review in courts and Washington, far above the CCO’s pay grade. Still, two points come to mind about how the risk of insufficient coverage might spill onto your plate.
First, this risk drives up the importance of assessing potential damage correctly. For example, at an upcoming conference on cybersecurity where I’ll be moderating a panel on governing cyber risk, we include a polling question for the audience: How long could your company survive a critical systems outage before experiencing financial loss?
That’s a great question. In our panel, we offer answer choices of anywhere from less than an hour to more than one week. Within your own organization, you need to be able to answer that question at a theoretical level before an attack comes; and also at a practical, dollars-and-cents level after the attack strikes. Without that ability to assess potential and actual harm, the company can’t even begin to have spats with its insurance firms about who covers what.
So audit, IT security, and compliance functions need to understand how strong their capabilities are on this point. The company will need that capability eventually.
Second, some internal control issues arise from the higher risk of denied coverage. Audit teams should anticipate that.
For example, when Orrstown filed that claim of $615,000 with its insurance firm, Orrstown assumed that claim would be paid, and therefore carried it as a receivable asset on its balance sheet. When Wesco denied that claim, Orrstown had to reclassify the item as a $615,000 cost on the income statement.
So if I were a sleazy executive looking to fudge the company’s numbers to meet quarterly expectations — this would be one way to do it. I’d keep that claim on the books as a receivable, even if I knew a denied claim was looming, to inflate company assets and lower costs.
After all, fiddling with accounts receivable is a time-honored way to commit fraud. Management has considerable discretion with estimates about what’s truly receivable and what should be written off. In a small business like Orrstown, killing off that single $615,000 receivable can be material to earnings. Heck, even the $100 million Mondelez is seeking from Zurich Insurance is 3.5 percent of Mondelez’s 2018 pretax income, which strikes me as material too.
Auditors need to appreciate what’s happening here: the changing nature of cybersecurity risk is also changing the fraud risk you might face with unethical company executives.
To what extent? That’s hard to quantify, and likely depends on each company’s own circumstances. But auditors should be aware of that shifting cybersecurity landscape, and its implications for your fraud risk assessment.
That’s the new way that cybersecurity is driving us all crazy today. Something tells me it won’t be the last.