Cyber insurance: safe in the knowledge
17 July 2017
In the digital era, virtually every business relies on IT infrastructure to manage core business operations, engage with customers and suppliers, protect and control assets and manage finances. If IT systems fail or are compromised, the business could be exposed to risks of business interruption, income loss and reputational damage, as well as claims and/or penalties.
As the number of cyber attacks escalate across the globe, many organisations are considering the extent to which such risks can be transferred into the insurance market. At the same time, the increasing number of incidents blamed on state-sponsored or terrorist groups, puts increased focus on exclusions for “acts of war” or “terrorism” and other potential restrictions on accessing insurance coverage for the consequences of cyber attacks.
In this briefing we provide guidance on common questions raised by businesses thinking about cyber insurance.
Is there now a developed insurance market offering insurance products covering cyber related risks?
The insurance market has responded to the growing number of cyber incidents by providing standalone cyber insurance products. The first cyber policies began to emerge from the market circa 2013. Various insurers now write cyber insurance – the wordings vary from insurer to insurer. Many wordings have been updated in recent times to reflect new risk exposures identified in the cybersecurity and cybercrime fields and claims experience.
Are we already covered under our existing suite of insurance policies?
It is possible that coverage may be available under existing insurances. For example, computer fraud is typically covered under crime policies. Some liability insurances may cover claims arising from infringement of rights to privacy over personal data. However, traditional forms of insurance were not designed to cover cyber risk. Many will either entirely exclude coverage for cyber-related incidents or limit the scope of coverage which is available for this type of occurrence.
Can you provide an example of why traditional insurance coverage may not respond to a cyber event?
A good example is a Property Damage/Business Interruption policy. This will typically be subject to a proviso whereby no coverage is available (including under the business interruption section) unless property of, or in the custody of, the insured has been “physically” damaged. In most cases this will not extend to data, software or other intangibles which are stolen, corrupted, deleted or inaccessible due to a systems failure or incident.
What are the basic components of coverage under a standalone cyber insurance policy?
It is important to reiterate that the coverage position will vary from policy to policy. Even small differences in the wording can have a material impact on the scope of coverage provided. However, most policies will feature a blend of first-party loss coverage (coverage for direct losses sustained by the business following a cyber event) and third-party liability coverage (coverage for claims and costs of regulatory action which follow an event).
Can you expand on the categories of loss covered under the first-party component of a cyber policy?
This will typically include coverage for direct costs within the following categories:
- Data breach notification and response costs -costs in complying with customer and regulator notification and other requirements under applicable data breach laws (and associated legal costs), costs in maintaining customer contact centres and costs of credit
- monitoring services following a data breach incident
- Forensic investigation and security costs – costs in engaging forensic consultants/security experts to investigate the root-cause of the incident and implementing recommended enhanced security measures, including movement of data to separate hosting platforms where susceptible to further attack
- PR/Crisis Management Costs – costs of managing media response
- Remediation and Rectification Costs – costs to repair, restore or replace affected IT infrastructure and data.
Often, if requested when negotiating the policy, insurers will be prepared to pre-approve the retention of preferred specialists and advisors. This avoids delay in having to agree rates with insurers following a cyber event when there are other priorities.
To what extent can the impact of a cyber event on our business revenues be covered under a cyber policy?
Most policies include ‘standard’ business interruption coverage, that is compensation for the decrease in anticipated profits or revenues during the indemnity period which are directly traceable to the cyber incident. This normally involves an adjustment process looking at the forecast financial information provided to insurers before the coverage is provided and other factors that may have affected the business during the indemnity period (but please refer to our comment below on other consequential losses).
Are there limitations on consequential losses which can be covered?
Most cyber policies are unlikely to cover indirect consequences of a cyber incident such as loss of share price, loss of future business opportunity, bodily injury or property damage where, for example, an explosion follows a failure of IT systems. Losses arising purely under contract (i.e. where there is no concurrent liability in tort or other legal basis) are also typically excluded from coverage. It may be possible to negotiate bespoke coverage for such additional exposures where this is requested from cyber insurers and as such it will be important to assess the specific requirements of your business in negotiating coverage.
Will the liability component of a cyber policy cover costs of pursuing those at fault for the incident?
Normally coverage is limited to costs of defending the insured from claims by employees, customers/consumers, trading partners and others affected by the data breach. Generally additional coverage for costs in prosecuting those at fault is not necessary. This is because, once insurers have paid out under the policy, any rights of the insured to seek compensation for losses reimbursed under the policy will transfer to insurers. It is then for the insurers to decide whether to pursue any claims to recover such losses.
Will fines and penalties be covered?
Fines and penalties, along with the costs of defending regulatory investigations and other proceedings, will usually be covered. However, it is common for a cyber policy to cover fines and penalties only to the extent insurable in the relevant jurisdiction. For example, in the UK, for public policy reasons, the Financial Conduct Authority has prohibited insurance against fines which it has imposed. Finally it will be important to ensure that financial limits (including sub-limits which reduce the amount of coverage for certain categories of loss) do not preclude the business from recovering the full amount of a fine or penalty (noting significantly greater sanctions under EU GDPR).
Does coverage extend to ransoms and cyber extortion?
Recent updates to policy forms incorporate coverage for payments made in response to threats of cyber interference or the introduction of ‘ransomware’ into systems. However, there may again be local law restrictions to consider. For example, in the UK recent amendments to the Terrorism Act 2000 make it an offence for an insurer to pay a claim where it reasonably expects that the proceeds of the payment may be used for the purposes of terrorism. This may mean that a UK insurer would refuse to make a payment where the ransom threat was linked to a terrorist organisation. Insurers may also seek to include express ‘War’ or ‘Terrorism’ exclusions in their cyber policies, although often the scope of those exclusions can be narrowed through negotiation. As payments will generally only be covered when pre-approved by insurers, in practical terms there will be a need to consult with insurers, as well as relevant authorities (e.g. the National Crime Agency/Police), before responding to any form of extortion.
Are there standard exclusions which limit the scope of coverage?
Exclusions are often included to avoid ‘double insurance’ (that is two different types of policy responding to the same loss). For example, a cyber policy may exclude all claims relating to Directors & Officers liability. Care must be taken that this does not create a gap in the overall coverage position (i.e. in the example provided, to check that the D&O policy does not contain a blanket cyber exclusion).
Can insurers refuse to pay claims on the basis that the organisation failed to maintain proper protections, procedures and controls?
Insurers have sought to introduce exclusions into their policies to this effect. Usually this type of exclusion can be removed or narrowed in negotiating the policy wording provided that insurers can get comfortable with the adequacy of systems of controls in the period before the policy comes on risk. As such it will be increasingly important to ensure that robust systems and controls are not only implemented but regularly tested, monitored and updated to respond to evolving threats.
Will insurers perform their own review of systems and controls?
For larger risks, insurers will seek to conduct their own audit or risk assessment of the proposed insured’s IT system and related procedures before offering terms for a policy. This may also lead to the insurer making its own risk improvement recommendations, compliance with which may become a condition of the provision of on-going coverage. In some cases it may be helpful to point to existing, industry recognised security standards (such as ISO27001 and SSAE16).
In outline, what is involved in the process of arranging a cyber policy?
This normally involves a phased approach. The first phase is to evaluate the cyber risk profile of the business – which can involve input from legal counsel and other experts. It is then usual to consider the adequacy of existing insurances to respond to risks identified. If the assessment is that there are gaps in coverage, consideration should then be given to a standalone cyber policy.