During the recent bank holiday weekend, which for many heralded the start of the half-term holidays, British Airways (BA) suffered a catastrophic IT failure, forcing it to cancel thousands of flights over the course of a number of days.
It is estimated that the compensation bill alone for customers’ expenses and rearranged flights could be as much as £150 million.
The airline blamed events on a power supply failure at a data centre near Heathrow Airport. When power was restored to the centre, a huge and uncontrolled power surge caused physical damage to BA’s servers, power units and distribution panels.
This particular incident was not a cyber-attack like the recent WannaCry ransomware attack experienced by organisations worldwide. However, the losses arising from either a cyber-attack or an IT system failure, such as that which affected BA, are similar and can include damage to reputation, business interruption losses, the associated costs of rectifying physical damage to servers and systems, and compensation to those affected. If personal data is lost or exposed as a result of a cyber incident, a business may face fines from regulatory authorities such as the Information Commissioner’s Office (ICO) and will be responsible for the cost of defending any data breach investigations.
Indeed it is not just BA which has experienced large losses arising from IT system failures. In August 2016, Delta planes around the world were grounded when a transformer providing power to the airline’s data system failed. It is suggested that Delta lost USD$100 million in revenue as a result of the outage.
In July 2016, Southwest Airlines also suffered a system outage as a result of a failed network router. Southwest is understood to have been able to claim its losses, estimated to be between USD$50m and USD$85m, on its cyber insurance policy with AIG because the wording did not specify that a system outage would have to be caused by a cyber-attack.
It is easy to see from BA’s experience how quickly vast losses can accumulate, and yet it has been reported in the insurance press that BA had no cyber insurance in place.
Indeed, it seems the same is true for businesses across the board, which are either ignorant of the existence and potential benefits of cyber insurance or uncertain about the nature and extent of their purchase as they struggle to understand the complexities of cyber-related exposures and the variation of products on offer.
However, any business, whether large or small, which utilises a network is vulnerable to both cyber-attack and system failure, and it is clear that most of today’s businesses would suffer losses if their own or their supply chain computer networks failed.
Traditional property and liability policies require physical damage before business interruption losses are covered. As a result, policyholders who rely on their existing general insurance policies for cyber cover will find large coverage gaps in the event of a loss.
To date, the majority of stand-alone cyber insurance policies have offered cover for data breaches including the cost of forensic mitigation and rectification, associated third party liability costs and the cost of regulatory investigations. However, more insurers are now offering stand-alone products providing cover for cyber business interruption events where there is no physical loss. Such policies will usually cover cyber business interruption losses, privacy breach costs (i.e. the costs associated with notifying customers and dealing with regulatory investigations) and also the cost of forensic incident response.
With the introduction of the General Data Protection Regulation (GDPR) in May 2018 and, of course, the constantly changing face of cyber threats, businesses will become vulnerable to ever greater losses and should ensure that they engage the services of specialist brokers who understand their business, the scope and extent of cover available and the implications of a cyber incident.
The right insurance broker should be alive to the increasing need for organisations to consider cyber risk insurance and should encourage organisations to carry out a full cyber risk assessment which will assist in quantifying the potential losses from a cyber-attack or incident and identifying what kind of insurance product or coverage is optimal.
It is clear that the wording and exclusions of any existing general insurance policy should also be carefully scrutinised to determine the level and extent of the protection it may offer in the event of a cyber loss. The interpretation of policy wording and exclusions in both general insurance and stand-alone cyber policies may well become the subject of litigation in the event that insurance providers refuse cover. Until such time as insurers adopt standard form wording for cyber policies, businesses may also wish to seek legal advice in an effort to negotiate appropriate terms with insurers or to determine the potential extent of coverage in the event of a loss.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.