The rapid growth of mobile internet devices, and the use by organisations across all industry sectors of information technology infrastructures to handle electronic data, give rise to an ever-increasing risk of data breaches caused by malicious attacks, human error or accident.
Indeed the potential for physical damage (damage to property, equipment, supply chains, etc.), bodily injury and business interruption stemming from cyber attacks or incidents seems ever more likely.
A very recent example of a cyber attack with the potential for physical damage and/or bodily injury was the successful breach last month of Fiat Chrysler’s in-car system, uConnect, which allowed hackers to take control of a Jeep on the highway, prompting the recall of 1.4 million vehicles in the United States. A remote hijack vulnerability of this kind can result in a hacker remotely operating the brakes or even shutting off the engine, the consequences of which are potentially extreme.
Cyber threats change rapidly, making it almost impossible for individual organisations to keep their defences ahead of the game. Part One of this blog, published in June 2015, noted that approximately 52% of CEOs of large organisations believe that they have cyber cover, whereas the reality is likely to be closer to 10%.
However, despite these statistics, and the considerable risk posed by cyber breaches, the UK insurance market has yet to catch up with the current risk and coverage can be limited and is often inconsistent.
Conventional Insurance Policies
Coverage of cyber risks can be problematic under conventional policies, which have not traditionally been designed to protect policyholders against cyber risks. Indeed, in light of the increasing threat from cyber breaches, some conventional insurance policies have introduced cyber exclusions.
The recent Government Report on Cyber Security identified a number of cyber exclusions and gaps in traditional insurance policies including:
| Insurance Product | Main Type of Loss Covered (Primary Objective of the Cover) | Potential Gap of Cover for Cyber Perils |
|---|---|---|
| Property | Physical asset damage (First-Party) | Exclusions removing cyber attacks and explicit coverage triggers for physical-asset damage. Damage to software and data not covered (as deemed an intangible form of property). |
| Business Interruption | Lost revenues and additional costs incurred (First-Party) | Traditional policies are not triggered by cyber attacks that do not cause physical damage. |
| General Liability | Third-party liabilities for physical property damage, bodily injury, and advertising injury (i.e. liability claims arising from published content, including violation of privacy) | Exclusions relating to unauthorised disclosure of personal information. |
| Errors and Omissions / Professional Indemnity | Third-party liabilities arising from the performance of professional services | Cover may be restricted to liability claims from customers only, which is why claims for disclosure of employees’ data are often not covered. Several exclusions might apply (for example, computer virus transmission). |
Source: UK Cyber Security Report HM Government
Traditional property and business interruption policies offer First Party insurance, providing payment when the policyholder’s own property suffers damage or loss. First Party cyber risk exposures can include:
- Loss and damage to digital assets/networks
- Business interruption from network downtime
- Cyber extortion
- Reputational damage
- Theft of money, digital assets or intellectual property and restoration costs.
Third Party liability policies cover the assets of others including:
- Security and privacy breaches – associated investigations, defence costs and civil damages
- Multimedia liability to cover investigations, defence costs and civil damages arising from breach of privacy, defamation or negligence in publication of electronic or print media
- Loss of third party data
- Regulatory fines and penalties.
Whilst a company’s property and general liability policies may well indemnify some or all of the First and Third Party losses following a cyber event, it should be borne in mind that such policies are not naturally designed to give true cyber cover, and the scope and nature of any such coverage may well depend upon the construction of the policy wording. Indeed, the question of whether damage to data constitutes property damage remains uncertain, although some U.S. courts have held that data does constitute tangible property.
An added issue is that traditional policies will not usually provide the level of cover required to deal with losses arising from a large scale cyber peril, so in the event of a loss organisations will simply find themselves either underinsured or without cover altogether, leaving them exposed.
Cyber Legislation
The introduction of legislation in a number of US States, making notification of a cyber breach mandatory, has contributed to the growth of cyber liability cover.
Whilst such legislation does not yet exist in the UK, the proposed EU Cyber Security Directive, if implemented, will force larger companies to notify their insurers and/or regulators every time a significant data breach/incident occurs, whether or not there has been unauthorised access to or loss of data. It is proposed that any breaches of data laws will attract fines, and such regulatory changes are expected to increase demand for stand alone cyber insurance policies, with insurers paying even more attention to an organisation’s risk profile when offering cover.
Specialist Cyber Cover and Insurance Considerations
Whilst there are now a number of stand alone cyber insurance policies on the UK market, the development and uptake of such products has been slow. Even now, although stand-alone policies offer more robust coverage, risk managers should be alive to the fact that there is no standard policy cover and some policies continue to expose policyholders to certain types of cyber breaches.
The recent Government Report on Cyber Security reported that pricing for cyber cover is three times higher than for general liability cover and six times higher than for property. It is thought that the current pricing structure may be driven by uncertainty over the risk and the fact that this is an emerging market.
What is clear, however, is that prices will be pushed down as the market for such products develops and underwriters begin to benefit from a growing pool of relevant data.
That said, with the right advice from a specialist insurance broker, it is possible to identify policies which cover most risks, including:
- Business interruption from network downtime resulting in loss of income, increased cost of operation and/or costs incurred in mitigating the loss
- Physical asset damage (at the moment there are a limited number of insurers providing stand alone cover for this type of cyber risk)
- Reputational damage – crisis management, PR costs
- Loss or damage to data – costs of expert reconstitution if data or software is deleted or corrupted
- Cyber extortion
- Investigation costs of third party privacy breaches
- Regulatory fines and penalties.
Uninsurable risks include death and bodily injury, which may be covered to a degree by general liability and employer’s liability products, and losses associated with intellectual property theft and espionage, which are deemed to be extremely difficult to prove and quantify.
Cyber Risk Insurance Terms and Quantification – Getting it Right!
As with any insurance product, it is important that a broker assesses an organisation’s demands and needs with a view to placing adequate insurance. With this in mind, I outline several issues pertinent to cyber insurance which risk managers and brokers should be alert to:
- As noted in Part One of this blog, any regulatory requirements and the implementation of the Government Cyber Essentials Scheme are likely to be taken into account by insurers when assessing an organisation’s risk profile. Businesses should therefore start to establish credible risk assessments and management of cyber risks to ensure they are eligible to apply for the appropriate insurance products.
- When assessing the level of cyber cover required, and to avoid under-insurance, risk managers need to consider the entire financial impact that any cyber peril will have upon business operations, taking into account associated forensic investigations, restoration of data and systems, corrective IT measures, notification costs, legal fees, downtime for operations and reputational damage.
- Particular attention should be paid to “waiting periods”. A waiting period is the amount of time which must elapse before insurers will begin to pay any business interruption losses incurred. In conventional policies waiting periods can range from 24 to 48 hours, yet some businesses may experience significant losses within minutes of a data breach occurring because of the immediate nature of data transactions.
- The rapid evolution of cyber risks means that risk managers and insurance brokers should also ensure that policy definitions do not limit cyber cover to named cyber risks, which would exclude different forms of future breaches.
- It should also be noted that if acts of terrorism are excluded from cyber policies, this could potentially give rise to coverage issues when determining whether acts such as “hacking” attacks constitute terrorism.
- Advising insurance brokers should be alive to the increasing need for organisations to consider cyber risk insurance and should encourage organisations to carry out a full cyber risk assessment which will assist in quantifying the potential losses from a cyber attack or incident and identifying what kind of insurance product or coverage is optimal.
Whilst it is possible, with the right assistance, to cover cyber risks adequately, the fact that the cyber industry is rapidly developing and highly complex means that disputes over policy wording, and over the arrangement of appropriate cover when claims arise, are still likely to be prevalent over the coming years.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.