Cyber insurance – are you covered?
Locations
With all this in mind, it is worth having appropriate cyber insurance in place. Cyber incidents can have a large financial impact, ranging from the costs of investigating and remediating the breach, through to regulatory notifications, investigations and fines, and even (in some extreme cases) ransoms that might need to be negotiated and paid.
Clearly there are benefits to having a comprehensive cyber insurance policy in place. Businesses are under huge financial strain due to the current pandemic. It will remain crucial for businesses to have access to the resources required to respond to a cyber incident and to have insurance for the liabilities that may arise.
But cyber insurance does not cover everything. The scope of cover and exclusions in insurance policies are usually very carefully drafted and can often contain a number of pitfalls for the insured.
Here are some of our top tips on cyber insurance:
1. Make sure you have specific cyber cover
There have been a number of high profile cases involving insurance cover that did not expressly cover or exclude cyber risks. This so-called 'silent cyber' or 'non-affirmative' cyber cover has made the headlines on various occasions, including in Mondelez International, Inc v Zurich Insurance Company, in which a dispute arose as to whether or not property damage resulting from a Notpetya cyber attack was covered. In the UK, the Prudential Regulation Authority wrote to all general insurance firms' Chief Executives in January 2019 expressing the need for firms to manage unintended exposure to non-affirmative (or silent) cyber risk. Businesses should have specific cyber insurance in place, if they expect to have cover at all.
2. GDPR-related liabilities are not thoroughly covered
Cyber policies tend to provide cover for liabilities that arise out of personal data breaches. However, cover rarely extends to regulatory fines and does not always extend to the costs of handling and managing regulatory investigations. Often only compensation due to data subjects arising out of a personal data breach is within the scope of cover. Other privacy violations are typically excluded. It is essential to understand what GDPR-related liabilities are and are not covered by insurance so that practical mitigations can be adopted where required. Particular consideration should be given to regulatory fines that may arise under the GDPR, as their potential scale is often the very reason why businesses seek cyber cover at all.
3. Cloud services are often not included in the description of the computer networks and systems that are covered
Most insurance policies will provide cyber cover for the insured's computer networks and systems. However, the definitions do not always extend to cloud-based services that the insured might use. For a data controller, a data breach will be serious whether or not the data is compromised on its own systems or on a third party's system. It can, however, make a difference to cover. It is critical for businesses to consider carefully how their cyber insurance policies will be interpreted on this issue and that additional endorsements are sought from the insurer if required. Many cloud vendors accept very limited liability for failings associated with their services and so insurance cover is vital for cloud security failures. This is perhaps more important than ever given the extensive use of cloud services during the pandemic.
4. Consent is often required before expenses are incurred
Where insurance cover is provided for expenses, including those that might be required to recover from an incident, consent from the insurer is often required before they can be incurred. This can cause problems when insureds are focused on trying to recover from a cyber incident. So it is preferable to provide notice, rather than to seek consent, when dealing with cover for recovery expenses. If insurers insist on their consent being required, then diligence should be conducted into their ability to respond quickly when consent is requested.
5. Sums payable under contractual indemnities (for example, in customer contracts) are typically excluded
Most insurance policies exclude coverage for liabilities that are voluntarily assumed by the insured. This includes liabilities assumed under contractual indemnities that would not have otherwise arisen at law. It is important to identify where this risk may arise in supplier and customer contracts and, if necessary, to seek endorsements or confirmation of cover from insurers for specific indemnities, if possible.
6. Beware of the level of cover and the value of excesses or deductibles
Clearly the maximum cover is critical for an insurance policy. While liability policies are usually covered on a 'per claim' basis, often cyber insurance contains aggregate annual limits on cover. This can often mean that a policy may only respond fully for one major event, leaving the insured exposed to other incidents that might arise within the same period of cover. In addition to aggregate limits, there are sub-limits on specific cover that are usually lower than the overall aggregate limit. For example, the costs of replacing IT systems might have a specific cap that is only a fraction of the aggregate limit on cover under the policy. Likewise, costs of recovering from an incident might be limited by the amount of business interruption loss that has been avoided or prevented. Finally, the value of excesses or deductibles that the insured must incur itself before the policy will respond is important to understand. Often real cover will only be offered for material incidents, leaving other liabilities on the insured's balance sheet. It is important to work with your broker to ensure that you have an appropriate level of cover.
7. Terrorism cover often excludes cover for cyber incidents, but cyber cover excludes liability for terrorism and war
There have been various high profile claims that have arisen out of cyber incidents in which insurers have raised a 'war' defence. This is understandable with so much state-sponsored cyber crime. Insurers also offer cover for terrorism, but those policies typically exclude cyber incidents in order that cyber claims are channelled via cyber policies. While some acts of cyber-terrorism may be covered in cyber policies, often the cover is very specific, leaving gaps where the more general exclusions for war and terrorism might enable insurers to wriggle out of paying claims. Seeking specific endorsements for threats that might otherwise be excluded might be necessary to ensure that comprehensive cover can be obtained for cyber incidents.
These are just some of the key issues to consider when purchasing cyber insurance. While there are a number of pitfalls, having cyber cover is usually worthwhile. It helps many businesses to recover from cyber incidents and, anecdotally, we often hear that the majority of cyber insurance claims relate to costs of recovery. Likewise, the majority of cyber insurance claims are paid out by insurers. That said, cyber insurance is just one component of protection that businesses should have in place as part of their cyber preparedness. Insurance will not cover everything and taking the right practical steps to prepare for and respond to cyber incidents is more important than ever.