Cyber Insurance – getting to grips with the challenge
Cyber risk is real
Cyber breaches unfold within the hyper real time of our globally networked environment.
Your entire business can freeze in an instant, its revenue streams stopped dead.
Your customers, used to everything “on demand”, may walk away if you don’t fix things fast.
Your regulators will demand instant responses to leaks of confidential information.
Are cyber policies up to the challenge?
The cyber insurance market has been described as “like the Wild West” (“Insurance Business”, 1 November 2017).
You need to navigate the market, and its products, with care.
The dedicated, specific, cyber insurance market is in its infancy.
There are no agreed market-wide definitions or terminology.
The risks to be covered keep evolving, daily.
Your cover needs to match, and anticipate, these evolving risks and their potential consequences.
A short (and by no means exhaustive) list of issues to consider
Your specific cyber policy doesn’t exist in isolation
When considering the specific cyber cover you might want to buy, don’t forget that your existing policies might respond to a cyber event. Many crime policies refer to “electronic” and “computer” crimes and so may be triggered. You don’t want to pay twice for the same cover. Further, overlaps in coverage between policies may cause real problems when there is a claim. Which policy responds first? In the event of an overlap do the policies contain a provision that the highest of the potentially applicable retentions applies, whichever policy responds?
Your insurance protections ought to operate as a seamless, integrated whole. It is your job, not the job of insurers, to ensure that.
Mind the gap
This is the other component of the integration issue. If your specific cyber cover excludes, say, D&O liability then it is essential to ensure that any D&O policy you buy will protect against, for instance, a derivative claim against the board for failing to have adequate cyber security in place (directors have been repeatedly warned that cyber risk is a business critical issue, and not just an operational chore for the IT department, so will be a potential target for claims in the wake of a cyber incident).
But it’s important not just to look at exclusions. How do the relevant policy definitions compare and should they be harmonized? By way of example, does your civil liability cover treat outsourced back office services as part of “your” services covered by “your” policy? If it does, but that policy contains a cyber exclusion, then what if the definition of “insured” in your cyber policy is not as wide: who picks up the tab for a cyber liability derived from the back office operation?
Look the gift horse in the mouth
There is a lot to be said for policies which combine first party cover (your losses) and third party cover (your liability to compensate other people for their losses) as both aspects can easily be engaged by a cyber event.
However, the two forms of cover tend to be written on different bases.
First party cover is usually for incidents occurring or losses discovered during the policy period. Third party cover tends to be triggered by claims made during the policy period.
There is potential for a time lag between your discovering a cyber breach and a third party telling you that they have some claim against you because of that cyber breach. What if that time lag bridges two policy periods and the second policy excludes claims arising from prior known incidents? That may be fatal to cover for the subsequently made claim.
In short, it can’t be assumed that these two forms of cover will sit perfectly side by side in the same policy. They need to be harnessed together by careful drafting. Questions of aggregating losses derived from a cyber incident, not least to avoid problems with exclusions under a subsequent policy, need to be addressed.
Hidden conditions of cover
Agreed definitions of key terms are a standard feature of insurance policies. However, they can sometimes become more than a helpful source of clarity as to the subject matter of the policy. They can be a surreptitious source of hurdles that any claim has to overcome.
Imagine a policy that provides cover for “cyber attack”. Also imagine a definition of that term that not only identifies the nature of a cyber attack, but also requires that it be undertaken by a third party with “the specific intention of injuring the business of the insured”. Can that intent simply be inferred from the attack? If not, how do you set about establishing this fact given that you are unlikely to be able to append an affidavit from the hacker to your proof of loss? For all practical purposes such a hurdle may negate the cover you believe that you have.
For betterment or for worse
Insurance operates to provide an indemnity for what you have lost, it is not intended to be a source of cash for upgrades. One of the most contentious areas in insurance claims can be to what extent insurers have to pay to replace something when the replacement enhances what the insured previously had. When it comes to IT systems, which develop at a bewildering rate, the potential for arguments over betterment becomes intense: any upgrade or replacement system installed following a cyber incident is at the very least going to be an improvement by not being so vulnerable to whatever took down the prior system.
Prevention better than cure
With experience, many of the difficulties that might affect an insurance claim can be anticipated well in advance: simply reading the policy will identify a lot of them.
It is far easier to seek to negotiate those problems away at the time of entering into the policy – when the insurer is still keen to earn their premium – than once a claim has arisen and you, and potentially your insurers, are facing large losses.
This is true of any insurances but, given the uncertainty surrounding both risk and cover, is especially so in the case of cyber.
This post is intended to provide guidance of a practical nature but does not contain legal advice or advice as to what action you should or should not take specific to your insurance needs or those of your business, or with regard to any particular situation.