Cyber insurance has been with us now for more than 20 years and is so front of mind these days, for most people and organisations, that it is easy to forget that it is still an emergent and evolving class of business. It’s also one of the fastest growing markets in the global insurance industry's current book of business – and the hardest of hard insurance markets, one that is unlikely to soften any time soon.
A key cause of this has been the recent growth in so-called "double extortion". In a traditional ransomware attack, criminals encrypt and copy a target company's confidential data, then charge a ransom for the key needed to decrypt it. Criminals have now extended their model to charge a second ransom for not publishing the sensitive information at large. Backup files are also frequently compromised, typically by malware planted earlier and activated at the same time as, or immediately after, the primary attack.
That combination of fluid, evolving parameters, inventive criminals and a hard market makes assessing your particular needs from cyber risks insurance, and what you must consider, challenging but not impossible. Here’s what you should be thinking about.
Do I even need cyber risks insurance?
The first two questions to ask are:
- what are the primary loss events to which your cyber risks insurance responds; and
- does any of them constitute such an existential threat that if it actually occurred, the business would not survive anyway with or without insurance?
If the answer to the second question is “yes”, then unless you have a legal reason to have cyber risks insurance, it is not worth trying to insure against the risk in question and the money you would need to spend to do so could be better employed in mitigating it. Even if that answer is “no”, you will still have to make a commercial decision about the costs of the premium plus risk reduction measures, and whether they make the insurance uneconomical.
What does (and should) cyber risks insurance cover?
The recommended touchstone for evaluating a cyber insurance contract is that it provides business interruption coverage as wide as that available under first party property policies in cases of damage or disruption to a critical piece of insured property or business infrastructure owned by:
- the Insured;
- a customer of the Insured; or
- a utility supplying an essential service.
It is not necessary that the same policy language be used, but from an accounting perspective the basis of settlement needs to be similar.
Insurance contracts can vary widely even within line and business class, but most will have these main heads of coverage:
- privacy/data breach, notification, remediation and compensation obligations;
- regulatory reporting and effect mitigation requirements.
Direct financial loss
- extortion (ransomware);
- embezzlement or external crime;
- data recovery costs;
- business interruption.
Emergency incident response
- social engineering and funds transfer fraud;
- contingent business interruption;
- Payment Card data breach liability.
Each of these covers will usually have a separate insuring clause or sub-clause, along with its own suite of definitions, specific exclusions and operational requirements.
Am I already covered with my other business insurance policies?
In practical terms there are two broad, recognised categories of Cyber insurance: Embedded Cyber and Standalone Cyber.
"Embedded Cyber" can refer simply to the extent to which coverage for communication, data-processing and storage-related losses may already be provided, intentionally, under a business's property, liability and financial insurances (for example, the physical damage to computer hardware caused by a fire). But this only goes so far; if there’s no physical damage, it might not respond to losses caused by (for example) hacking.
By contrast, Standalone Cyber is the suite of dedicated insurance products which the industry has evolved and which are normally purchased as free-standing insurance products. Consistent with the insurance industry's usual penchant for fostering confusion through loose usage of terminology, the adjective "embedded" can often be found applied to a "standalone" cyber insuring clause which does not in fact stand alone but is packaged up with other line insuring clauses as part of a bundled contract. Either way, this cover will have two parts:
- First Party (Direct Loss) – the direct, out-of-pocket costs the Insured wears when its systems are breached by a malicious actor but there is no physical damage; and
- Cyber liability cover – this indemnifies against claims for damages or other compensation made against the Insured arising out of a covered event, for resultant third party losses not made good by restoration of access and data, including the legal and associated costs of investigating, defending and resolving them by judgment, award or negotiated settlement.
The critical thing is that insurer and Insured both understand and clearly agree just what types of events and losses are being covered under the cyber insuring clause, for what amount(s) and on what terms, and therefore are presumptively excluded from all the other heads of cover. A vital consideration is the policy’s definition of Computer Systems – whether it extends to personal electronic devices of the Insured’s employees or contractors used in connection with the business, and cloud servers not actually owned or leased by the Insured.
What must I do to mitigate my cyber risk?
One common feature of insurance contracts generally, “risk mitigation terms”, has some particular complexities in a cyber context. These terms, assuming they are complied with, presumptively diminish the probability and/or magnitude of covered losses. They may be expressed as so-called “conditions precedent” or “warranties”, purporting to mean that if the policyholder does not comply with them, the insurer may refuse a claim outright regardless of whether the failure had any effect on the likelihood or magnitude of the loss.
There are some complex issues with how these terms can play out which are beyond the scope of this article. Given the importance of risk mitigation obligations, especially in cyber class policies, it is likely that as the market hardens insurers will try to exclude, to the fullest extent legally possible, any statutory provisions which might diminish their effectiveness. Insureds will therefore be well advised to proceed on the assumption that all of the cyber risk mitigation measures which the policy requires them to have and maintain over the period of insurance are fully enforceable obligations, breach of which may compromise their insurance coverage and/or their ability to recover a claim, in addition to any other consequences it may have.
Cover for business interruption
The policy's definition of "business interruption loss" should encompass revenue lost due to the breach, fixed costs to the extent they continue to be incurred despite it, the forensic costs of restoring full productivity and any additional operating expenses imposed as a result. As indicated above, the method of calculating income lost due to the breach is critical.
Key exclusions from cyber risks insurance
In addition to the usual range of exclusions found in most insurance contracts, there are some exclusions commonly found in cyber policies that appear to be specific to the class:
- unlawful gathering and/or distribution of information, especially Personally Identifiable Information, where it is done deliberately by or on behalf of the Insured and not the result of a Cyber Breach event;
- unlawful surveillance, wiretapping, spamming or telemarketing;
- Intellectual Property infringement (again, not the result of a covered event);
- claims brought by or on behalf of governments or government agencies, other than enforcement actions by regulators in response to Privacy Breaches and the like;
- media and public relations-related losses except to the extent covered under the Media Liability extension;
- any money or other value transferred from or to the Insured’s accounts, fluctuation in the value of accounts, securities, choses in action or other intangibles or the value of coupons, prizes, awards or other consideration from or to the Insured, affected by a cyber threat or incident, along with any trading losses or liabilities;
- all loss and/or liability arising from widespread outages or failure of systems not under the Insured’s direct operational control, such as satellites, power utilities, internet services and similar infrastructure, including cloud storage facilities;
- war exclusions which also catch cyber attacks by state-sponsored actors; and
- all costs incurred to patch unknown but pre-existing vulnerabilities, or to enhance security to preclude another attack.