Cyber insurance is no longer a niche product


Written by Alexander Wiesner Barg, partner at Ræder Bing law firm

Only a few years ago, cyber insurance was often regarded as a niche product for very large companies or for businesses with a particularly strong technology focus. Today, the picture is different. The question is not whether digital risk exists, but how significant that risk is, and what an interruption or loss of data will actually cost when it occurs.

Cyber insurance has moved from being “nice to have” to something businesses must consider as a natural part of their insurance programme. Modern cyber insurance terms are often designed to address more than a classic hacker attack, and frequently include incident response, business interruption loss, data restoration, third-party liability, regulatory orders, payment card-related claims and, in some cases, media handling.

What is at stake without cyber insurance?

When a cyber incident occurs, costs often arise simultaneously and on several levels, with a need for rapid and effective assistance: disruption or shutdown of operations with associated business interruption loss, the need for IT assistance to identify and remedy the situation and restore systems, reconstruction of data, notification of affected parties, media handling and crisis management, and legal assistance.

In addition, the business may face claims from customers, business partners or public authorities as a result of data loss, security breaches or failure to notify.

For the board and management, this is therefore not merely an IT issue, but a question of risk management, preparedness and sound corporate governance. The board and management may also face personal liability if cyber risk is not handled adequately. Consequently, directors’ and officers’ liability insurance should also be in place.

What does cyber insurance cover?

There is no standard cyber insurance policy, but certain main features often recur.

First, cover is often provided for incident response. This typically includes IT technicians, legal assistance, assessment of notification obligations, notification to affected parties and authorities, contact centres, credit monitoring and PR or crisis management.

Second, business interruption loss is often a central form of cover. Several policy terms cover loss of income, ongoing operating costs and additional expenses during a specified indemnity period, but often only after a qualifying period. Significant losses may arise if, for example, production in a company is put on hold because machine functions or computer equipment are blocked through a cyberattack. Difficult quantification issues may also arise: what is the actual amount of the loss that may be claimed under the insurance?

Third, many policy terms cover data restoration or reconstruction, meaning reasonable and necessary costs to restore data, systems and software following a security breach.

Fourth, many products include liability towards third parties, particularly in cases of data loss, security breaches, failure to notify or alleged breaches of the business’s privacy policy.

Some policy terms also contain specific covers relating to regulatory orders, payment card-related claims and cyber extortion, but such covers are often specifically regulated and limited.

What does cyber insurance not cover?

Understanding what cyber insurance does not cover is at least as important as understanding what it does cover.

As with other forms of non-life insurance, a recurring feature is that cyber insurance is not intended to place the insured business in a better position than it was in before the insured event, nor to cover expenses for ordinary “maintenance”. Costs relating to upgrades, improvements, general closing of vulnerabilities and restoration to a higher security level than before the loss are therefore typically excluded, either wholly or partly.

It is also common to see exclusions for indirect loss, loss of market share, loss of goodwill, contractual liability and various forms of fines or sanctions.

Furthermore, exclusions are often seen for personal injury and property damage, damage or loss resulting from failure of external infrastructure such as electricity and telecommunications, and incidents linked to war, cyberwar or state cyber operations. One should also not expect to be covered for losses arising from previously known circumstances.

As a policyholder, it is therefore important not only to assess whether the sum insured is sufficient, but also to consider the terms governing cover, exclusions and other limitations, such as deductibles, qualifying periods and any specific sub-limits for different types of damage and loss.

The important safety requirements

In practice, safety requirements are highly central in cyber insurance. It is typical for specific requirements to be imposed, for instance regarding updated systems, antivirus software, firewalls, backups, password regimes, multi-factor authentication, encryption, physical security, VPN, segregation of duties related to payment instructions and PCI compliance.

Breach of such requirements may result in the cover being wholly or partly lost, with potentially very significant financial consequences. It is therefore crucial not only to purchase cyber insurance, but also to have a conscious approach to whether the insurance is suitable for the business, and whether the business is in fact organised and equipped to comply with the various requirements set out in the safety requirements.

The interface between cyber insurance and crime insurance

Another practical point is that cyber insurance and crime insurance do not provide the same cover, even though the risk landscape partly overlaps.

Many cyber insurance terms exclude fraud, scams, CEO fraud, loss of money, attacks on bank accounts and transaction losses.

At the same time, crime insurance is often directed at direct financial loss resulting from criminal acts committed by employees, but often with exclusions for losses caused by hacking, extortion and cryptocurrency.

The point is simple: a business may have cyber insurance and still be without cover for a fraud loss, and it may have crime insurance without being sufficiently covered for cyber incidents.

When a dispute arises

As with all other insurance, one should also be aware in relation to cyber insurance that disagreements may arise between the policyholder or insured and the insurance company regarding the interpretation of the insurance contract. Disagreements may arise, for instance, as to whether the main requirements for cover are satisfied, or whether a loss was caused by an excluded peril. Other practical points of discussion include whether the insured has complied with the notification deadline, whether the insured has breached one or more safety requirements, and whether the insurer therefore has grounds to reduce any compensation, and if so by how much.

In the event of disagreement or dispute regarding cover, it is wise to seek expertise in insurance law. Although significant responsibility rests with the policyholder or insured, such as notifying the insured event and an insurance claim within applicable deadlines, mitigating the loss and complying with safety requirements, it should be recognised that the dividing line for compliance with the various rules, and the consequences of any breaches, are not always obvious. It should also be borne in mind that the Insurance Contracts Act imposes several duties on the insurance company, including a duty to provide information to the policyholder, a notification duty when invoking reduction of compensation, and several formal requirements that must be met in order for the insurance company to rely on various objections. Navigating correctly and protecting one’s own interests in such a landscape can have significant financial importance.