The Cover That Cyber Insurance Should Provide
The risk of loss arising out of data breaches or cyber crime is now widely appreciated, and such events are increasingly common. Well-known recent examples include the following:
- Users of the internet facilities of a leading airline (BA) were diverted to a fraudulent website which collected the personal details of approximately 500,000 individuals. The Information Commissioner’s Office (ICO) issued a notice of intention to fine the airline some £180m on the basis of the airline’s allegedly poor security arrangements.
- The computer system of a mining company (CMOC) was hacked and significant sums were paid out in separate transfers to unknown bank accounts. The funds were then dissipated into other accounts, making them impossible, or uneconomic, to recover.
- The Colonial Pipeline, part of the USA’s national infrastructure carrying fuel in the south-eastern USA, had to be shut down following a ransomware attack on the computerised equipment managing the pipeline. The ransom demand, in bitcoin, was paid in full, although the FBI was reportedly able to recover much of the payment.
‘Silent’ cyber coverage – The UK regulator has been seeking for some years to steer insurers away from unwittingly providing ‘silent’ cyber coverage, that is, cover which arises because the insured can argue that, although cyber risks are not expressly referred to, the wording of a general insurance policy is wide enough to cover such losses. As insurers close off that route, it becomes sensible to consider buying specific cyber insurance.
Points to look for when taking out insurance covering against cyber risks – Essentially, cyber insurance should provide cover against risks associated with data protection, information privacy, information governance and internet-based risks.
Crisis management – The cyber loss of greatest concern to many insureds is that arising from a breach of data protection obligations, whether this results from operator error, the deliberate act of a disaffected employee or the criminal activity of a third party. A comprehensive cyber insurance policy will cover all three possibilities.
If such an incident occurs, the organisation affected may wish to have cover for retaining a specialist data breach response team to manage the problem and lead the response. The main areas that need to be covered are:
- regulatory compliance;
- containment of the problem;
- protecting, securing and restoring the computer system;
- retrieving personal data;
- conducting a forensic investigation into the network failure and securing evidence;
- protecting the brand;
- notifying third parties whose data has been affected; and
- dealing with the regulator over the incident and any penalties that may be threatened.
It is sensible to agree with the insurers in advance a panel of specialist advisers from which the insured can retain help, with the advisers’ charges known beforehand; which advisers are instructed will depend on the severity of the incident and on their availability.
The insurers’ agreement will normally be required before such advisers are instructed. However, to cater for an urgent incident occurring when the insurers’ representatives cannot be contacted, the policy should allow the insured to incur emergency costs, up to a stated percentage of policy limits.
It is also necessary to clarify whether the cover is limited to restoring and replacing programs as they were at the time of the incident, or whether it extends to replacing the system with an equivalent one that meets current standards of technical security and resilience.
Ransoms and fines – The insured may wish the insurance to extend to cover any fines imposed by the authorities, to the extent that it is permissible to insure against such penalties.
For cases of extortion, the insured will no doubt wish to have cover for the charges of specialist advisers who can advise on the credibility of the threat and the position on sanctions, recommend the best way to resolve or mitigate the loss, and conduct any negotiations with the criminals.
However, the policy will probably reserve to the insurers the decision whether to pay the criminals’ demands. If the insurers decide not to pay the ransom and the criminals then carry out the threatened action, the insured could find itself incurring substantial expense in defending claims, paying damages, dealing with the regulator and rebuilding the business. Here, it may be worth taking out legal expense insurance against the need to pursue the insurer over its decision not to provide the policy benefit.
Defence of third party claims and regulatory investigations – The insured may wish the cover for defence costs to be available from the date on which it notifies the insurers of circumstances that may reasonably be expected to give rise to a claim, rather than from the date of any subsequent proceedings. This matters because skilful handling of a matter at an early stage may mean it never gets as far as proceedings.
Business interruption loss – It is possible to obtain business interruption cover for cyber risks even where there is no interruption to, or degradation of, the insured’s system. This would be particularly helpful for breaches relating to third party personal information, since such events could very well expose the insured to prolonged reputational damage or a downturn in sales even where its processes were never interrupted.
Whether the policy should indemnify the insured for loss of gross profit or alternatively for loss of turnover is likely to depend on the nature of its business and the premium the insured is willing to pay. Where cover is on a loss of gross profit basis, the issue for the insured would be how it would fund its fixed costs in the event of a prolonged loss of turnover.
Exclusions based on failure to maintain required security practices – Clauses in a policy wording that impose a general requirement to take reasonable precautions have been construed as relieving insurers of liability only where the loss is caused by actual recklessness on the part of the insured. The stated rationale is that, unless some restriction is placed on such clauses, insurers could escape paying a claim whenever they can establish negligence on the part of the insured, and negligence will usually be the very conduct the policy is intended to cover.
However, clauses excluding cover if specific security practices are not followed may be upheld as drafted, particularly if the court considers such clauses to define the scope of cover.
The proposal, assessing the underwriting risk and premium rates – Specialist organisations monitor the internet, including dark web forums and markets, for new strains of malware and criminal techniques. Subject to considerations of confidentiality, the information so obtained can be used during the policy period to strengthen the security of an insured’s network and its products. Use of this type of analysis could enable the insured to negotiate a lower premium.
For further information, please contact Wendy Miles, Chris Earl or William Sturge at Lovetts.