Cyber-Insurance myths & misconceptions

Published on Tue, 01/05/2018 - 10:35

Cyber-risk and cyber-security have taken centre stage in both the media and company boardrooms around the world. We have seen the continued rise of computer fraud and massive data breach revelations as well as business-crippling network events.

Yet, despite the obvious need, the take-up of cyber-insurance in the UK remains stubbornly low. Lyndsey Bauer at Paragon, a cyber-insurance specialist, says this should change.

We read a lot in the press that cyber-insurance cannot, or will not, cover cyber-losses, but in our experience the policies do what they say they will do - as long as you choose them judiciously. In our view it ultimately boils down to a lack of understanding. There are plenty of worthwhile cyber-products out there provided the buyer knows what to ask for.

Cyber - what does it mean?

In a world where technology is embedded in practically everything, 'cyber' is an overused term. This lack of a precise definition often leads to situations where people misunderstand each other because they don't realise that they are talking about different things.

Cyber-risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. There are a number of threats and layers of vulnerabilities, and a cyber-incident can lead to many different types of losses for affected companies (see chart at bottom of article).

Because cyber-risk is so pervasive, people sometimes think it may already be addressed in existing insurance policies. This at best may be partially true, but because each policy covers a specific purpose, there will almost certainly be gaps in coverage.

Cyber as a risk factor touches on many aspects of a business and facets of the risk will also touch on other insurance products. So, without specialist guidance, it would be quite easy to get the wrong impression about the availability or efficacy of coverage. Worthwhile products do exist. Lloyd's in particular is at the cutting edge of this new insurance frontier and has a track record of over 17 years of paying cyber-claims.

Furthermore, by speaking with a specialist insurer or broker, buyers have the opportunity to run through potential loss scenarios, prior to inception, to gain a better understanding of how a proposed coverage might respond in each of those scenarios and then make any adjustments necessary to avoid disappointment. The exercise can also flush out some issues that are better addressed under other insurance coverages.

Some uses of cyber-cover in practice

Cyber-security represents different things to different corporate stakeholders. Securing a cyber-insurance policy that satisfies everyone requires someone to take the lead who understands the concerns of each stakeholder. For example:

A chief information security officer (CISO) may be concerned with the attack surface and will want to show continued improvements in Key Performance Indicators (KPIs). Cyber-insurers have a unique view on what makes a cyber-incident expensive. The questions insurers set in the application, or indeed any restrictive terms on a quote, can help a business prioritise security initiatives, as well as helping to fund an existing cyber-incident response plan.

A chief information officer (CIO) may want to balance spending with technology needs; they are looking for return on investment. A cyber-policy can dovetail with cyber-incident business continuity planning to help achieve this.

The general counsel may be focussed on the company's compliance with privacy regulation while the CEO may be looking for confirmation that the business has defences and plans in place to survive an attack.

The European Union's General Data Protection Regulation (GDPR) requires businesses to have an incident response plan in place and to notify any data breach within 72 hours of becoming aware of the event. Cyber-insurance can be an important part of this process. It can help businesses be prepared before, during and after a cyber-incident.

How reliable is cyber-cover?

Cyber-policies can and do pay out - provided you successfully navigate the complexities of this class of business. Because it includes both first-party and third-party clauses, cyber-insurance is open to misunderstanding. Often where an insurer is heavily criticised for refusing to pay a cyber-claim, there may be legitimate reasons for the decision, such as the insured's failure to follow policy procedures.

For example, the cyber-incident response section often requires the policyholder to involve the insurer in the loss much earlier than in other types of insurance and to obtain the insurer's consent before incurring any incident expenses which they want insured. As well as being a requirement of the policy, early notification provides an opportunity to benefit from the insurer's experience. If called in early enough they may be able to help keep a bad situation from getting worse.

This highlights a distinctive benefit of cyber-insurance: you are buying more than just cover, since the policies also offer access to expert consultancy and support at a time of significant pressure, confusion, uncertainty and concern. This can help insureds to make good decisions and so mitigate reputational harm and economic loss.

Getting a cyber-claim accepted follows a familiar pattern. Organisations must check if there is a procedure to follow, not just activate the incident response plan and expect to send an invoice for reimbursement. Sometimes the insurance company will make all the arrangements for you. File the claim to your insurer or broker as soon as possible. Give details clearly, document the damage and keep lines of communication open.

In other words, understand and follow the rules. Do this, and you will find a typical cyber-insurance policy can provide broad coverage and is highly negotiable - and premiums are competitive.

Lyndsey Bauer is a Partner at Paragon International Insurance Brokers Ltd

Common types of cyber incidents

For each type of incident, the chart lists an example, the potential losses, and whether a typical cyber policy responds to each loss.

Privacy Breach
Example: Unauthorised disclosure of personal data
Potential losses (typical cyber policy response):
  • Incident response costs*: Yes
  • Breach of privacy compensation: Yes
  • Privacy fines & penalties: Yes, where insurable
  • Payment card fines & penalties: Yes
  • Legal fees associated with any of the above: Yes
  • Data and software loss / reconstruction costs: Yes
  • Business interruption: Yes

Hacking attack
Example: Authorised access prevented, loss of confidential data (not personal)
Potential losses (typical cyber policy response):
  • Incident response costs*: Yes
  • Liability compensation: Yes
  • Fines & penalties: Yes, where insurable
  • Legal fees associated with any of the above: Yes
  • Data and software loss / reconstruction costs: Yes
  • Business interruption: Yes

Cyber-fraud
Example: Illegitimate financial transfer as a result of social engineering
Potential losses (typical cyber policy response):
  • Loss of 1st Party financial assets: No, see Crime policy
  • Loss of 3rd Party financial assets (due to system intrusion): Yes, also see Professional Liability policy
  • Loss of 3rd Party financial assets (without system intrusion): No, see Crime policy
  • Incident response costs* (if system intrusion): Yes

Cyber-extortion
Example: Ransomware impedes access to data or network until ransom is paid
Potential losses (typical cyber policy response):
  • Incident response costs*: Yes
  • Ransom payments: Yes
  • Data and software loss / reconstruction costs: Yes
  • Business interruption: Yes

Any of the above
Potential losses (typical cyber policy response):
  • Reputation: Yes, in terms of loss of income
  • Shareholder: No, see D&O policy
  • Damage to physical assets: No, see Property policy
  • Bodily injury, illness or death: No, see General or Public liability policy

Yes = Generally covered (sub-limits may apply). No = Generally excluded from cover.

* Incident response costs include: digital forensics, data breach notification, credit monitoring & related public relations expenses