Cyber security is amongst the leading risks for organisations around the globe but relatively few (outside the US) have purchased standalone cyber insurance policies. That appears about to change as organisations give serious consideration to whether the financial cost of cyber attacks can be transferred to insurers.
What can be covered?
- Indemnifiable first party losses including, for example, crisis management costs (such as legal and public relations costs), data privacy and security breach notification expenses, forensic investigation costs, network business interruption (which would not ordinarily be covered under traditional property/business interruption insurance), reputational damage (although this may be constrained to public relations costs), reconstitution of damaged digital assets/software and cyber crime/extortion (which may be covered under traditional comprehensive crime insurance).
- Indemnifiable third party liability exposures (where someone else has suffered the loss) including, for example, third-party liabilities for data privacy and security breaches, multi-media liability from published content, defence costs, regulatory investigation costs and potentially some fines and penalties.
How is the landscape changing?
In the US, take-up has been relatively high amongst large organisations driven by laws mandating notification of data breaches. These notification requirements can give rise to significant potentially indemnifiable costs of, for example, large-scale customer contact exercises, setting up call centres, forensic investigations and credit/identity-theft monitoring – as well as third party liabilities and regulatory fines/penalties.
Given the increasing threat, sophistication and profile of cyber attacks, we believe that the take-up of cyber insurance is likely to increase quite markedly outside of the US as organisations develop a better understanding of the nature and severity of the risk and what insurance can (and cannot) do for them.
There are already signs of this happening, not least in Asia.
Another real driver in the short to medium term is likely to be the introduction of privacy laws mandating notification of data breaches, which are on the cards in Europe, some Asian countries and Australia.
If the US example is anything to go by, these changes are likely to fuel an increased understanding of the cyber risk, and an improvement of internal policies and controls, leading to a substantial uptake in cyber insurance around the world.
However, more needs to be done to overcome some common hurdles.
Firstly, understanding the full range of cyber risk – Some large organisations, such as banks, tend to invest heavily in cyber security. But others are simply not geared up to deal with cyber risk, carriage of which often rests with IT departments (who may not be thinking about insurance). As such, the organisation is left ill-equipped to evaluate and quantify the potential impact of a security breach, let alone engage in stress testing or recovery planning.
In these circumstances, substantial work may be required before the organisation is ready to consider the pros and cons of insurance cover and be seen by the market as insurable.
Secondly, understanding insurance policies – Many senior managers are unaware whether or not the organisation has bought cyber insurance or have misconceptions about whether such insurance is required and what it may cover.
Further confusion may arise from the fact that aspects of cyber cover can be found in various traditional classes of business (such as comprehensive crime and professional indemnity insurance), which may result in a misunderstanding or overestimation of what is covered – in reality, there are many gaps (the costs of dealing with data privacy breaches or network business interruption are good examples).
Thirdly, issues with the coverage presently available – There is a degree of scepticism about the efficacy of standalone cyber insurance policies, which are often complex and lack uniformity across the industry. Underwriters are also struggling to get a real handle on cyber risk and how to quantify it. This is not helped by a dearth of underlying claims data to model the risk.
Large policyholders in particular may face market capacity limitations, not least given concerns about systemic aggregation risks – for example, exposure to multiple policyholders using the same Cloud service provider to store data. The result is that cover may be expensive (relative to other classes of business) or not as extensive as the policyholder would ideally like.
Cyber security risk will continue to evolve and so organisations must continually do all they can to protect their valuable assets and those of their customers. Cyber insurance is a tool in that arsenal and should not solely be relied upon in the fight against cyber crime.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2019