Over recent years cyber security has risen up the board room agenda. New ways of working during the pandemic have exacerbated the risks and we have also seen examples of cyber criminals seeking to exploit the current situation. Susannah Fink and Helen Davenport look at whether organisations should have a specific cyber insurance policy as part of their cyber security strategy, what is covered and common myths.
Jocelyn Paulley: Hello and welcome to the third in our IT Masterclass webinar series, developed specifically for in-house counsel. My name is Jocelyn Paulley, I am a Partner in the Commercial, IT and Outsourcing team at Gowling WLG, I'll be chairing our session today on mitigating cyber risks through insurance. I am joined by Helen Davenport, who heads up our Cyber Security team in the UK, and Susannah Fink, Legal Director who specialises in insurance. Helen, I will hand over to you now.
Helen Davenport: Thank you Jocelyn, good morning everyone. The focus of this session is cyber insurance, as you will know from the invitation, but before I hand over to Susannah to talk to us about cyber insurance I want to take a few minutes to put what she will say in context.
What do we mean by cyber security? To take the National Cyber Security Centre definition, it is the protection of devices, services and networks, and the information on them, from theft and damage.
Over the last decade, cyber security has become a vital part of corporate culture.
Protecting individuals - personal data and privacy.
Protecting organisations - to protect trade secrets/assets and ensure business continuity, regulatory compliance and to avoid adverse publicity and fines, penalties, claims and litigation.
Whilst businesses have bolstered their security measures, cybercrime has also become increasingly sophisticated over the years and the threat difficult to predict. There are now greater opportunities and far higher losses that cybercrime can cause.
The Department for Digital, Culture, Media and Sport carries out an annual survey of the experiences of UK businesses and charities, and is now in its 5th year. It released its most recent report in late March 2020. It found that cyber security threats have not diminished and have in fact evolved and become more frequent.
Almost half of businesses (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks in the last 12 months. Like previous years, the incidence is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%), suggesting, not surprisingly, that the more assets a company has the more likely it is to be of interest to potential cyber criminals.
Among the 46% of businesses that identify breaches and attacks, more are experiencing these weekly compared to previous surveys.
COVID-19 has added to this. In these strange and uncertain times, a significant number of employees have now been working at home for some time and look set to still be working from home for the foreseeable future. For many that will have been a new experience and for others, at least, a significant change in working pattern. Many businesses have had to change the way they operate and may be operating more online, or since March of this year may have started operating online for the first time. For many employees, and businesses, the right infrastructure and measures may remain a work in progress, or if they are in place, they may be relatively new and not have been properly tested. Many organisations and their owners are facing difficult decisions in challenging trading environments. Cyber and hacking criminals do not care and are already taking advantage.
With cyber criminals looking to exploit public fear over the pandemic with coronavirus-related online scams, the NCSC and the City of London Police also launched the Suspicious Email Reporting Service earlier this year, and that has received 2.3 million reports from the public in its first four months - resulting in thousands of malicious websites being taken down.
The DCMS survey that I mentioned identified a rise in businesses experiencing phishing attacks (from 72% to 86%). Further, the NCSC Annual Report released earlier this week highlighted the threat of ransomware and disclosed that the NCSC handled more than three times as many ransomware incidents in the last 12 months compared to the previous year.
From a business perspective, cyber crime and cyber security failures can of course give rise to a range of risks, such as:
- Loss of assets/data
- Business interruption and lost revenue
- Recovery costs
- Reputational damage
- Regulatory action, including fines
- Complaints/claims from data subjects
Susannah is going to look at how these risks may be covered (or indeed may not be covered) under a cyber insurance policy, so I will leave the detail of those to Susannah, but to provide some recent high-profile examples of the potential scale of the risks in this area, aside from business interruption issues:
In October 2019 the Court of Appeal heard the case Lloyd v Google and granted the appeal, a significant case in the continued evolution of the UK class action and data protection regimes. Whilst it is a case involving action being taken against Google in respect of the Safari Workaround, and therefore not a cyber breach case, it is a decision that, it is fair to say, has given some considerable encouragement to claimant lawyers more widely, pending the outcome of Google's appeal to the Supreme Court expected next year.
We've also had judgment given by the Supreme Court in the group claim against Morrisons, covered in a previous webinar. However, whilst good news for Morrisons for reasons I explained then, other organisations would be wise not to take too much comfort from the judgment.
More recently, the ICO's decision in the British Airways case: British Airways was fined £20m for failing to protect the personal and financial details of more than 400,000 customers, and just last week Marriott was fined £18.4m for failing to keep millions of customers' personal data secure. These are much reduced from the amounts that the ICO said last year it intended to fine BA and Marriott (£183m and £99m respectively), partly on the grounds of points made by BA and Marriott in response, but also, significantly, the public health emergency and the economic consequences of the pandemic. Nevertheless they are still significant amounts, particularly in the context of the difficult trading conditions, and these sums will be just part of the losses experienced by these organisations.
Managing the risks is a combination of:
- Appropriate technical and organisational measures
- Managing supplier risks - due diligence and audit
- Incident response planning
- Contract - before and after
- Appropriate incident response
As regards measures to identify and manage cyber risks, the DCMS survey found that organisations have maintained but not necessarily enhanced the technical controls and governance processes introduced for the GDPR. So whilst overall trends since 2016 are positive and significant, the changes since the 2019 survey are relatively modest. So it is likely that more can be done.
Further, many of the other steps may mitigate the risks but not avoid them altogether. Even where organisations have taken steps to prevent incidents, they can still arise given the prevalence of the threat. Incident response planning and response are vital to manage the risks of an incident if it arises, but may not be able to avoid all of the consequences. Contracts, particularly where the risks have been considered at the pre-contract stage, may provide an opportunity for recourse, but claims may still not be straightforward or quick, and a consideration will also be whether the counterparty is good for the money. So insurance can be a vital part of an organisation's cyber security defences. Of particular relevance to our session today, the DCMS survey reported that only a minority of organisations are insured against cyber risks (31% of businesses and 31% of charities).
In the next part of the session Susannah will provide an overview of cyber insurance then we'll cover some common myths and frequently asked questions and provide you with our view on those.
The cyber insurance market is continuing to grow, in the context of some of the largest cyber losses globally being seen in the UK market. According to the Hiscox Cyber Readiness Report for 2020, one UK financial services firm suffered losses from a number of cyber incidents totalling £69 million in the past 12 months, and the largest loss from a single cyber event in the past 12 months also originated in the UK, costing the professional services company in question some £12 million. At the same time, companies both in the UK and globally have voted cyber incidents to be the most important business risk which concerns them, according to the Allianz Risk Barometer for 2020. Yet despite this, the market penetration for cyber insurance in the UK remains relatively low, as Helen has mentioned.
So why should you be telling your Board that cyber insurance is important?
Well, comprehensive insurance is usually a key ingredient in many risk management strategies. It enables a company to transfer a large part of its risk to a third party provider and protect its balance sheet.
In a nutshell, cyber insurance cushions your business from the costly, widespread and long term consequences of a cyber-attack. It can't prevent the business from being hit in the first place, but it can provide the forensic help to bring a halt to the cyber attack, get its systems back up and running again quickly, cover many of the costs of the inevitable fallout and help mitigate loss to your client's reputation.
What are some of the benefits?
Before companies can obtain effective cyber coverage, they need to understand their own exposure to cyber risks. It's therefore an effective way of compelling management to identify their possible loss scenarios, understand where they are most vulnerable, and then seek to quantify the financial impacts of such exposure. This will help them manage their business more effectively.
Having cyber insurance also encourages businesses to mitigate their risk by way of analysing their controls and seeking to improve them. This is because most insurers will offer a reduced premium if a business can demonstrate that it has recognised cyber security defences in place (such as Cyber Essentials), and has implemented effective risk management programmes.
If your business is a supplier of services, then you can also use cyber insurance as a proxy form of accreditation, as it's something that you can advertise to your customers so as to demonstrate you have undertaken due diligence on your own cyber risks.
What should you do before taking out a policy?
I can't emphasise enough how important it is for each organisation to think through how widespread the impact might be of some common scenarios such as systems failure, or a ransomware attack, which could affect you in multiple locations. Consider the volume of sensitive data held by your business and the value of it; what are the different security protocols that the company observes (e.g. adherence to ISO quality standards around security); question whether there are potential motivations for attack; consider the jurisdictions in which the company operates and the vulnerability of its supply chain; and the profiles of the executive team.
Once you have analysed the financial impact of business interruption, and the associated cost and time of recovery and response, you can start to identify the amount of cover that you need, and the sorts of incidents that are the most vital to be covered.
You then need to review your cyber coverage programme as a whole, to establish where any gaps in coverage might be. It may be that there is some coverage for cyber risks on other policies that you may have, such as property all risks, public liability, directors' and officers' liability, crime, and kidnap & ransom policies. I will come on to talk more about this later.
If you've decided to take out a cyber policy, it's often better to procure a bespoke cover that suits your organisation, rather than relying on an off the shelf / one size fits all policy, which might be inappropriate for you. Basically, the more information that you can give to Insurers about your cyber risk profile, the more likely you are to achieve an accurately priced and effective amount of cover.
Think through what amount of excess your organisation is willing to pay in the event of a cyber incident, bearing in mind the effect upon premium.
So what does it cover?
Business interruption losses resulting from an interruption to your own computer systems - this covers both loss of revenue and increased costs of working, as well as other additional costs such as an IT forensic expert investigating the extent of the problem. You should be aware that cover is often limited to events triggered by cyber attacks or unauthorised activity, so any network downtime caused by accidental errors or omissions may not be covered.
Be careful if you have any systems delivered by outsourced service providers - coverage for interruption of such systems varies significantly, and can be excluded. Some policies also cover business interruption losses incurred by the Insured as a result of a supplier's systems going offline as a result of an attack or unauthorised activity.
It should be noted here that these business interruption losses will usually be limited to the period of actual network interruption, for a maximum period of time such as 90 or 120 days. Some policies can also provide cover in the period after IT systems are restored, but the business is still disrupted, when actually there may be a more significant knock-on revenue impact.
Then there is cyber extortion cover, which is when third parties threaten to damage or release your operational or personal data if money is not paid to them. There is cover for the ransom amount paid (with insurers' prior written consent) and the services of special consultants to oversee ransom negotiations and the transfer of funds. This clause is growing in prominence as more businesses move online and the use of ransomware proliferates.
In the event of a security or privacy breach, there is cover for customer notification expenses, where there is a legal or regulatory requirement to notify such customers. This can include the costs of manning a call centre to handle customer enquiries, and the cost of credit monitoring services. Legal costs to advise on how to respond to a breach will also be covered. There will be cover for the cost of a PR firm to handle crisis management and a 24/7 press office, available to mitigate reputational damage arising from a breach of data that results in loss of intellectual property or customers.
There is usually, but not always, cover for loss, alteration or corruption of data and software programmes, as well as damage to computer equipment, for example caused by a hacker. Also the costs of data recovery services will be covered in this eventuality.
Third-party insurance covers the assets of others, typically your customers. This may include:
In the event of claims made against you for failing to keep personal data secure, or for allegations of non-compliance with GDPR, there is cover for legal defence costs and damages associated with privacy and security breaches. This form of cover is especially relevant for businesses that handle or store any personal information from their customers, or for the healthcare sector that stores patient data.
Moving on now to regulatory investigations. Where the Insured is subject to an investigation by regulators such as the Information Commissioner's Office, there's cover for legal defence costs and to settle civil penalties levied by regulators where allowed (more about that later).
Multi-media liability, which might only be an optional cover, addresses the eventuality that your digital media presence leads to a party bringing a claim against you for defamation or IP infringement. It covers business investigation costs, defence costs and civil damages. This would be a useful benefit for companies that rely on the transmission of digital data via email or a website, rely on a large social media or digital content creation business model, or have significant advertising on their site that may lead to a liability.
Financial crime. Some policies will have as part of their standard cover, or perhaps an optional cover, specific coverage for electronic theft or transfer of money, and for loss arising from social engineering fraud. Social engineering fraud is where funds are transferred erroneously by an employee to a third party due to fraudulent transfer instructions. The most frequently notified social engineering event is impersonation of a supplier or vendor, and the costliest events are typically those that involve impersonation of a CEO or senior manager. You should make sure you understand exactly what's covered here, as social engineering fraud can sometimes be restricted to scenarios where the insured's network is also compromised, which is not always the case.
What does it not cover?
Loss of business caused by reputational damage (but as I said, there is cover for PR experts to mitigate loss of reputation).
Fall in share price following bad publicity.
Personal injury is generally excluded, as is damage to property (unless it's damage to computer hardware that is specifically covered).
Other standard exclusions such as:
the failure of service provided by an internet service provider, telecommunications or utilities supplier; or loss attributable to physical perils such as fire, flood, storm etc.
GDPR - whether it is possible as a matter of law to insure regulatory fines such as those imposed under the GDPR is currently a bit of a grey area. The current position is that, for public policy reasons, an indemnity is not available for regulatory fines arising out of illegal or quasi-illegal acts, which the law has determined should be imposed upon a party personally. This was the law following the leading 2010 Court of Appeal case, in which Gowling WLG acted, Safeway Stores -v- Twigger, which held that fines imposed by the Competition & Markets Authority were irrecoverable under D&O policies. The FCA have subsequently made clear that fines imposed by them are not insurable, and the ICO have rather unhelpfully commented that they don't know if insurance is available for their fines, but in any event, organisations should focus on good data practice. In the meantime, the Organisation for Economic Cooperation and Development (OECD)'s insurance and private pensions committee has considered the question of insurability of fines and issued a report this year stating that Governments should provide a clear statement on the insurability of fines, penalties and ransoms in their jurisdiction. If the UK Government are ever not too busy with COVID-19 and Brexit, then maybe we'll see some progress on this issue. Certainly there are a lot of cyber insurers out there who would be happy to provide such cover, if it were to be clarified that it was lawful to do so.
Often there is an exclusion for criminal/fraudulent acts by a director or partner; and an exclusion for theft of money or securities - if the funds were stolen (as opposed to transferred, even as a result of a deception), then this may be deemed a crime loss, and therefore excluded. This type of loss might however be covered in crime policies, or it can be specifically covered in standalone cyber policies, as we've discussed, instead.
War and terrorism exclusions - An interesting example of the problems that can be caused by such exclusions is the case of Mondelez and Zurich America. This case arises out of the NotPetya global cyber attack in 2017. The NotPetya virus used hacking tools so as to take control of computer systems and demanded ransom from their owners to regain access. It caused havoc across the world, damaging the systems of many private multinational companies, as well as the National Bank of Ukraine. According to the intelligence agencies of the UK and US amongst other countries, NotPetya was thought to be a Russian state-sponsored act of terrorism, primarily aimed against the Ukraine government and businesses, although it inadvertently spread much beyond that.
One of the companies which was most affected was US confectionery giant Mondelez International. The cyber attack rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional. Following weeks of remedial action, Mondelez recovered their systems. It therefore made a USD 100 million claim under its property all risks policy, which was issued by Zurich American Insurance Company, for damage to its software and hardware, loss of revenue due to unfulfilled customer orders and reduced margins, and operational disruption.
Zurich American declined to pay out, in reliance on an exclusion for "hostile or warlike action in time of peace or war…by any government or sovereign power", on the basis that the cyber attack was an act of war by Russia. This was the first time that an exclusion such as this had been relied upon by an Insurer in the event of a cyber attack, as it historically had only been relied upon in cases of conventional armed conflict.
The case is currently still proceeding through the Illinois Courts. However, given that the onus of establishing that the exclusion applies is on Zurich, it seems that it will be difficult for them to prove that Russia was behind the anonymous cyber attack; as any evidence of Russia's involvement is likely to be highly confidential classified information. Furthermore, even if Zurich could prove who was responsible, the question remains as to whether they would be able to rely on the exclusion to deny coverage for unintentional losses in cyber space such as Mondelez's, which go beyond the original intended Ukrainian targets.
If Zurich were to succeed in relying on this exclusion, then it could widen the ability for insurers to trigger the war exclusion in their cyber policies, in scenarios where, for example, certain authorities may consider individual hackers in North Korea and Iran to be executing attacks on behalf of those countries, whether or not they were actually directed by government authorities. If specific cyber policies didn't pay out in such circumstances, they would become essentially ineffective.
Policyholders therefore do need to ensure that an exception to such war exclusions is carved out for specific cyber terrorism attacks. Likewise, policyholders should check their wordings to see if cyber terrorism cover would apply in the event of an act which is not formally attributed to a state, but only alleged to have been committed by it.
It's worth noting, finally, that Mondelez and Zurich is a case of a property insurer trying to avoid coverage for a cyber risk. We know that other companies have successfully claimed under their standalone cyber policies for losses arising out of the NotPetya attack, and indeed losses arising from other cyber incidents committed by state-backed agents. For example, Marriott Hotel Group revealed in November 2018 that it had been subject to a cyber attack for the past four years, whereby its databases were hacked, resulting in millions of guests' records being improperly accessed by the perpetrator. Despite the fact that this attack was carried out by Chinese state hackers, it managed to recover over $100 million from its cyber policy.
I'm now going to discuss some common coverage issues for cyber risks which policyholders have experienced Insurers relying on, so as to either decline a claim, or not pay out a claim in full.
As I touched upon earlier, cyber policies cover both first party and third party cover. So first party loss is that type of loss which the policyholder experiences first hand i.e. business interruption loss. Some policyholders may not have taken out such cover, and relied on only third party cover i.e. liability for data protection / privacy exposure. It's obviously quite a fundamental error to be claiming for a loss covered under a section of the policy that you decided not to take out, thinking that such a scenario would never occur in your business. So it is important to ensure that you have the broadest possible coverage that you can afford and can find.
Another common error is notifying a claim under a cyber policy which is excluded and should really have been notified under another policy, such as a crime policy. So for example, electronic theft of data by an employee, might be best notified under a crime policy (although some of the best cyber policies will cover such incidents).
Likewise, all insurance policies, including cyber policies, will include clauses that require Insurers' prior consent to be obtained in other circumstances, such as before making settlement offers to third parties, before admitting liability and before incurring legal defence costs etc. Cyber policies will also require Insurers' consent to be obtained before policyholders incur remediation expenses and cyber extortion expenses. If the policy terms are not followed, then Insurers will have a right to either reject the claim or reduce the amount paid.
Many policies require the Insured to instruct particular forensic IT consultants, PR consultants and lawyers that they have approved. Using claims/incident response suppliers who have not been approved by insurers in breach of policy conditions will result in a claim being declined. Make sure you read and understand the way the policy works in the event of a cyber incident, and note the list of approved suppliers who can be consulted in compliance with policy terms.
Betterment is another reason why claims are declined. If computer equipment is rendered unusable as a result of a cyber attack, then Insurers will pay the costs of repairing or replacing the unusable part of the equipment. If, however, the policyholder has incurred costs improving IT networks and infrastructure to a specification beyond that which existed prior to the cyber incident, then this will amount to betterment and, depending on your policy wording, Insurers will often not cover such costs. I should add here that some of the better cyber policies would actually indemnify you in the aftermath of a cyber attack to ensure that your cyber resilience is strengthened going forward.
Finally, as I have touched upon previously, claims for coverage of fines / penalties have been declined by Insurers on the grounds that such fines and penalties are not insurable as a matter of law.
Now Helen and I will discuss some common myths and FAQs on cyber insurance, with the help of Jocelyn.
Jocelyn: What if people think "I already have cyber coverage through my other policies"?
Susannah: It may be that if you suggest to your Board that they need a cyber policy, you will experience some resistance. As I've mentioned, only 22% of businesses in the UK have standalone cyber cover, and research has shown that one of the most common reasons for this is because companies think they already have sufficient coverage for cyber risks by virtue of their other policies. This is unlikely to be the case though.
Property all risks policies might provide you with cover if, for example, there was a malware attack on the data stored in an industrial computer, which resulted in a fire in a production facility. There would be cover for the property damage and resultant business interruption, but no cover for the data restoration cost or any IT forensic or PR expenses. These types of losses are also unlikely to be covered on other general liability policies. The Mondelez and Zurich case also shows how Insurers are fighting to find exclusions to rely upon so as to avoid being liable for such losses claimed on property policies.
There has been a lot of discussion in the insurance industry over the past few years about "Silent cyber", which refers to the exposure that Insurers have to cyber losses in traditional non cyber policies, which haven't been either specifically included as triggers for coverage or specifically excluded. In January 2019, the Prudential Regulation Authority required all Insurers to have an action plan to minimise their unintended exposure to cyber risks, and Lloyd's also issued a bulletin requiring its underwriters to state in all policies whether coverage arising from cyber events is affirmed or excluded. The deadline for this initial part of the mandate, applying to underwriters of first-party property policies, was on 1 January 2020. Various Lloyd's committees have published suggested endorsements, but the use of them is not compulsory. Insurers are therefore free to apply any wordings they feel comply with the requirements to specify the position either way.
It's nevertheless becoming more common for both property and general liability policies to include express exclusions for cyber risks.
In addition to this, even if the cyber risks are expressly included, some of the definitions in liability / property policies are narrowly drafted, and may not be appropriate to cover exactly what has happened in a typical cyber incident scenario. A cyber risk policy, which is specifically designed to cover these types of risks, is more likely to cover what you need it to do so.
It's always safer to have standalone cyber insurance, which is dedicated to getting businesses back up and running quickly after a cyber attack. It provides a range of specialised services in the wake of a cyber event, like IT forensic response, crisis communication, legal advice and, if necessary, credit card monitoring. It's rare for other policies to provide all these services.
If, however, you do end up relying solely on traditional policies to cover cyber risks, then a danger to be aware of is that cyber liability claims can erode limits and impact renewals of essential and sometimes mandatory insurances such as professional indemnity insurance for certain professionals. We've recently notified a claim for losses arising out of a data breach on a general liability policy, which will no doubt erode the limits available for other types of claims and make an already expensive policy even more so at renewal.
There is nevertheless still benefit in having the additional cyber cover offered by these traditional policies. A directors and officers liability policy, for example, might cover losses arising from a cyber risk that wouldn't be covered in a standalone cyber policy if, for example, a publicly traded company experienced a data breach, ultimately leading to a drop in its share price, which then resulted in a securities class action being issued against the directors for breach of their fiduciary duties.
Helen: Yes, to summarise, before the event we would recommend considering cyber insurance for the reasons Susannah has said and also taking a holistic view of insurances to make sure key risks overall are covered. Where an incident does arise we would look first and foremost at any cyber insurance, but if there is none, or depending on the issues arising, we will also look at any other policies in case they may cover the losses suffered.
Jocelyn: Many clients are unsure whether cyber insurance is worth it, think that they don't pay out, or think there is not enough cover available to be relevant.
Helen: I agree, I get the same feedback when discussing incident response planning.
Susannah: There appears to be a belief that cyber policies don't pay out, but this just isn't the case. According to the Association of British Insurers, 99% of claims made on ABI member cyber insurance policies in 2018 were actually paid. At the time, this was one of the highest claims acceptance rates across all insurance products.
There admittedly have been problems that some policyholders have experienced, but these are more likely arising on claims for cyber risks being made on property, contingency and liability policies, not on the standalone cyber policies themselves. Alternatively, issues occur when insureds are unfamiliar with the policy terms, but if the rules are followed, then claims will generally be paid.
The most frequently notified, and highest value, claims under cyber policies appear to be for data breaches. The most frequently occurring and most expensive types of data breaches are malicious data breaches carried out by third parties (as opposed to accidental data breaches carried out by the company, or malicious data breaches by an employee). Social engineering events are the second most frequently notified type of claim.
It's true that, in some of the huge claims being made for notorious data breaches, the insurance monies paid out didn't go anywhere near indemnifying the insured for the entirety of their losses. But available limits of insurance are rising - policies typically provide cover for limits between £380 million and £580 million. There is an abundance of capacity in the cyber market, and that creates a great deal of competition, and ultimately it's a buyers' market.
Standalone cyber-liability coverage does tend to be expensive, with the same limits sometimes costing three times those of general liability policies. The reason they're expensive is both because of the high-impact nature of the risk and the difficulty that Insurers face in quantifying potential losses.
And I accept that times are hard for most businesses at the moment, so if you're struggling to afford a cyber policy, even a small amount of cover is better than none.
Is it worth it? Well, the general consensus appears to be the cost of dealing with these cyber incidents is unfortunately increasing. The average cost of a cyber incident in the UK over the past year is thought to be around £35,000, according to Hiscox, although as I mentioned earlier, the UK also had the largest value single loss.
Insurance is there to cover the risk that it could be your organisation that is unlucky enough to experience a very costly incident, but obviously it may depend upon your business's own risk profile as to whether you think the premium is worth it.
Jocelyn: So how should a business notify their insurers of a cyber event?
Susannah: Where a standalone cyber policy has been taken out, the notification requirements can be quite onerous, in that the insured will likely be required to notify Insurers on a 24 hour cyber hotline immediately, or fairly soon after, becoming aware of an actual or suspected cyber incident. Early notification is in any event beneficial, as it will enable the policyholder to benefit from Insurers' guidance from their own experience as to how to handle the incident, and importantly, enable access to be given to a host of specialists that policyholders require, such as IT forensic consultants to advise on recovery efforts, lawyers to assist with data breach response, PR consultants to manage reputational issues etc.
Where circumstances have arisen which are likely to give rise to a claim against you in the future, then there will similarly be an obligation to notify Insurers, although there will be longer to do so. The exact requirements depend on the policy wording, but it is more likely to be as soon as practicable or within 30 days. Notifications should contain a description of the circumstances leading to the loss, or likely loss, and the names if known of the persons causing such loss. It is helpful to give as much information as possible, although I recognise that, in the early stages of a cyber attack, very little may in fact be known.
If you're notifying a cyber risk on a general liability or property policy, then the notification requirements will be different again - probably more like as soon as practicable.
Helen: Also a warning about the notification and claims process in general, if you're making a claim for a cyber risk under a general policy. As you may be trying to make a series of events fit a scenario that it wasn't necessarily designed to cover, it can take longer to draft a notification, so that needs to be factored into the time and costs. We have also had experience of being asked questions on a general policy, which need to be dealt with, which we would not necessarily expect to be asked under a cyber policy.
Susannah: Yes, then the claims handler that you deal with won't be experienced with cyber events or understand the speed with which a response is required. We have had to notify a privacy breach on a liability policy recently, and the policy requires that Insurers' consent is obtained before taking any step, sending any letters, incurring costs. Given the time limits involved in responding to breaches of GDPR, it can be onerous to build in the additional time required to obtain Insurers' consent.
In general, it's worth taking the time when purchasing a policy to familiarise yourself with the notification requirements, and ensuring that such requirements are aligned with the business's incident response plan.
Jocelyn: So what effect is the pandemic having on cyber insurance claims and renewals?
Susannah: Whilst working from home is the new normal, it could unfortunately be the reason why your company's next cyber attack isn't covered. I would urge you all to check your cyber insurance policies, or ask us to review them and we'll be happy to do so, and consider whether you have adequate coverage in the current remote working environment.
Most cyber policies provide coverage for loss that results from a "Security Event" (or some similar term) where that term is defined to mean the failure or violation of the security of a "Computer System." While the specific definition varies from policy to policy, one common cyber form defines "Computer System" to mean: "Computer hardware ….. under the ownership, operation or control of the Insured." With a definition such as this, Insurers are likely to argue that there would be no coverage if your employees are using their own personal laptops to connect to your business' system, or even just their own wireless routers.
Other definitions of Computer System may expressly include hardware or software "owned by your employees and operated on behalf of you". Even with this more helpful definition, Insurers may try and argue that if, at the time the security failure occurred, your employee was using their own hardware or software for personal activities, then there would be no coverage. If Insurers were to seek to decline claims on this basis, I'm not saying all would be completely lost however, as it may be possible to argue that either the business exercises some form of control over their employees' personal computer systems, or alternatively that a security failure involving a personal computer system which is not covered led to a security failure involving the policyholder's "Computer System," which is covered, and therefore coverage should apply.
I'd also urge you to consider, where policies do cover security failures on a supplier's or outsourced service provider's system, whether that would be covered if their employees were also working from home.
If renewal of your policy is coming up, then I would advise you to discuss the situation with Insurers and ask how the policy is intended to operate in the remote working environment, negotiate a more favourable position if possible, and then ensure that the policy wording does exactly reflect that intention in clear language. You might also want to look into plugging any gaps in coverage by ensuring that the company imposes rules restricting the use of employees' personal computers and provides more company computers where necessary.
I think it's fair to say that this greater reliance by businesses on their technology systems in general is leading to more companies examining their cyber coverage as a whole.
Pricing for cyber insurance is gradually increasing, although it hasn't increased significantly (yet) as a result of COVID-19. Competition and capacity in the cyber market remain strong. However, the ongoing pandemic is leading to greater underwriting scrutiny around cyber risk and COVID-19, including remote connectivity processes, business resilience, and business continuity planning. Start early and be prepared for questions around COVID-19 as well as other exposures. The current losses will likely lead to carriers tightening their risk appetite not only in connection to pandemics, but also other exposures.
Helen: This of course interplays with the IT, BYOD and cyber security policies and procedures that an organisation has in place, which we have previously recommended should be audited regularly. As a consequence of the pandemic it is also worth considering whether further steps should be taken to enhance those policies in any areas.
Jocelyn: So if a company's cyber insurance renewal is approaching what should they be thinking about?
Susannah: Have a strategy, with clear goals regarding what you want to accomplish from your renewal and consider changes to your programme structure. Ensure your underwriting submissions are robust, and focus on differentiating your organisation using solid and concrete data. Ensure that details about your cyber security measures are up to date and highlight risk mitigation strategies adopted. Ensure that any other changes that have occurred within your organisation in the past 12 months are disclosed.
Negotiate consent provisions. Most cyber policies demand the insurer preapprove any forensic IT investigators, lawyers, or PR consultants before your company may hire them to assist in data breach response. Many companies already have lawyers that assist on other general legal matters or consultants that advise on information security issues. See if you can agree with Insurers up front that you may instruct your own experts and get them to approve them, as unfamiliar lawyers and experts can create additional uncertainty at a particularly chaotic time for your company.
Ensure the cyber policy has specific provisions for funds-transfer-fraud, as this is increasing as some policies exclude it. Ensure it has adequate cover for remote working.
So to wrap up, the key takeaways on this topic should be:
- Review your cyber coverage programme as a whole
- Understand what you are buying
- Ensure coverage is comprehensive and matches your risk profile
- Notify early
- Comply with policy terms
Jocelyn: Thank you all for joining us today. The final IT Masterclass in our series will be on 18 November, when I will be joined by Matt Hervey, the partner who leads our AI team and whose book on the law of AI has just been published by Sweet and Maxwell. So we will get the inside line from Matt when we speak to him in a couple of weeks, and please do sign up to attend the session if you haven't already done so. Thank you, goodbye.
Originally Published By Gowling, November 2020