Cyber insurance is a relatively new area for both companies and insurers. In the past, it has suffered from a lack of understanding. In a 2016 PwC survey of specialist insurance companies, around half of respondents confirmed they did not actively pursue cyber due to the perceived complexity of the risks and the limited experience of cyber losses preventing confident underwriting1.
In the last five years, cyber security incidents have increased by 67%, with the average cost of cybercrime to organisations increasing to US$13 million2. While cyber risks may be challenging for insurers to underwrite, they are driving a rapid growth in demand for cyber insurance products. This has made cyber one of the most promising areas of growth and innovation in the insurance market. The cyber insurance market is forecast to grow 33.8% annually in the next five years, expanding from US$2.9 billion in 2019 to reach US$16.7 billion by 20243. Given the scale of this opportunity, insurers will need to think long and hard if they are currently not actively pursuing cyber.
If insurers decide to offer cyber insurance products, they will want to ensure the risks of cyber incidents are shared fairly with their clients. However, there is little established market practice in respect of insured risks and exclusions for cyber. Applying standard exclusions applicable in other insurance products is often inappropriate and confusing in a cyber policy. A number of recent high-profile denied cyber claims and subsequent disputes have arisen as a result. These disputes have damaged the reputation of cyber insurance products and risk undermining confidence in the fledgling cyber insurance market, stunting its growth.
It will be critical for the success of the cyber insurance market that insurers and the insured have a common understanding of the risks that should be included in a cyber insurance policy and those which can be fairly excluded.
Insured cyber risks
Cyber insurance products are intended to cover losses resulting from cyber and data incidents, which may not be adequately covered by other insurance products. This will typically include the following losses and costs arising from a cyber incident:
First party liabilities
- Business interruption costs: Business interruption costs, including lost revenue during any period of downtime caused by the cyber incident.
- Repairs to software/data: Costs relating to the repair or replacement of software, and relating to the reconstitution of data following a cyber incident.
- PCI DSS fines: Fines and assessments payable to merchant acquirers and other payment service providers relating to a breach of the Payment Card Industry Data Security Standards (PCI DSS).
- Cyber extortion costs: Payments and expenses paid or incurred in response to threats to publish, sell, destroy or encrypt data, or damage networks.
- Incident response
expenses: Incident response expenses, including:
- Breach notification expenses: Costs relating to the preparation of breach notifications to individuals, regulators and contractual counterparties;
- Forensic investigation costs: Costs incurred in establishing the existence, cause or scope of a security incident and to stop or limit the incident. The policy will generally specify a provider (or panel of providers) who must provide these services;
- Legal expenses: Legal expenses incurred by the insured in receiving advice on a cyber incident. The policy will generally specify a law firm (or panel of law firms) who must provide this advice;
- PR and crisis management expenses: Public relations expenses incurred by the insured in receiving advice on a cyber incident. The policy will generally specify a provider (or panel of providers) who must provide these services;
- Credit monitoring costs: Costs of providing a credit monitoring service to affected individuals to help detect credit-related fraud and identity theft, and to alert individuals to changes in their credit report or score. This is typically provided for a period of time (e.g. six, 12 or 24 months) following a major incident; and
- Regulatory defence expenses: Costs incurred in the investigation and defence of regulatory actions/investigations.
Third party liabilities
- Privacy/security claims: Damages and defence costs relating to claims from third parties, such as customers, employees and business contacts due to a security incident. These claims may relate to breach of applicable laws, such as privacy laws, contractual breaches or breach of confidentiality.
- Business interruption claims: Damages and defence costs relating to claims caused by the business interruption affecting third parties (e.g. for unfulfilled orders, or unplanned service downtime).
- Electronic media liability: Damages and defence costs relating to claims for libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement resulting from publication of electronic data on the internet.
Excluded cyber risks and disputes
Cyber policies, as with all insurance policies, will include detailed exclusions from liability for the benefit of the insurer. Many of these exclusions are standard across many policies. However, if not adapted when applied to cyber, they may result in some of the most material cyber risks being excluded.
One of the most significant risks of a cyber incident for the insured is the risk of a hefty regulatory fine (e.g. for breach of privacy laws, or financial regulations). While these risks may be insured in principle in some cyber insurance policies, the policy will typically exclude fines that are not insurable by law. There is some significant uncertainty as to whether or to what extent regulatory fines are insurable as a matter of law in many jurisdictions. Given the scale of the risk, this is very unhelpful to both the insurer and the insured.
For example, under English law the doctrine of illegality (ex turpi causa) could in certain circumstances prevent the recovery of fines on the basis that this would be against public policy. The general position on illegality under English law was recently considered by the Supreme Court in Patel v. Mirza. The court decided a claim should not be enforced if it is harmful to the integrity of the legal system. Although this will be dependent on the facts, there are many who view fines under GDPR (which can be up to 4% of global turnover) as irrecoverable under a cyber insurance policy. The UK regulator, the Information Commissioner's Office (ICO), has not expressly stated if GDPR fines are insurable, but has suggested insuring fines "misses the point". This issue has not been tested in court, but it is likely to only be a matter of time. There is no uncertainty in relation to financial regulations, as the UK Financial Conduct Authority expressly prohibits the insuring of fines.
Similar uncertainties exist in other jurisdictions. There are few jurisdictions where regulatory fines are certainly claimable. If it is correct that they are not claimable, this would significantly reduce the risk transferred to the insurer (and devalue the policy to the insured).
In January 2019, the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches.
Acts of war and terrorism
It is standard practice for insurance policies to exclude liability arising from acts of war or terrorism. Where there is a declared war, troops landing or other "kinetic military action", this will be obvious to both the insurer and the insured. However, cyber warfare or terrorism is much harder to identify. Governments may in some cases allude to cyber incidents being linked to foreign powers, but this is difficult to prove and is often contested by the accused.
This exclusion has, however, resulted in cyber claims being denied and disputed. For example, a major insurer rejected a US$100 million claim for damage caused by the NotPetya cyber attack in 2017 (which crippled the computer systems of companies around the world), citing the exclusion for "hostile or warlike action in time of peace or war" by a "government or sovereign power". In effect, the insurer argued that the losses had been suffered as a result of hostile action taken by a foreign government. This was supported by statements made by the US and UK governments.
There are a number of similar claims currently being disputed and there is a concern that the aggressive use of the "war" and "terrorism" exclusions could undermine confidence in cyber insurance. However, it is important to note that the disputes which are in the public domain have generally not related to claims under specific cyber insurance policies, but so-called "silent cyber exposure" under non-cyber policies (see below).
Cyber policies will typically exclude any cyber incidents which existed prior to the insurance policy commencing. This is reasonable in principle, but in practice can result in a very broad exclusion. Cyber incidents are an unfortunate fact of life for most organisations which, despite their best efforts, will suffer a number of incidents in the course of a year. However, it may not have been obvious at the time an incident occurred, or the severity of the incident may not have been fully understood.
To ensure the exclusion is not too broad, policies generally acknowledge that the incident must be known to the insured at the time the policy commenced. In some policies, this is further limited by stating certain key executives must have knowledge of the incident. If proper cyber incident management plans are in place and implemented, this will generally result in senior executives becoming aware of serious incidents in any event.
Monetary and trading losses and reputational damage
The theft of money or securities will typically be excluded from a cyber policy. There are policies that exist to specifically address these risks, including the risk of "social engineering fraud", covering identity theft and fraudulent schemes perpetrated online (such as email phishing).
Similarly, a company’s share price or value will typically fall significantly after a major cyber incident and it may suffer significant reputational damage, resulting in a loss of business. These losses will typically be excluded by the policy. However, the costs of hiring public relations experts to mitigate the damage to the company's reputation are generally included in the insured incident response expenses (see above).
Silent cyber exposure (or coverage)
The most active area for disputes relating to cyber insurance claims have arisen from "silent cyber exposure". This occurs where claims for cyber incidents are made on policies which are not specific cyber insurance policies and may not have been intended to cover the extent of risks arising from a cyber incident.
For example, the US$100 million claim mentioned above arose from a claim under a property insurance policy that provided extended cover for "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction".
These policies may have been designed before cyber risks became so significant, or insurers may have permitted policy extensions to be agreed by insurance teams that are not specialists in cyber. Insurers are now reviewing their non-cyber policies and are likely to tighten the policy wording to exclude cyber risks. In the future, cyber risks are likely to need to be covered by specific cyber policies. In the meantime, insurers are likely to continue to aggressively interpret exclusions to deny claims for cyber risks where there is "silent cyber exposure" on non-cyber policies.
The insurance market has a hard-earned reputation for its ability to insure just about any risk (even Gene Simmons' tongue). Insuring highly complex risks is a matter of routine. In the long run, given the huge potential for growth of the cyber insurance market, insurers are unlikely to find cyber risks uninsurable. However, it will take time to establish clear market practice for cyber insurance policies.
In the short run, denials of claims arising from "silent cyber exposure" in non-cyber policies will continue to erode confidence in policies. Over time, cyber risks are likely to be clearly excluded where policies are not intended to extend to this coverage and disputes will decline. Insurers may be tempted to deny claims even under specific cyber policies on the same basis as under non-cyber policies. If this happens, it will inevitably have a much more detrimental effect on confidence and may permanently damage the growth of the cyber insurance market. Insurers should continue to introduce specific limitations to the exclusions in the cyber policy wording to give clients confidence that they will get what they pay for.
Insurers also need to be transparent about the risks that are not covered in a cyber policy. If clients understand this at the outset, the risk of disputes will be limited, confidence will grow and the cyber insurance market can fulfil its significant potential.
Tristan Jonckheer is a partner in Dentons Tier-1 ranked IT and Telecoms team in London. Tristan will be moderating a panel on this topic at Dentons' Gotham Insurance Symposium in New York City on 24 October 2019.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.