Murphy’s Law may not be enough
Everyone agrees data breaches and cyber attacks are on the increase, and that the size of potential losses is vast. Why then is take-up of cyber insurance still so low?
The Association of British Insurers says despite 90% of large UK businesses suffering a breach in the past year, only 10% have cyber-specific policies.
And XL Catlin Executive Deputy Chairman Stephen Catlin warned last month that cyber risk “has the potential to be the biggest, most systemic risk I have encountered in my insurance career”.
While he was speaking of massive attacks that may only be coverable through government-initiated reinsurance pools, Mr Catlin’s concern reflects a growing alarm within the insurance industry. Many industry leaders feel governments and businesses simply don’t understand the scale and consequences of a cyber attack.
As a paper from law firm Allens explains, there are significant gaps that could have disastrous consequences for Australian businesses.
It says many CEOs believe they are covered when they are not, putting faith in the traditional suite of business policies that has served them so well in the past.
Public and product liability, professional indemnity, commercial crime, directors’ and officers’ (D&O) liability, property damage and business interruption insurance cover many losses – but not all.
Public and product liability insurance covers compensation payments relating to personal injury or property damage.
However, property damage is generally defined as damage to, or loss of, tangible items.
“Under Australian law, tangible property is unlikely to extend to computer software and other data,” Allens says.
“Accordingly, the ‘property damage’ limbs of such policies would likely be of no assistance when a company is liable to pay compensation due to, for example, the destruction of a client’s valuable data.”
Even if tangible property is interpreted to include electronic data, some policies specifically exclude IT hazards.
Professional indemnity insurance protects against claims for financial loss arising from the performance of professional services.
This may be of use to an IT company that creates and maintains firewalls, if those were found to be deficient during a cyber attack. But for the average victim, errors or omissions are not likely to have occurred in the performance of professional services.
Commercial crime policies indemnify against losses resulting from criminal acts, which would usually include computer fraud.
However, loss is often narrowly defined as the direct financial loss of property, money or securities, excluding consequential losses. These could include business interruption, contractual penalties, court attendance costs, data reconstitution, legal expenses, or the cost of hiring an investigator or public relations consultant.
“Accordingly, many kinds of losses consequent upon cyber attacks may not be covered by commercial crime policies,” Allens says.
Crime policies may be useful if a hacker holds computer systems to ransom.
“Cover for extortion is generally broadly worded enough to cover these threats to computer systems, although companies should be aware that such coverage is typically offered as an extension of cover, rather than as part of the standard insurance offering.”
D&O insurance indemnifies the directors and officers of a company for claims in relation to wrongful acts.
“Directors and officers of a company that falls victim to a data breach may need to make a claim on this policy if, for example, that company has failed to adequately disclose any high risk of cyber breach to the market,” Allens says.
But the increasing frequency of cyber attacks is causing insurers to scrutinise mitigation strategies and, in some cases, exclude cyber risk.
Most businesses hold property damage and business interruption insurance, but Allens warns these policies are not well suited to covering cyber losses, because they typically require a physical damage trigger.
“Many property damage insurance policies contain general exclusions for losses in any way connected with the destruction, distortion, or misuse or misappropriation of electronic data, or a failure to send or receive electronic data, unless it is caused by a peril such as fire or flood or the theft of the physical computer hardware.”
As a result of these many gaps in traditional policies, specific cyber cover is now available.
Typical policies cover third-party compensation, associated defence costs, and fines and penalties imposed by government authorities.
Cyber insurance generally covers the cost of public relations and crisis management to avert reputational damage, and the cost of restoring data and repairing or replacing IT assets.
Loss of business income would be covered, as would cyber extortion expenses.
Too many businesses are still taking chances, and hoping the traditional suite of policies will bail them out if disaster strikes.
But, as Allens has shown, this is far from guaranteed.
It is crucial for companies to closely consider their cyber-risk profiles and determine whether existing policies are sufficient.
Without specific cyber insurance, they could be heading for a nasty fall.