From privacy to premiums: the rise of cyber risk insurance
No longer a superfluous add-on
27 June 2019
As cyber breaches at corporate behemoths become increasingly common newspaper headlines and regulators continue to sharpen their teeth with new and more expansive powers of investigation and enforcement, our clients are starting to recategorise cyber security as a boardroom-level risk. This is even before considering the impact a cyber breach can have on an organisation’s revenue streams and business.
Technological and operational measures aside, corporates are mitigating risk upfront – before the event – in a number of ways, from notification matrixes (which document regulatory notification obligations) and legal privilege rule books to full-blown cyber incident response plans. One important means of risk mitigation is cyber insurance, which we are now regularly being asked about: is a dedicated cyber insurance policy worth it? If we take out cyber insurance, what will it cover? How do I reduce the premium? Of course, the answer to these questions will vary from one institution to another; however, in our experience, there are some general rules that always apply.
To start, conventional insurance policies are typically limited to more traditional business risks and will often expressly exclude losses relating to electronic data. Specific cyber cover, on the other hand, addresses these types of loss head-on.
A typical cyber policy will enable the insured to recover costs incurred in connection with response and investigation activities, as well as resulting litigation and regulatory actions. Higher-premium policies cover costs incurred in connection with liabilities owed to third parties, as well as first-party expenses. It is worth bearing in mind, however, that it is unclear whether – as a matter of English law – it is possible to insure against the cost of a regulatory fine itself (which is important, as fines under the General Data Protection Act can be up to 4% of global turnover). The issue is being considered by the Organisation for Economic Co-operation and Development.
There are other terms within the policy that require attention, from aggregate claim limits and sub-limits to coverage periods and territorial restrictions. Be aware of any obligation to notify the insurer within certain time periods. When does the period start (the occurrence of the incident or the point at which the company became aware of the incident)? What happens if notifying the insurer causes the insured to breach its legal obligations (either under applicable law or a contract with a service provider)? Similarly, what types of device does the policy cover? Often, an incident stems from an unencrypted device used by an employee (whether in contravention of the insured’s security policies or not) and this is not covered.
With regard to premiums, companies have found they are able to significantly reduce their premium by improving cyber security standards within their business (and, indeed, in some cases the insurer has made this a prerequisite to issuing a policy). Steps include refining encryption standards, institutionalising audit procedures and augmenting employee-facing cyber policies.
The market continues to evolve at an accelerating pace, but what is clear is that cyber insurance is no longer a superfluous add-on, nor will off-the-shelf policies be adequate for sophisticated organisations.
This article first appeared in Insurance Day