With the rise of cyber attacks and imminent implementation of the Protection of Personal Information Act (“POPIA”), it may seem that these days the most important business risk to insure against is cyber attacks. The purchase of a cyber risks policy should therefore be an easy decision to make, but many clients may be reluctant to purchase yet another insurance policy if they believe that they already enjoy cover under their Professional Indemnity (“PI”) or Directors and Officers (“D&O”) policies.
While it could certainly be postulated that data breaches could be entertained (to an extent) under any product which includes PI, it would certainly be prudent for brokers to ensure that their clients are adequately covered and are not relying on the existence of “silent cyber” to cover this risk. In fact, to avoid a situation where a policy is covering unintended cyber claims, many insurers have introduced silent cyber endorsements.
The silent cyber endorsement could affirm or exclude coverage depending on the product and risk carrier’s appetite. For example, certain sections of a Commercial Crime policy are intended to cover losses arising out of criminal acts perpetrated by way of a computer [fraud] and in respect of those sections, insurers may affirm the cover but then specifically exclude it in respect of areas where they would not wish to provide any cyber cover. On products like D&O and pension fund trustees, cover for cyber-related wrongful acts might be confirmed, whereas on a policy offering PI, insurers may totally exclude silent cyber.
Camargue’s cyber risks policy wording offers cover for errors and omissions as a result of professional services offered by technology professionals, as well as a host of cyber covers. If an IT provider failed to prevent a data breach and it could be shown that they were negligent in carrying out their professional duties, this would be covered under the PI section of the policy. However, should there be a data breach of their own network, this would not be covered unless they had also purchased all relevant cyber covers. To this extent, and for the avoidance of all doubt, insureds who only purchase Tech PI would have a total cyber exclusion placed on their policies.
Clients who are concerned about being held liable for data breaches should therefore be encouraged to purchase a cyber policy. The following will highlight some of the key covers available under the Camargue cyber risks policy:
Insuring Agreement 3 (Security and Privacy Liability) essentially covers the Insured for legal defence costs and damages for negligence in failing to prevent a breach. This applies to a breach of their own systems which compromises personal information, and to a failure to prevent a breach occurring through their own network. What is important to note is that the section specifically refers to the negligence of the Insured. In order to determine negligence, certain standards such as the reasonable man test and King IV Code will be considered.
Insuring Agreement 5 (Privacy Regulatory Defence and Penalties) is also important to note as it covers the awards, penalties and fines which the Insured can incur in terms of POPIA (or any other relevant piece of legislation), provided that these fines are insurable by law.
A privacy breach is also covered where it is the result of a malicious intentional act of an employee. This is a key cover which clients should ensure is in place, as it could result in a very costly breach where an employee intentionally releases confidential data.
From the above it can be seen that clients should seek absolute certainty around ensuring that they are adequately and appropriately covered in the event of their negligence leading to a cyber breach, and should not be relying on silent cyber. By highlighting the pitfalls of relying on silent cyber, and expounding on the importance of purchasing a cyber policy, clients can have confidence in their broker’s recommendation to purchase a comprehensive cyber policy.