The Silent Cyber Uncertainty
In July 2017 the Prudential Regulatory Authority (the “PRA”) of the Bank of England issued Supervisory Statement (SS4/17) (the “Statement”) entitled “Cyber insurance underwriting risk”. The Statement was aimed at non-life insurance and reinsurance companies, and pronounced an expectation of them to identify, quantify and manage cyber insurance underwriting risk. Cyber insurance underwriting risks were described as resulting from insurance contracts which are exposed to cyber-related losses consequent to malicious and non-malicious acts, concerning tangible and intangible assets.
The PRA’s concerns were summarised into three parts. Firstly, have a clear cyber risk strategy and appetite, secondly ensure that you have the appropriate expertise to understand cyber insurance underwriting risk, and thirdly assess and actively manage all insurance products with respect to non-affirmative cyber risk exposures.
Non-affirmative or silent cyber refers to the possible cyber-associated exposures or perils arising from insurance policies which are not intended to cover cyber risks. The digitalisation and interconnectedness of most human activities has rendered cyber risk universal and inescapable, therefore potentially affecting a broad range of insurance products.
On 30 January 2019 the PRA issued a follow-up letter to provide feedback on the responses received from insurance and reinsurance companies, as well as to identify areas which the PRA believe requires focus for pragmatic management of cyber risk exposures.
In terms of non-affirmative cyber risk, most of the respondents agreed that the largest exposure was on casualty, financial, motor and accident and health insurance lines. Opinions on exposure varied significantly (between zero to full limit) in respect of property, marine, and aviation insurance. In some instances, this was as a result of companies applying exclusions or limitations to address cyber exposures, whilst in others there was a varied perception and understanding of cyber risk. Interestingly, some companies expressed concerns about how their reinsurance arrangements would respond to cyber-related losses in light of their own non-affirmative exposures. Finally, many companies admitted to shortcomings in their claims functions in terms of ability to distinguish and escalate non-affirmative cyber claims.
The PRA stated that they have connected with regulatory authorities internationally to try and achieve a coordinated approach to cyber insurance underwriting risk. Further, they will be meeting with insurers, reinsurers, as well as Lloyd’s to better assess the meeting of expectations identified in the Statement. The PRA expects to provide further feedback in the second half of 2019. An interesting thought is whether South Africa’s Financial Sector Conduct Authority (the “FSCA”) will be investigating this topic in a similar fashion.
Multiple Insurance Policy Overlap
A typical cyber insurance policy is made up of a number of insuring agreements which cover both first and third-party losses. First-party insurance pertains to the insured’s own loss, whilst third-party insurance covers losses concerning someone other than the insured for which the insured may be held responsible.
Most insurers’ policies do not offer all existing cyber insurance covers which are available in the market, and some combine certain sections. Thus, this article considers the most conventional cyber insuring agreements, and as well as where these covers may be found under other [non-cyber] insurance policies.
DATA RECOVERY AND LOSS OF BUSINESS INCOME
Coverage here is for loss of business income suffered by the insured following a security breach, computer virus, malicious code, accidental destruction of data, failure of their computer network or programming error. The data recovery portion relates to costs of restoring or replacing data, as well as the use of specialists and increased operation costs.
Certain property insurance policies may offer limited business interruption coverage related to computers or electronics. Insurers providing such policies should ensure that they understand the potential consequences following a cyber attack and contemplate whether such cover should be included hereunder.
CRISIS MANAGEMENT COSTS, CUSTOMER NOTIFICATION EXPENSES, CUSTOMER SUPPORT AND CREDIT MONITORING EXPENSES
This cover is in respect of crisis management costs, customer notifications expenses, and customer support and credit monitoring expenses following a security breach, privacy breach or breach of privacy regulations. This head of cover is absolutely instrumental to the cyber insurance policy as it provides the insured with access to public relations expertise, expertise in managing and understanding a data breach, as well as related expenses. The costs and time involved in a data breach are exorbitant, and if not managed correctly, could lead to serious reputational and financial consequences for the insured.
It is currently difficult to find other insurance policies which explicitly provide coverage of this kind. There is however the risk under errors and omissions policies that individuals could be held liable for losses caused to stakeholders.
Indemnity is provided for costs related to a demand for funds in order for the insured to avoid corruption, damage, destruction or denial of service to their computer network. Such claims include ransomware attacks, where the insured is unable to gain access to their data, which has been encrypted, unless a ransom is paid. The importance of this cover goes beyond the ransom paid, as it includes access to experts that are capable of negotiating the outcome with the hackers.
Kidnap and ransom insurance policies provide elements of this coverage. It may be advisable to ensure that the cyber insurance policy acts as the primary policy due to the breadth of coverage and access to very specialised expertise which is required to react to such threats.
This coverage protects the insured against damages and defence costs incurred due to libel, slander, invasion of privacy, plagiarism, infringement of copyright or trademark, or any liability arising out of publishing multimedia content. This is a peculiar cover under the cyber insurance policy as it requires no data breach at all. Interestingly, multimedia extends to physical as well as electronic format content.
There is overlap not only with traditional media liability insurance policies but also the advertising liability section of some general liability policies. If you are dealing with a media company, it is best to conduct a coverage comparison between a cyber insurance policy and a media liability policy. If media is not the core business of the insured, a cyber insurance policy is may be adequate.
SECURITY AND PRIVACY LIABILITY
This coverage protects the insured against damages and defence costs incurred as a result of a wrongful act following a security or privacy breach. Such wrongful acts include damage to electronic data, unauthorised disclosure of information, theft of data, negligent failure to disclose a breach, negligent failure to prevent transmission of computer viruses to third-parties, and breach of duty to maintain security or confidentiality of personal information as required under contract. Other covers here include the failure to prevent a denial of service attack from a computer network operated by the insured, and loss of employee personal information.
Such cover could arguably be inexplicitly found under errors and omissions policies such as directors’ and officers’ liability insurance and professional indemnity insurance. While these policies do not specifically cover losses resulting from data breaches, it could be conceivable that a director may be held liable for not ensuring that the company has adequate information technology (“IT”) security controls in place. Could an accounting firm claim under their professional indemnity policy if they are sued by a client that has had their personal information stolen from the accounting firm’s computer network? Would the professional indemnity insurer be successful in arguing that protection of personal information is not a part of their insured’s professional services?
PRIVACY REGULATORY DEFENCE AND PENALTIES
Indemnity is provided for damages and defence costs as a result of regulatory action against the insured following a privacy breach, security breach or breach of privacy regulations. It is important to note that cover is provided for fines and penalties (unlike most other insurance policies) to the extent that such is permissible by law.
Other insurance policies do not explicitly provide coverage for regulatory defence costs and penalties following a data breach. It is however possible that errors and omissions policies could be at risk should individual insureds be held liable for the loss.
The PRA has taken a very progressive approach in requiring insurers to identify, quantify and manage affirmative and non-affirmative cyber risk exposures. In order to be proactive, all insurers, reinsurers, intermediaries and insureds should, from their own perspectives, and where relevant, consider amongst other things, the following:
- Are we aware of explicit cyber-related exposures being covered in policies other than cyber insurance (the overlap of coverage)? Do we want to continue on this basis? Are we sub-limiting and/or addressing these exposures? Have we considered ensuring that the cyber insurance policy, as the more specific insurance cover, always acts as the primary cover in such instances?
- Do our reinsurance programmes adequately account for non-affirmative cyber risk exposures?
- Which of our policies are exposed to non-affirmative cyber risk? Do we want to specifically exclude cyber risk exposures on all policies? Do we want to adjust these policies to specifically include cyber risk exposures and sub-limit the coverage? What are our competitors doing?
Most importantly, are we all doing enough to improve our understanding of the complex and critical nature of cyber risk, privacy, big data, and IT in general? Competence around IT is fast becoming the norm in our digital world.
According to a 2017 publication by the Organisation for Economic Co-operation and Development (“OECD”) entitled “Enhancing the Role of Insurance in Cyber Risk Management”:
“Insurance can contribute to improving the management of cyber risk and should be considered an essential component of countries’ strategies for addressing digital security risks. The risk management expertise of the insurance sector should be leveraged to help countries address the risks inherent in the ongoing transition to a digital economy.”
“The insurance market, including re/insurance companies, brokers and relevant associations, have an important role to play in providing greater clarity about the coverage available for cyber risk and which policies provide that coverage.”
The global insurance industry clearly has a massive contribution to make, however, we are first required to fully understand cyber risk in an everchanging interconnected world.
As the Red Queen told Alice in “Through the Looking-Glass”:
“Now, here, you see, it takes all the running you can do to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”
Bob Bregman (2018), Cyber Risk: Understanding How Multiple Insurance Policies Intersect, IRMI.
Prudential Regulation Authority (2017), Cyber Insurance Underwriting Risk, Supervisory Statement 4/2017.