14 November 2022

November - Cybersecurity – 3 / 7 Insights

Getting the most from your cyber insurance: a quick guide

Laura Singleton looks at what cyber insurance covers, what it usually excludes, and at how to get the best product for your business.

In a rapidly changing digital market, cyberattacks are on the increase. Given the speed at which cyber criminals are developing and the significant rise in organised crime, even well-protected companies are falling victim to cyberattack. This means appropriate insurance coverage to protect against and mitigate this risk is becoming increasingly important. So what can you protect, and how should you get the best product to help create a cyber-resilient company?

What is cyber insurance? 

Put simply, cyber insurance is a specific type of insurance cover to mitigate the impact of a cybersecurity incident. Cyber insurance may be a standalone product or specific coverage through a wider business interruption insurance or an IP/data loss policy. Subject to the nature of the insurance, a range of different types of incident may be covered, including both accidental loss or compromise of data and deliberate attacks from hostile parties. In a bespoke policy this can be whatever is agreed, and resulting damages and costs may be included. In a typical off-the-shelf policy, we would expect to see coverage for the following types of risks:

  • Data Exfiltration
  • Business interruption
  • Property damage
  • Loss of IP
  • Reputational Damage
  • Privacy claims (customers and employees and third parties)
  • Cyber extortion
  • Regulatory Investigations and Penalties  
  • Legal and crisis management costs

Cyber insurance aims to mitigate risk by providing cover against the financial effects on your business of certain types of loss and damage, including the legal costs and potential regulatory sanctions associated with a cybersecurity incident. This can be by supplementing gaps in an existing business interruption policy or obtaining a policy to cover all perceived cyber threats to your business.

Separate from the liabilities to businesses that may arise from cyber risk, directors are potentially individually liable for breach of their directors' duties where their action or inaction on cybersecurity issues has failed to adequately protect the interests of their members.  Having adequate cyber insurance may help them argue they have acted appropriately.

With the costs of cyber coverage rising steeply in recent years, directors may choose to invest in data breach prevention measures instead of paying high premiums. Insurance can be a useful tool but it cannot substitute for investment in IT security or the development of breach prevention and response protocols. Ideally organisations will have both insurance and practical cyber incident prevention measures in place.

What does cyber insurance cover? 

The extent of cover available has evolved over time and continues to develop rapidly and adapt to the changing risk landscape. Technological advancements and significant changes to working and business practices as a result of the pandemic have contributed to growing reliance on technology by businesses.  This has only created more opportunity for cybercriminals which has, in turn, led to a significant expansion of the cyber insurance market and an increasing number of businesses going to the expense of arranging cyber insurance. Despite rising premiums as insurers look to manage their own exposure, the cyber insurance market is growing fast and that growth shows no signs of slowing.  

What is covered?

The areas of cover available are often identified as falling into two distinct categories, first-party and third-party risks, which attract different cover. First-party risks are those suffered by the business itself and its data. Third-party risks relate to the losses sustained by customers and other third parties associated with the business.

Each policy will be bespoke and should be thoroughly reviewed to determine what is covered for your business. It is essential to clearly understand the policy, including cover, exclusions and exceptions. It is also worth noting that insurers can offer additional areas of cover depending on a particular business need / assessed risk.

Cyber insurance policies often cover the following first-party risks:

  • Incident management – the costs of investigating any cyber incident to establish the cause, threat actor and scope, including the costs of forensic IT consultants. This can also include the costs of interim IT security, often provided by forensic IT consultants.
  • Cyber extortion – the negotiation following ransomware attacks (payments to the threat actor for return of network access or specific data), including legal advice as to the legality of the payment and other risks. Ransoms themselves are generally not covered.
  • Privacy and data protection liabilities – costs and legal fees associated with privacy notifications required by privacy regulation. This can include services the business provides to its customers and employees as part of that, for example, credit monitoring. Fines are often covered only to the extent they are 'insurable by law' and, therefore, not as a result of the insured's own wrongful act or conduct.
  • Business interruption – costs due to network and necessary technology downtime impacting the business's ability to operate. Cover often includes loss of income and additional costs incurred in preventing further losses.
  • Reparation costs – the restoration of lost data, the capacity of a company's IT system and software costs.
  • Reputation management and PR – costs of PR consultants, reporting to the market, announcements, notifications to clients/employees and responsive statements, campaigns and advertising. Loss caused due to damage to the business brand is ordinarily an addition to the basic level of cover. 

Examples of third-party risks that are typically covered include:

  • Data breach compensation – claims made for personal data breaches and disclosure of confidential information, including compensation payments to affected individuals. There is potential for these claims to be brought via large group claims – where the individual claimants have suffered an identical breach and loss.
  • Liability to third parties for breach of contract – contracts containing confidentiality provisions and other obligations in respect of the safeguarding of specific data.

It is worth noting that to be within the scope of a policy, third-party claims are often required to be made during the period of cover.

Exclusions

As a result of the (continued) rapid growth of the cyber insurance industry, the extent of coverage and the typical exclusions are often hangovers from other policies, and the available coverage has been drawn from other policies in other sectors. As such, not all exclusions interact well with a cyber environment. This has led to coverage uncertainty and a growing number of claims arising from insurers seeking to deny cover following an incident.

Common categories of exclusion in cyber insurance which are often seen as controversial include:

  • War and Terrorism

    There is lots of commentary available on the applicability of the war exclusion, but there haven't, to our knowledge, been any significant decisions on this exclusion in the UK to date.

    There have been instances in other jurisdictions where the question of whether a war and terrorism carve-out applies has been up for debate. The industry had been closely watching the US case Mondelez v Zurich involving losses caused to Mondelez as a result of the well-publicised NotPetya attack. The NotPetya attacks have been blamed on the Russian government. Mondelez sought to rely on an insurance policy which isn't cyber-specific. The insurer, Zurich, sought to avoid the claim by arguing that the policy excludes loss or damage resulting from a hostile or warlike action. Unfortunately (for the interests of the cyber insurance sector), the claim was settled during the course of the trial, and therefore the industry has been deprived of a decision either way.

    In another US case also associated with the NotPetya attack, Merck & Co v Ace American Insurance Company, the Claimant insured sought to recover from its all-risk insurance (not specialist cyber insurance), and the insurer sought to rely on the war exclusion. The Court of New Jersey held that the war exclusion covered the "use of armed forces" and acts of physical force and not state-sponsored cyber-attacks – a very claimant-friendly decision in which the Court clearly sought to do justice to the insured.
  • Future loss of profits

    While business interruption is listed as a type of loss that policies broadly cover, it is essential to note that not all loss flowing from network downtime or a cyber incident will be protected. Loss of future profits is typically excluded from cyber insurance policies.  
  • Property damage and physical injury

    Although insurers cover loss of the data themselves, they will typically not cover physical technology/hardware and losses associated with failures of utility infrastructure, such as the internet (where that failure is not part of a cyber incident). Furthermore, physical injury to the person is also often excluded. If property damage is something that isn't covered by either an existing insurance policy or a cyber insurance policy, it is possible to negotiate an exception for specific hardware or tech. This is sometimes referred to as 'bricking', and negotiating it with your broker may be sensible where your business relies heavily on expensive physical tech.
  • Conduct/Malicious Acts

    Cyber policies will exclude deliberate acts by the insured and conduct of the insured's senior management (save where an employee's conduct is not committed or condoned by senior management as in WM Morrison Supermarkets plc v Various Claimants). In rare cases, they may also exclude negligent acts associated with a failure to take adequate steps to protect the company and/or prevent a cyber incident.

The broad spectrum of typical exclusions highlights the importance of insuring risks under affirmative policies, where the policy is explicitly stated as covering the loss. This avoids uncertainty and potentially expensive litigation to determine whether certain risks or a particular incident are covered.

Insurer Requirements

In addition to the typical exclusions listed above, insurance policies are likely to place certain requirements on the insured in order for cover to be provided. These often include the following:

  • Payment of excess and waiting periods – as with all insurance policies there will be excess and retentions in place. In addition, cyber policies sometimes specify that an incident (such as business interruption) must be for a minimum period and that cover will only take effect after that period. Insured parties should look to negotiate this time period down as far as possible to avoid the business having to become untenable before the policy will pay out.
  • Requirements/Consent – these can include the need for consent from the insurer before certain services or personnel are engaged in connection with an incident and in order to settle any third-party claims. Where consent is required, ensure this is identified in your incident response plan to avoid legal fees or forensic IT fees not being covered down the line. Many companies will engage their usual outside counsel first and only after some time realise that their insurance policy requires them to use a firm on their insurer's approved panel. This can cause delays to breach reporting and other crucial legal services, as well as leaving the company with additional, uninsured legal fees to pay.
  • Notification – an insurer will require the insured to notify (often within a certain time period) a cyber incident, circumstances giving rise to a potential claim and third-party claims. Failure to notify may result in that incident/risk not being covered so this type of requirement should also be noted in any incident response plan.
  • Duty to defend – more rarely seen but still present in some UK insurance policies, is a positive duty on the part of the insurer to defend claims made by third parties.
  • Other insurance – where the cyber insurance has been purchased to supplement an existing policy and the other policy is responsive, a cyber insurer may require that that policy is relied on first, and the cyber policy used only to cover the difference in loss and recovery under the other policy.

Practical tips for obtaining adequate insurance

So what is the best way to go about obtaining the right cyber insurance?

  • Consult a specialist broker - use a broker with experience in both cyber and crime policies and, if possible, insurance in your particular business sector.
  • Create a bespoke policy – given that cyber insurance cover can be particularly expensive, it may be worth carving out unwanted elements of cover (for example, where a business interruption or professional indemnity policy will cover some third-party cyber risks). Removing elements of the policy will likely reduce premiums; however, it will be important to consider this with your broker and take advice in order to gain comfort that cover will be adequate and, where you have additional insurance, how multiple policies will interact in the event of a claim.
  • Check for and comply with any cyber policy requirements – review carefully any requirements that the insurers have for cyber resilience, including specific security measures such as encryption, multifactor authentication and a certain level of antivirus software. Make sure these and any notification requirements are included in any risk assessment and incident response plan.
  • Consider the overall amount of cover and any cap on recovery - in addition to the scope of cover and exclusion.

Cyber resilience

While cyber insurance does offer businesses an opportunity to mitigate the significant financial and legal risks of a cyber incident, it is not a complete solution. In addition to taking out cyber insurance, businesses should look to improve their cyber resilience through other methods. To find out more about how to enhance cybersecurity and what to do in the event of an incident, visit our Global Data Hub. Alternatively, please do contact us to find out more.
