Cyber Insurance: Debunking the myths

The ongoing Mondelez case relating to losses incurred as a result of the 2017 NotPetya attacks shines a spotlight on the collateral fallout of what appeared to be nation state on nation state aggression. It also raises questions about the efficacy of cyber insurance, the ultimate comfort blanket for an uncertain world.

To get some clarity on this fascinating and timely topic, our global head of Cyber, Simon Shooter interviews Will Wright, a Partner in the Cyber Risk practice at Paragon Brokers, to help us answer some challenges and clear up a few common misconceptions relating to Cyber insurance.

Will, let’s start with the leading thorny subject: war, terrorism and crime exclusions. I have been warning my clients to check these definitions, as, since the first cyber policies were made available in the UK market, surely any half capable lawyer could argue that the majority of cyber attacks fall within one of these exclusions? Has the insurance industry really been selling us fresh air?

First and foremost it’s important to note that while Insureds think of risk, Insurers think about consequences , and there are naturally many consequences to cyber risk which need to be considered more broadly than solely in a cyber policy: think property, kidnap and ransom, general liability, crime and D&O (Directors and Officers liability) to name a few. There are stand-alone insurance markets available to write war and terrorism risks. Perhaps as a result of being an adolescent in the company of more mature insurance markets – the cyber market’s crowd-pleasing tendencies have meant it’s borrowed from other sectors – cyber-crime and cyber terrorism are good examples. Exclusions tend to be the only way the insurance community moderates its enthusiasm to ‘crowd-please’ and, put simply, a cyber product may have social engineering coverage grant for funds transferred erroneously to a third party, but also reference a theft of funds exclusion. If the funds were stolen (not transferred, even if duped by criminal or illicit behavior), then here is the first battle line: this is deemed a crime loss, and therefore excluded so as to be covered by the crime market. War is pretty clear-cut – there is a specialist war market – and any other markets are usually prevented from insuring war risks, either by their own mandate, by that of their reinsurers, or by their regulator (Lloyd’s of London for example, but only for those syndicates it governs). Terrorism is where most discussion should be focused, because in a desire to cover a cyber peril otherwise not always covered by the terrorism market, cyber policies have started to offer coverage for cyber-terrorism.

With the uncertainty stemming from the Mondelez and Zurich American case with the possibility of a judgment for or against the application of a war exclusion clause, what should the holders of cyber insurance be doing now and what should people renewing or buying cyber insurance be asking of their brokers and direct insurers?

Change is afoot in the cyber market, with a number of Lloyd’s syndicates currently in discussion to help standardise a new generation of cyber clauses for war and terrorism. This will ultimately result in clarity for insureds and the broking community. This is likely to not be resolved in any meaningful way until late 2019, so in the meantime cyber insurance buyers should ensure that any war exclusion is carved back for risk otherwise covered by a cyber terrorism grant, and should pay attention to the language of the cyber terrorism grant to identify the sorts of unattributed, but alleged, state sponsored acts that resulted in dissemination of the NotPetya virus.

It seems unlikely that the Mondelez case will go to a court decision as the insurance industry is unlikely to wish to have a determination on the point. If it doesn’t what must the insurance industry do to smooth the ruffled feathers caused? Presumably a deal of effort is being put into finding a new formulation that permits cover for the innocent insured who unwittingly gets hit by the collateral fall out of a nation-on-nation cyber attack. What precedents are there in the non-cyber world for the enforcement of these exclusions and how insurers can work around them? For instance, what was the insurance response to 9/11 and business interruption claims, or the impact to real estate and businesses of the IRA bombing campaigns in London in the 70s/80s?

It may sound crass, but the reality is that collateral damage from alleged state sponsored acts are, and have been, covered by the cyber market for years. The debate raging between Zurich and Mondelez is somewhat misguiding attention to cyber policies and their effectiveness, rather than focusing on the fact that a property and casualty (P&C) insurer (Zurich) is looking to exclude cyber risk from Mondelez’ P&C policy. So, nothing to do with the cyber market. In practice we’ve seen claims from the same proximate cause (NotPetya) covered under cyber policies, and the debate in the cyber market is less whether the terrorism or war clause should prevent such claims; rather, it’s to determine where known and attributed state sponsored attacks meet warlike acts in nature, and to ensure that we are crystal clear on what coverage is expected and afforded under a cyber policy.

Let's look at crime exclusions: surely any cyber attack, as opposed to inadvertent data loss, could qualify as a crime? The Computer Misuse Act appears to support most aspects of cyber attack, however GDPR criminalise it. How have cyber insurance policies dealt with crime and crime exclusions? Are there things people need to watch out for?

This is a fairly complex topic, in so much as there is clearly a difference between cyber-crime and traditional crime, but should there be a difference in how its underwritten and who underwrites it? It’s certainly our (Paragon’s) position that crime should be underwritten by the crime market, however so it occurs. The reality is that crime exists and is available in K&R (Kidnap & Ransom) policies, crime and D&O policies, cyber policies and property policies. As long as it IS available under these policies, an insureds’ broker should be a. helping them to understand where coverage does and doesn’t exist in their insurance portfolio, and b. ensuring that the respective policies respond in the correct and most financially beneficial order (deductibles, coverage and limits could all vary).

Moving on from exclusions, one area of confusion in the cyber insurance world that could do with a bit of simple explanation is the first party / third party distinction in insurance contracts. Can you help us understand the difference and the relevance of the two focuses? How does the split of first party and third party insurance affect Cyber insurance? Do bespoke cyber policies have the same spilt and what do I need to look out for?

Ideally, a cyber policy will have the same aggregate limit applicable to first party losses as to third party losses. This way, claims disputes between the two coverage sections are minimised, and both clients and insurers know that it doesn’t matter whether it’s first or third party loss, either it's covered or not covered! First party risks are those that are borne by the insured directly, rather than those initially borne by a third party, to be later brought against the insured as a liability. Examples of first party losses would be costs incurred to replace or restore damaged, corrupted or lost data following a cyber-attack, or the loss net income incurred following that same event. An example would be the costs borne by the insured to employ a PR consultant following a breach, or the costs to appoint legal counsel to review the breach and provide legal support. An example of third party losses would the costs to settle a privacy lawsuit, or to settle a law suit citing the failure network security practices in creating a loss to a customer or client.

Being covered for business interruption and data reinstatement is all well and good, but will we be covered for the loss of monies from our accounts if we fall for a business email compromise attack and the accounts team follows what seems to be a genuine instruction from our CEO to transfer those completion funds to a new bank account?

This is another complex area where in simple terms, yes, there is coverage usually afforded under a social engineering / e-crime or cyber-crime coverage grant, but these can sometimes be restricted to scenarios where the insured's network needs to be compromised, which of course doesn’t always happen in reality. Whilst some cyber carriers may offer broad enough coverage, this is not commonplace and it’s a good example of where the crime market would be far better suited to pick up the risk exposure.

Over the years I have heard many people professing that they have all the cyber insurance they need under their existing polices, such as data loss cover and business interruption under their general business insurance. Are they deluded? Surely it can’t be as simple as that?

We would never suggest that this attitude is deluded, but it is certainly a highly inappropriate response to an extremely complex risk area. The litigation between Zurich and Mondelez is a good example of a situation where the property market is trying to avoid a cyber claim (it is worth nothing that the same type of claim was indeed paid by numerous cyber markets following WannaCry in 2017 and NotPetya in 2016). Stand-alone cyber insurance is vital, if for no other reason that the coverage is fit-for-purpose and broader, and the critical incident response services provided will be by specialists who handle these events on a daily basis. The biggest improvements in cyber policies have largely come in the last 3 or 4 years, and always focus on claims response. Would you want a cyber insurer to respond to a property claim, or would you prefer to leave that to the property experts? The same applies here. Either the claims response under ‘general’ lines policies will not be as advanced and appropriate as under a cyber form, or the coverage will be lacking ,most likely both. This is actually a topic being reviewed thoroughly by Lloyds of London, and is termed as ‘silent cyber’ so as to create a more defined approach where coverage isn’t silent, and clients can rely on affirmative coverage grants for cyber. This will likely result in cyber-crime moving closer to the crime market; physical cyber risks moving closer to the property market; and intangible cyber risks staying in the cyber market.

The financial impacts of the spectacular global cyber attacks are reported to be in the multi millions: for example, Maersk publicly stated the cost of the NotPetya attack that also hit Mondelez was $300million. Is there adequate coverage available in the market and how do I sensibly set the level of cover for my policy?

The cyber market is approaching $5bn in premium globally, with individual limits in the combined US and London insurance markets reportedly above $700m in some cases – so it’s fair to say that we are not suffering from a shortage of capacity. Of course, there will always be certain industry sectors that struggle to obtain the broadest coverage or the highest limits, but in general terms, capacity is abundantly available. Modelling an individual client’s cyber risk and exposure is ideally managed through a client/broker evaluation. Whether it’s by doing an old fashioned risk-register review with a client, or by introducing some of the technological capabilities available these days, it is quite plausible to model a client's risk profile and potential financial loss with reasonable accuracy.

Some of the policies I have seen offer free response support in the event of a cyber attack. I haven’t seen policies offering services to support building cyber resilience. Wouldn’t insurers be better helping their customers to better protect from attack than offering a band aid after the event? Are there policies that will enable me to lower my premium if I can show I have top notch cyber security and incident response capabilities?

Whilst there are some insurers willing to offer risk management bursaries, these tend to only be applicable to clients spending large sums of money on insurance. The first step to cyber risk resilience is not cyber insurance of course: it is and should always be internal risk management, marrying up internal policies and procedures with appropriate technological protections. Insurance is the back-stop which responds when these policies, procedures and technologies fail to absolve a business of its cyber risk. Yes, there is a correlation between strength and depth in these protections and a lower risk profile, but with such an abundance of cheap insurance capacity available, these risk management tools will likely ensure a better all-round product with broader coverage and the most cost efficient pricing, rather than reducing premium specifically based on cyber controls. This will no doubt change in time, but for now a healthy approach to risk management is the entry level requirement for cyber insurance. Clients who cannot demonstrate this may find themselves being offered limited coverage or perhaps not even being offered coverage at all.

With cyber attack a daily occurrence and the wider cyber security industry predicting sustained levels of cyber crime and soaring financial impact, do you expect premiums to climb steeply? Should we be buying now?

The market has grown responsibly over the last 5 years, and we’re now at a point where we can absorb significant losses without creating a seismic wave in insurance pricing. An example of this would be the reaction to the Marriot breach which implicated 500m individuals worldwide – where the only meaningful issue clients may have felt would be the pricing of limits in excess of £200m, which are perhaps less competitive now, than they were 2 years ago. There is an abundance of capacity, and that creates a great deal of competition, and ultimately a buyers’ market. We’re likely to maintain the current status quo for a few more years, and as data monitoring improves, and as losses continue to be paid at an increasing rate, we’ll likely see a correction. It is, however, a correction our market is working hard to ensure is steady and risk appropriate. We constantly hear people saying “cyber will be the next D&O”, and I’m not a crystal-ball-gazer, I can’t agree with that statement. The underlying factors that implicate a cyber policy are so varied and constantly changeable that the mechanics that drive D&O claims, simply cannot be the same as in cyber. We can have a market correction, but by no means should we expect the cyber market to track the D&O market. We’re many years off that.

I have always recommended that my clients search out insurance brokers who truly understand cyber risk to assist them in working out their best cyber insurance solution. Being a specialist cyber insurance broker I don’t expect you to say that but are there some top tips you can offer to people who may be renewing or procuring cyber insurance?

Of the retail brokers in the UK engaging with clients on this topic there are realistically only a small handful who have deep knowledge and experience in this sector, and Paragon is certainly one of them. With only 4 or 5 brokers to choose from its clients want comfort that their broker has the experience and understanding of this class of insurance. All brokers should be willing to do a little ground work for a prospective client before engaging with them, so don’t be shy in asking them to do a bit of technical work up front before you renew or procure the product. It’s also worth reviewing your other lines of insurance to address where ‘silent’ or ‘affirmative’ cyber coverage may already exist.

William Wright
Partner, Cyber Risk
Paragon Brokers
Tel: +44 (0)20 7280 8252
Email: [email protected]