As remote working has increased, so have cyber threats on the equipment used. Personal devices and home Wi-Fi do not have the same level of protection as systems based in an office, which are intrinsically more protected due to built-in security functionality and the company's infosec team. Ransomware attacks, malware and phishing have become a part of our everyday lexicon. The cyber insurance business is growing, and global premiums are expected to reach $20 billion by 2025.[1]
Businesses can indemnify themselves against losses sustained due to cyber incidents by acquiring cyber insurance, which provides cover for losses relating to damage to, or loss of information from, impairment of IT systems and networks.
When purchasing and negotiating cyber insurance, businesses should consider the scope and amount of cover, as well as their other security measures, carefully.
Businesses may believe that their existing insurance will cover the full range of cyber risks. In reality, that is highly unlikely. Cyber risks are broad, and they continue to develop and expand. As a result, standard insurance policies are likely to contain various exclusions relating to cyber losses.
For example, in the ongoing Mondelez v Zurich case[2], Mondelez International, Inc. brought a claim against Zurich American Insurance Co. for refusing to pay out on a claim for losses sustained due to the 2017 NotPetya cyber-attack. Mondelez held an all-risk property insurance policy with Zurich, which included coverage for "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction". Zurich denied Mondelez's claim on the sole ground that the policy excluded "loss or damage directly or indirectly caused by or resulting from … [a] hostile or warlike action". Zurich argued that NotPetya was created by Russian state actors targeting Ukrainian entities in a hostile or warlike action.
When purchasing cyber coverage, it is important to scrutinise the drafting of the policy and the exclusions therein from an information security perspective. The more you can negotiate to narrow the exclusions, the more likely you are to be able to make a successful claim under the policy. During negotiations, it is as important to understand the insurer's standpoint as to what its drafting covers, as it is to try to change the clauses. Once you understand how the insurer interprets its drafting and what it is happy to pay out on, you can ascertain whether this is appropriate to your business, or not.
When deciding which cyber cover to purchase, begin by listing the cyber risks that the company may face. Examples include property damage, business interruption, reputational damage, cyber extortion, loss of data or intellectual property, and regulatory penalties and investigations. Consider whether you require insurance against both first-party and third-party cyber risks. Unlike more traditional lines of insurance, cyber insurance can vary significantly in scope between different insurers and different policy forms. Standard form policies are very uncommon, and many clauses have yet to be tested in courts.
However, a few notable trends have appeared in the market, for example, cover rarely extends to regulatory fines. Most insurance policies will provide cyber cover for a company's computer networks and systems, but the definitions do not always extend to cloud-based services that may be used.
Where you have a specific expectation of scope of coverage, this should be discussed with the insurer to confirm that they will provide this coverage and that the policy you are purchasing provides it. Maintaining clear records of these discussions is important and may assist you to refute any future counterclaim by an insurer who does not want to pay out on your claim.
Often cyber insurance contains aggregate annual limits on cover, and policies can contain sub-limits on specific covers. Sub-limits are lower than the overall aggregate limit, e.g. the costs of replacing IT systems might have a specific cap that is only a fraction of the aggregate limit on cover under the policy. Check that policy pay-outs are large enough to be helpful to your company.
Having good safeguards against cyber risks can reduce the cost of premiums. The onus is on the insured party to keep details of their cyber security safeguards, plans and policies. The policy holder will usually have a duty to inform the insurance company about any change to their cyber security measures under their policy agreement. The insurance company may not be obliged to pay out on a claim if the information provided about the safeguards in place are inaccurate.
Insurance coverage is one part of an arsenal against cyber risk, alongside cyber security and risk management. There are several pitfalls to avoid during the purchase of cyber insurance, and it remains to be seen how policies will adapt now most employees will be working remotely more in the future. It is worth keeping an eye on any policy renewals to ensure that new exceptions have not been added in that regard. When purchasing a policy, you will need to carefully consider the scope and amount of cover on offer, the specific drafting of any exception, as well as ensuring your security measures are up to standard.
Written by Simi Khagram and Stephanie Lopes
[1] https://www.agcs.allianz.com/news-and-insights/news/cyber-risk-guide.html
[2] Mondelez v Zurich (No 2018-L-11008)
