The Insurance and Reinsurance Law Review: Cyber Insurance
I INTRODUCTION 1
As the use of cloud-based computing, electronic platforms and smart devices continues to increase, it goes without saying that businesses have had to adapt quickly to technological advances and the corollary demands of their customers.
With widespread cyberattacks becoming more common, cyber risk has become a subject of much greater concern for businesses of all sizes.2 Since the high-profile WannaCry and NotPetya viruses of 2017, we have seen attacks on a number of leading companies such as Facebook, Uber, British Airways and Marriott International.
The cybersecurity insurance market is expected to grow from US$4.52 billion in 2017 to US$17.55 billion in 2023.3 Given that the average cost of a cybersecurity breach is in the region of £0.6 million to £1.15 million (£65,000 to £115,000 for SMEs),4 it is of little surprise that businesses are increasingly looking to cyber insurance to provide additional levels of protection.
II WHAT IS CYBER RISK?
For insureds to be adequately protected against cyber risks, they must fully understand the potential exposures they face. Typically, cyberthreats come from:
- malicious external attacks such as data theft and cyber extortion (whereby external third parties illegally restrict access to their victim's computer systems unless and until a ransom is paid);
- malicious insiders (this could include deliberate acts by disgruntled employees who compromise their employer's systems or intentionally leak confidential or sensitive information); and
- accidental losses (such as human error and lost or stolen devices).
The above is by no means an exhaustive list.
In addition to understanding the potential risks a business could face, the impact of such risks must also be fully evaluated. Losses are typically categorised as 'third party' (where loss is suffered by third parties (such as customers)) and 'first party' (risk to the insured's own assets). Incidents involving the leak of client data can be particularly damaging to a company, as can attacks that prevent an insured from trading.
III CYBER COVERAGE
A raft of cyber products are available to insureds, which can be tailored to their particular circumstances, and there is generally no uniformity of terms across the market. Cyber coverage can typically be obtained for:
- Business interruption (e.g., in respect of losses resulting from a business being unable to trade owing to its website being compromised, thus preventing it from accepting orders). The indemnity will be subject to a time deductible or 'waiting period' as well as a financial deductible. The precise scope of cover, however, varies so that some policies will only respond where the insured alone was the target of the cyberattack that gave rise to the loss. Other policies will respond where the insured is the victim of an untargeted attack or incident.
- Loss of data. Cyber insurance typically provides third-party cover in respect of data breach. This will include cover for any liability payments that have to be made to individuals or corporations whose data has been lost or damaged by the insured as a result of a data breach. Usually, however, these costs are only payable where the quantum of the payment has been the subject of judicial ruling or is the result of a settlement that the insurer has endorsed. Typically, this cover also includes defence costs.
- Recovering and repairing data.
- Payment of compensation to customers for their loss of data.5
- Ransom demands. Extortion is one of the most common forms of cyberattack. It occurs when an attacker disables the insured's computer systems by contaminating it with 'ransomware'. The system can only be unlocked by payment of a ransom, which is often relatively low and to be paid in bitcoin or other cryptocurrency. The relatively modest level of the ransom payment is intended to encourage early payment and to prevent the response to the attack being 'escalated' outside the insured's own organisation. First-party cyber insurance will usually provide cover for such payments. Many, but not all, policies will also indemnify the insured when a ransom is paid in response to a threat to disable its computer system but before any attack has actually been carried out.
- Expenses associated with an attack. Some, but not all, policies will provide insurance for associated costs such as call centre costs to deal with enquires from individuals whose data has been lost or destroyed, credit monitoring and Payment Card Industry Data Security Standard expenses.
- To the extent insurable at law, losses associated with complying with regulatory investigations and the related defence and enforcement costs.
- Incident response. More complex policies provide an incident response package that will include public relations and legal advice as well as technical assistance to address the IT vulnerability that gave rise to the breach.
Significantly, the High Court has held recently that bitcoin and other cryptocurrencies are 'property'.6 This may well have consequences for the scope of cover granted (deliberately or otherwise) by insurers. As in this case, however, this ruling may also assist insurers in their attempts to subrogate against hackers by, for example, obtaining a propriety injunction over cryptocurrencies believed to have been paid in settlement of ransoms.
IV POLICY TERMS AND FEATURES
There is no standard form or template for a cyber insurance policy and the clauses included in the policy may vary significantly. There are, however, some policy requirements that are almost universal, including the following.
i Claims-made cover
Cover under cyber policies is invariably provided on a claims-made basis, that is to say that the policy will respond to claims that are made within the policy period or within an agreed extended notification period after the policy has expired. In the latter circumstance, however, the claim will normally have to arise during the policy period to be accepted. Usually, policies will also respond to claims arising from circumstances that are notified within the policy period. A circumstance in this context is an incident or event that the insured believes may give rise to a claim against it at a later date. If the circumstance is notified during the policy period, any subsequent claim arising from that circumstance will be covered under the policy, regardless of when the claim itself occurs.
It is a requirement of all cyber policies that any claims against the insured that are covered under the policy are notified to the insurer within a specified period. The precise time will vary depending on the policy and may be anything from 'immediately' to 'as soon as possible', 'promptly' or 'as soon as practical', or within a fixed number of days of the insured becoming aware of the claim. These requirements are almost always conditions precedent to the insurer's liability; cover can be refused if the claim is not notified as required. Most policies also require the insured to notify circumstances that may give rise to a claim.
iii Claims control
Under cyber policies, the insurer usually has the right (but not the obligation) to take over the management of the insured's response to any third-party claim. Where this right is not exercised directly, it is likely to be a condition precedent to coverage under the policy that the insured does not admit liability or enter into negotiation or settlement with a third-party claimant without the insurer's written consent.
iv Claims cooperation
Cyber policies also require that the insured provides the insurer with all information and data about the claim that is reasonably requested and cooperates fully with the insurer in the management of the claim and in the defence of any third-party claim. These provisions are often conditions precedent to the insurer's liability, with the result that the insured's failure to comply with them will discharge the insurer from liability for the claim.
v Other common terms
Other terms commonly found in cyber policies include obligations on the insured to:
- notify the authorities of any extortion attempt;
- take reasonable steps to mitigate loss and to preserve the insurer's rights of subrogation;
- preserve evidence;
- take reasonable steps to avoid loss, for example, by ensuring software is patched regularly and firewalls are in place; and
- not to disclose the existence of the policy to any third party.
vi Important policy exclusions
As noted, there is considerable inconsistency in the scope of coverage offered under a cyber insurance policy and, therefore, in the policy exclusions. Some important exclusions that are commonly included, however, cover the following areas of loss:
- physical damage and personal injury, whether directly or indirectly caused by a cyber event;
- contractual liability – this provision excludes cover for losses incurred by the insured following a cyber event as a result of its contractual liabilities, except to the extent that such liability would have attached in any event;
- losses occurring prior to the retroactive date – all cyber policies include a retroactive date. Cover is excluded for losses occurring prior to that date even if the loss is only detected and notified during the policy period;
- losses resulting from the fraud, dishonesty or reckless conduct of a director or senior officer of the insured;
- claims resulting from the insured's use of unproven or illegal software;
- claims resulting from the failure of the cloud or other utilities or external services;
- employer's liability claims; and
- losses recoverable under another insurance policy.
V INTERACTION WITH OTHER INSURANCES AND 'SILENT CYBER'
Cyber insurance policies will generally purport to exclude physical losses and, increasingly, property policies will also seek to exclude cyber-related incidents. However, there are instances where policies will not explicitly include or exclude cyber-related losses (known as 'silent' or 'non-affirmative' cyber cover). The High Court's decision that cryptocurrencies are 'property' for legal purposes7 has added a further level of complexity to this issue. The question of whether a non-cyber policy would respond to cyber losses is untested and will turn on the construction of the specific policy wording.
Silent cyber is best illustrated with examples:
- A computer is hacked and compromised in such a way that leads to it overheating, causing fire damage to the insured's and a third party's property. In this situation, which of the insured's policies should respond (property, liability or cyber)?
- A law firm's computer systems are hacked resulting in client data (or money) being lost. This may give rise to a claim under the firm's professional indemnity policy as well as its cyber policy.
The UK regulators are aware of issues relating to silent cyber and the Prudential Regulatory Authority has issued regulatory guidance,8 which sets out how it expects insurers to 'introduce measures that reduce the unintended exposure' to cyber risk from physical and non-physical damage. In July 2019, Lloyd's mandated that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.9
The importance of precise exclusions can be highlighted by reference to a common 'cyber exclusion' known as the CL380 clause. In summary, this clause is designed to exclude losses caused by malicious cyberattacks. However, the onus will be on insurers to prove that the cyber incident was malicious and any inability to do so will mean that the exclusion does not bite. This is because CL380 does not deal with non-malicious cyber issues, which are, in many cases, just as common. In these instances, the CL380 exclusion clause would not apply and the insurer may still face liability. New exclusion clauses are now being introduced, but the CL380 clause can still be found in many policies.
VI CYBER REGULATION
As well as being a pressing issue for businesses, UK and EU legislators have introduced new regulatory regimes that go some way towards mapping out baseline cybersecurity standards. One of the key pieces of legislation is the General Data Protection Regulation EU2016/679 (GDPR), which overhauled previous data protection rules and requires data controllers and processors to ensure that appropriate measures are in place to protect against unlawful processing of personal data. The GDPR is reflected in the United Kingdom in the Data Protection Act 2018.
The Security of Network and Information Systems Directive EU 2016/1148 (the NIS Directive) was also implemented by EU Member States in 2018.10 Broadly speaking, the NIS Directive purports to ensure the reliability and security of network and information systems across the European Union by requiring certain 'operators of essential services' (such as energy, transportation and banking sectors (as well as others)) and 'digital service providers' (online marketplaces, search engines and cloud computing services) to adopt appropriate measures to manage cybersecurity risks. Non-compliance with the GDPR and the NIS Directive will expose firms to significant fines.
Both pieces of legislation are likely to continue to apply and remain in force in the United Kingdom notwithstanding Brexit, and they illustrate the additional regulatory burden that businesses are having to comply with and insure against.
1 Simon Cooper is a consultant at Ince.
2 In a Cyber Governance Health Check report published by the Department for Digital, Culture, Media and Sport, it was found that 54 per cent of boards surveyed viewed cyber as a top-level risk. Source: HM Government: FTSE 350 Cyber Governance Health Check Report 2017 (July 2017), https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635605/tracker-report-2017_v6.pdf.
3 'Global Cyber Security Insurance Market 2018 Size, Overview, Trends, Various Insurance Types, Applications, Key Player's Competitive Analysis & Growth by 2023', Reuters. https://www.reuters.com/brandfeatures/venture-capital/article?id=36676.
5 See Vidal-Hall v. Google Inc  EWCA Civ 311 where the Court of Appeal held that victims of a data breach could recover compensation for distress associated with a contravention of the Data Protection Act 1998, even in circumstances where no direct financial loss had been suffered by the claimant. This principle was subsequently applied in a case against the Home Office (TLT and others v. The Secretary of State for the Home Department and the Home Office  EWHC 2217 (QB)), where a number of asylum seekers' personal data was wrongfully published on the Home Office website. The claimants in this instance were each awarded between £2,500 and £12,500. While the amount of damages a court may award will be determined on a case-by-case basis, these cases demonstrate that a cyberattack resulting in a large volume of data being compromised could result in significant third-party liability.
6 AA v. Persons Unknown  EWHC 3556.
7 AA v. Persons Unknown  EWH 3556.
8 See PRA Supervisory Statement SS4/17.
9 See Lloyd's Bulletin Y5258.
10 In the United Kingdom, the NIS Directive has been introduced by the Networks and Information Security Systems Regulations (2018 No. 506).