The Insurance and Reinsurance Law Review: Cyber Insurance

I Introduction

Rapid advances in technology, growing interconnectivity and increasing digitalisation are transforming the way we live, work and communicate, and are changing business operations at an unprecedented pace. According to the UK government's National Cyber Strategy 2022,[2] we are likely still in the early stages of a long-term structural shift, and the coming decade will see the continued rapid expansion of data and digital connectivity to almost every aspect of our lives.

The digital transformation has brought enormous opportunities for businesses to create and access new markets, innovate products and services, and increase productivity and efficiency. However, as organisations of all sizes, and across all sectors, increasingly rely on information technology and digital services, their exposure to new and evolving risks arising from disruption by cyber incidents also increases.

Cyberthreats are significant and growing. The UK government's Cyber Security Breaches Survey 2021[3] found that four in 10 businesses (39 per cent) reported having cyber security breaches or attacks in the previous 12 months, rising to 65 per cent of medium businesses (50 to 249 employees) and 64 per cent of large businesses (250 employees or more).

Malicious actors including criminal groups, activists and nation states use an expanding range of cyberattacks to access and control computer networks or systems and the data held on them. When targeting businesses, cyber criminals typically aim to steal intellectual property and personal data, carry out electronic fraud, or extort the target by threatening to disrupt systems or compromise confidential data unless a ransom is paid.

Since the high-profile WannaCry and NotPetya viruses of 2017, we have seen a series of data breaches involving leading companies such as Facebook, LinkedIn and Marriott International, and high-profile cyberattacks such as the ransomware attack on the Colonial Pipeline Company in May 2021, which shut down the largest fuel pipeline in the United States for several days and led to fuel shortages.

At the same time, tightening regulation, particularly the introduction of the General Data Protection Regulation (EU) 2016/679 (GDPR) in 2018, has driven an increased awareness of cyber risks and data security as the risk of regulatory fines has increased. In 2020, the top administrative court in France (Conseil d'État) upheld a record fine of €50 million imposed on Google for GDPR breaches by the French data regulator (CNIL). Other fines were significantly reduced in 2020 as a result of the economic impact of covid-19. For example, the £20 million fine imposed by the UK Information Commissioner's Office (ICO) on British Airways for a data breach that affected more than 400,000 customers was considerably smaller than the £183 million that the ICO originally said it intended to issue in 2019.

As a result of the increasing frequency of cyber incidents and the potential severity of their consequences, it is of little surprise that cyber risk has become a subject of much greater concern and businesses are increasingly looking to cyber insurance to provide additional levels of protection. The UK government's Cyber Security Breaches Survey 2021[4] found that 77 per cent of boards surveyed viewed cyber security as a high priority. The global cyber insurance market is expected to grow from US$7 billion in gross written premium (GWP) in 2020 to US$20.56 billion in 2025.[5]

II What is cyber risk?

For insureds to be adequately protected against cyber risks, they must fully understand the potential exposures they face. Typically, cyberthreats come from malicious acts (such as data theft and cyber extortion) and non-malicious acts (such as human error and accidental loss of data). Malicious acts include external cyberattacks (such as malware or phishing attacks) and insider threats, which typically involve a disgruntled employee using their access to their employer's systems to steal or leak confidential or sensitive information for financial or personal gain.

The most common types of malicious cyberattacks are:

  1. Malware. Malware is a broad term used to describe any malicious software that is created with the intention to harm a computer, network or server. It includes viruses and worms that can self-replicate and spread to other computers, and spyware that illicitly monitors a user's activity and steals data.
  2. Ransomware. Ransomware is a type of malware that encrypts systems and data so they cannot be accessed. The attacker then demands payment of a ransom through cryptocurrency in exchange for decryption.
  3. DoS attacks. Denial-of-service (DoS) attacks attempt to take websites offline by flooding a network or server with bogus requests until it can no longer respond.
  4. Phishing. Phishing is a type of cyberattack that uses social engineering to deceive a victim into revealing information or granting access to their computer. A phishing attack is often the start of further attacks, such as the installation of a virus or ransomware, or a MITM attack.
  5. MITM attack. In a man-in-the-middle (MITM) attack, the malicious actor eavesdrops on a conversation and impersonates one of the parties with the aim of stealing information, such as personal data, passwords or banking details to complete a fraudulent transaction.

The above is by no means an exhaustive list. The cyberthreat landscape is constantly evolving as malicious actors develop new techniques to exploit vulnerabilities in IT systems and circumvent cyber defences, and new strategies to leverage their malicious activities.

In addition to understanding the potential risks a business could face, the impact of such risks must also be fully evaluated. Losses are typically categorised as 'third party' (where the loss is suffered by a third party, such as a customer) and 'first party' (risk to the insured's own assets). Incidents involving the leak of client data can be particularly damaging to a company, as can attacks that prevent an insured from trading.

III Cyber coverage

Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Cyber cover may be purchased as a stand-alone product or as add-on coverage to traditional lines of business such as commercial property, business interruption or professional indemnity insurance. A raft of cyber products are available to insureds, which can be tailored to their particular circumstances, and there is generally no uniformity of terms across the market. Cyber coverage can typically be obtained for:

  1. Incident response management costs. Many policies provide an incident response package to provide assistance with and management of the incident itself. This generally includes IT forensic consultants to contain the IT vulnerability that gave rise to the breach and restore systems and recover data, public relations consultants and lawyers to advise on obligations to notify data breaches to regulators and data subjects.
  2. Business interruption from network downtime (e.g., in respect of losses resulting from a business being unable to trade owing to its website being compromised, thus preventing it from accepting orders). The indemnity will be subject to a time deductible or 'waiting period' as well as a financial deductible. The precise scope of cover, however, varies so that some policies will only respond where the insured alone was the target of the cyberattack that gave rise to the loss. Other policies will respond where the insured is the victim of an untargeted attack or incident.
  3. Cyber extortion. Ransomware is one of the most common forms of cyberattack. First-party cyber insurance will usually provide cover for payment of ransom demands to restore access to encrypted systems or where the attacker threatens to release data. Many, but not all, policies will also indemnify the insured when a ransom is paid in response to a threat to disable its computer system but before any attack has actually been carried out.
  4. Loss of data. Cyber insurance typically provides third-party cover in respect of data breach. This will include cover for any liability payments that have to be made to individuals or corporations whose data has been lost or damaged by the insured as a result of a data breach. Usually, however, these costs are only payable where the quantum of the payment has been the subject of judicial ruling or is the result of a settlement that the insurer has endorsed. Typically, this cover also includes defence costs.
  5. Recovering and repairing data.
  6. Payment of compensation to customers for their loss of data.[6]
  7. Expenses associated with an attack. Some, but not all, policies will provide insurance for associated costs such as call centre costs to deal with enquiries from individuals whose data has been lost or destroyed, credit monitoring and Payment Card Industry Data Security Standard expenses.
  8. To the extent insurable at law, losses associated with complying with regulatory investigations and the related defence and enforcement costs.

Significantly, the High Court has recently held that bitcoin and other cryptocurrencies are 'property'.[7] This may well have consequences for the scope of cover granted (deliberately or otherwise) by insurers. As in this case, however, the ruling may also assist insurers in their attempts to subrogate against hackers by, for example, obtaining a proprietary injunction over cryptocurrencies believed to have been paid in settlement of ransoms.

IV Policy terms and features

There is no standard form or template for a cyber insurance policy and the clauses included in the policy may vary significantly. There are, however, some policy requirements that are almost universal, including the following.

i Claims-made cover

Cover under cyber policies is invariably provided on a claims-made basis, that is to say, the policy will respond to claims that are made within the policy period or within an agreed extended notification period after the policy has expired. In the latter circumstance, however, the claim will normally have to arise during the policy period to be accepted. Usually, policies will also respond to claims arising from circumstances that are notified within the policy period. A circumstance in this context is an incident or event that the insured believes may give rise to a claim against it at a later date. If the circumstance is notified during the policy period, any subsequent claim arising from that circumstance will be covered under the policy, regardless of when the claim itself occurs.

ii Notification

It is a requirement of all cyber policies that any claims against the insured that are covered under the policy are notified to the insurer within a specified period. The precise time will vary depending on the policy and may be anything from 'immediately' to 'as soon as possible', 'promptly' or 'as soon as practical', or within a fixed number of days of the insured becoming aware of the claim. These requirements are almost always conditions precedent to the insurer's liability; cover can be refused if the claim is not notified as required. Most policies also require the insured to notify circumstances that may give rise to a claim.

iii Claims control

Under cyber policies, the insurer usually has the right (but not the obligation) to take over the management of the insured's response to any third-party claim. Where this right is not exercised directly, it is likely to be a condition precedent to coverage under the policy that the insured does not admit liability or enter into negotiation or settlement with a third-party claimant without the insurer's written consent.

iv Claims cooperation

Cyber policies also require that the insured provides the insurer with all information and data about the claim that is reasonably requested and cooperates fully with the insurer in the management of the claim and in the defence of any third-party claim. These provisions are often conditions precedent to the insurer's liability, with the result that the insured's failure to comply with them will discharge the insurer from liability for the claim.

v Other common terms

Other terms commonly found in cyber policies include obligations on the insured to:

  1. notify the authorities of any extortion attempt;
  2. take reasonable steps to mitigate loss and to preserve the insurer's rights of subrogation;
  3. preserve evidence;
  4. take reasonable steps to avoid loss, for example, by ensuring software is patched regularly and firewalls are in place; and
  5. not to disclose the existence of the policy to any third party.

vi Important policy exclusions

As noted, there is considerable inconsistency in the scope of coverage offered under a cyber insurance policy and, therefore, in the policy exclusions. Some important exclusions that are commonly included, however, cover the following areas of loss:

  1. physical damage and personal injury, whether directly or indirectly caused by a cyber event;
  2. contractual liability – this provision excludes cover for losses incurred by the insured following a cyber event as a result of its contractual liabilities, except to the extent that such liability would have attached in any event;
  3. losses occurring prior to the retroactive date – all cyber policies include a retroactive date. Cover is excluded for losses occurring prior to that date even if the loss is only detected and notified during the policy period;
  4. losses resulting from the fraud, dishonesty or reckless conduct of a director or senior officer of the insured;
  5. claims resulting from the insured's use of unproven or illegal software;
  6. claims resulting from the failure of the cloud or other utilities or external services;
  7. betterment;
  8. employer's liability claims; and
  9. losses recoverable under another insurance policy.

V Interaction with other insurances and 'silent cyber'

Cyber insurance policies will generally purport to exclude physical losses and, increasingly, property policies will also seek to exclude cyber-related incidents. However, there are instances where policies will not explicitly include or exclude cyber-related losses (known as 'silent' or 'non-affirmative' cyber cover). The High Court's decision that cryptocurrencies are 'property' for legal purposes[8] has added a further level of complexity to this issue. The question of whether a non-cyber policy would respond to cyber losses is untested and will turn on the construction of the specific policy wording.

Silent cyber is best illustrated with examples:

  1. A computer is hacked and compromised in such a way that it overheats, causing fire damage to the insured's and a third party's property. In this situation, which of the insured's policies should respond (property, liability or cyber)?
  2. A law firm's computer systems are hacked resulting in client data (or money) being lost. This may give rise to a claim under the firm's professional indemnity policy as well as its cyber policy.

Non-affirmative cyber exposures may give rise to two significant issues for insurers. First, insurers may be required to pay claims for unforeseen cyber losses in certain circumstances when they have not charged a premium for the risk. Second, unexpected cyber exposures could trigger accumulation of losses within other policies.

The UK regulators are aware of issues relating to silent cyber and the Prudential Regulation Authority has issued regulatory guidance,[9] which sets out how it expects insurers to 'introduce measures that reduce the unintended exposure' to cyber risk from physical and non-physical damage. In July 2019, Lloyd's mandated that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.[10]

The importance of precise exclusions can be highlighted by reference to a common 'cyber exclusion' known as the CL380 clause. In summary, this clause is designed to exclude losses caused by malicious cyberattacks. However, the onus will be on insurers to prove that the cyber incident was malicious and any inability to do so will mean that the exclusion does not bite. This is because CL380 does not deal with non-malicious cyber issues, which are, in many cases, just as common. In these instances, the CL380 exclusion clause would not apply and the insurer may still face liability. New exclusion clauses are now being introduced, but the CL380 clause can still be found in many policies.

VI Cyber regulation

Cyber security is not only a pressing issue for businesses: UK and EU legislators have also introduced new regulatory regimes that go some way towards mapping out baseline cybersecurity standards. One of the key pieces of legislation is the GDPR, which overhauled previous data protection rules and requires data controllers and processors to ensure that appropriate measures are in place to protect against unlawful processing of personal data. The GDPR is reflected in the United Kingdom in the Data Protection Act 2018.

The GDPR requires organisations to report any personal data breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) to their relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Organisations are also required to notify the affected individuals where a breach is likely to result in a high risk to their rights and freedoms.

The Security of Network and Information Systems Directive (EU) 2016/1148 (the NIS Directive) was also implemented by EU Member States in 2018.[11] Broadly speaking, the NIS Directive purports to ensure the reliability and security of network and information systems across the European Union by requiring certain 'operators of essential services' (such as the energy, transport and banking sectors, among others) and 'digital service providers' (online marketplaces, search engines and cloud computing services) to adopt appropriate measures to manage cybersecurity risks. Non-compliance with the GDPR and the NIS Directive will expose firms to significant fines.

Both pieces of legislation are likely to continue to apply and remain in force in the United Kingdom notwithstanding Brexit, and they illustrate the additional regulatory burden with which businesses must comply and against which they must insure.


[1] Christopher Crane is a partner at Ince. With thanks to Simon Cooper, author of this chapter in the previous edition.

[4] ibid.

[6] See Vidal-Hall v. Google Inc [2015] EWCA Civ 311, where the Court of Appeal held that victims of a data breach could recover compensation for distress associated with a contravention of the Data Protection Act 1998, even in circumstances where no direct financial loss had been suffered by the claimant. This principle was subsequently applied in a case against the Home Office (TLT and others v. The Secretary of State for the Home Department and the Home Office [2016] EWHC 2217 (QB)), where a number of asylum seekers' personal data was wrongfully published on the Home Office website. The claimants in this instance were each awarded between £2,500 and £12,500. While the amount of damages a court may award will be determined on a case-by-case basis, these cases demonstrate that a cyberattack resulting in a large volume of data being compromised could result in significant third-party liability.

[7] AA v. Persons Unknown [2019] EWHC 3556.

[8] AA v. Persons Unknown [2019] EWHC 3556.

[9] See PRA Supervisory Statement SS4/17.

[10] See Lloyd's Bulletin Y5258.

[11] In the United Kingdom, the NIS Directive has been introduced by the Network and Information Systems Regulations 2018 (SI 2018 No. 506).
