Cyber insurance – overview of policy coverage Tim Johnson
Aug 07, 2015
Content
• ‘typical’ cyber policy
• available covers
• common pitfalls
Cyber – ‘typical policy’
Not all cyber policies are the same!
• new and developing sector
• insurers have different appetites for risk / different target markets
• limited claims history / information
• no (limited) legislative framework
Cyber insurance – what cover is available?
• First party losses
– Breach costs
– Business interruption
– Hacker damage
– Cyber extortion
• Third party liabilities
– Privacy claims / investigations
– Media liability
1st party losses – breach costs
What has to go wrong?
Unauthorised:
– acquisition;
– use;
– loss;
– disclosure,
of personal data
1st party losses – breach costs
What might the policy pay?
• IT forensic costs (for cyber breach) – to identify and shut down a breach
• Legal fees – to manage your response to the breach
• Notification costs – to notify data subjects and regulator
1st party losses – breach costs
What might the policy pay? (cont’d)
• Credit monitoring costs – where required by law
• Call centre costs – to deal with queries from data subjects
• PR / crisis management costs – to manage media fallout
1st party losses – business interruption
What has to go wrong?
An interruption to your business caused by a:
– hack; or
– (distributed) denial of service attack.
1st party losses – business interruption
What might the policy pay?
• Loss of income / gross profit
• Increased costs of working
• Additional increased costs of working
1st party losses – hacker damage
What has to go wrong?
• disruption, misuse, damage or destruction etc. of your computer system; or
• copying, stealing or damaging computer programs or data held electronically,
caused by a hacker.
1st party losses – hacker damage
What might the policy pay?
Costs incurred to:
• replace or repair damaged programs (e.g. rebuilding website)
• reconstitute electronically held data
1st party losses – cyber extortion
What has to go wrong?
Third party threatens to:
• damage, destroy, copy or steal your computer systems, programs or data held electronically; or
• disseminate personal data held by you,
unless you pay a ransom.
1st party losses – cyber extortion
What might the policy pay?
• ransom payable to hacker
• value of goods / services surrendered
• expert costs to negotiate and deliver ransom
3rd party liabilities – privacy claims & investigations
What has to go wrong?
Following loss, theft or unauthorised use of data:
• a third party brings a claim against you; or
• a regulatory body (e.g. ICO) commences an investigation or prosecution.
3rd party liabilities – privacy claims & investigations
What might the policy pay?
• Compensation payable to third party
• Legal fees to defend claim / investigation / prosecution
• IT forensic costs
• Regulatory fines (only where legally insurable)
• PCI charges
3rd party liabilities – media liability
What has to go wrong?
A third party brings a claim against you for:
• defamation; or
• breach of intellectual property rights,
arising from your internet, website, e-mail and other electronic media.
3rd party liabilities – media liability
What might the policy pay?
• Compensation payable to third party
• Legal fees to defend claim
• IT forensic costs if website etc. altered by a hacker
Common pitfalls
Pitfall 1 – precautions against loss
• Most policies require compliance with a certain level of security
• Generally either compliance with:
– your declared precautions; or
– ‘reasonable’ precautions
• Equivalent of an intruder alarm condition in a material damage policy
Pitfall 2 – employee dishonesty
• All policies will have a dishonesty exclusion
• Dishonesty exclusions vary widely between policies
• Whose dishonesty is excluded:
– all employees?
– (senior) managers?
– board directors?
Pitfall 3 – third party suppliers
• Breach by supplier:
– you are still liable to your customers for the breach
– many policies will only cover a breach by you (as opposed to breaches for which you are liable)
• Attack on cloud provider:
– again, you remain liable to your customers
– many policies exclude breaches by cloud providers (either specifically or as a third party supplier)
Other common pitfalls
• Geographical / territorial and jurisdictional limits:
– geographical / territorial limit – where the loss occurs
– jurisdictional limit – where a claim is brought
– where is your data? where is the breach? where is cyberspace?!
• Breach by data centres:
– who owns the servers?
– breach by you or breach by supplier (see pitfall 3)?
• Theft of commercially sensitive information:
– high risk area but may be excluded
– does policy only cover personal data?
Other common pitfalls
• Business interruption time excess:
– length of an interruption before cover kicks in
– what is your business model?
– how effectively can you work if your systems go down?
• PCI charges:
– are you a member of the PCI scheme?
– charges are often excluded as contractual fines, but can represent a substantial loss.
Summary
• Not all policies give the same cover
• Understand the risks to your business
• Understand the cover provided (and where cover is
not provided)
• Cover is flexible to meet your specific needs
• Take advice!
LinkedIn – NEW showcase page
Follow the NEW technology showcase page for news, legal updates, real opinions and training about managing cyber security risks.
Tim Johnson, Partner
t: +44 (0)115 976 6557
m: +44 (0)7825 229767