Cyberinsurance – What can it (not) do for you ?

Index

• Context
• Don’t rush into it – look for the right fit
• Pitfalls with Coverage
• Potential legal issues with Insurability
• Additional Guidance

Context

Cybercrime

Companies worldwide are facing growing accountability and liability due to increasing demands by regulations such as GDPR, CCPA, NIS and other security and privacy requirements. Moreover, both direct and indirect damages resulting from malicious security breaches – such as ransomware attacks – have risen significantly in recent years. Cybersecurity Ventures predicted that cybercrime will cost the world USD 6 trillion annually by 2021, up from USD 3 trillion in 2015. The Equifax breach alone cost the company over USD 4 billion in total.

Cyber Insurance

This trend reinforces an appetite for insurance coverage of damages caused by security incidents.  It is estimated that about one third of larger businesses have now procured some flavour of cyber insurance. The cyber insurance market as a whole was valued at USD 4.3 billion in 2018 and is expected to register a compounded annual growth of over 25%, expanding to well over USD 20 billion by 2025.  Source https://www.researchandmarkets.com/reports/4871728/global-cyber-insurance-market-2019-2025 .

An ounce of prevention is worth a pound of cure. Your first defense should be proactive and implement security controls.

Of course no defense is perfect. Could you benefit from adding cyber insurance? What could it do for you … and what likely not?

Don’t rush into it – look for the right fit

Cyber Insurance criteria

Cyber insurance is a form of liability & damage insurance. By contrast to well-established insurances, such as a car insurance, the cyber insurance market is not yet fully mature. It is continuously evolving, there is no ‘industry standard’ or ‘minimum baseline’ yet. Moreover premiums, services included, and coverages vary widely. Initially, cyber insurance was offered by larger, supranational insurance companies. Now, local players have developed niche offerings as well.

Choice is good, but it adds to the complexity of the landscape, and it is not straightforward what the ‘hard’ acceptance/rejection criteria are for each possible option. Likewise, it isn’t always fully transparent what criteria have an outspoken positive, or negative, effect on the premium of each option.     Now, some criteria which may have an effect, such as the nature of activities, countries with operations and data processing, volumes and types of data, are a given anyway. Other criteria, such as acquiring and maintaining privacy & security certifications, conducting external audits & pen tests, are a matter of choice. A structured procurement process helps to find out what influences premiums most.

Procurement process

In order to maintain coverage past the point of initial underwriting, and have some measure of control over the premiums, it is important to develop insight into the key criteria.  Hence, don’t rush into it. Take the time to do your homework – what incidents and damages require coverage most? Run an RFI (Request For Information) to gain insights into ‘the inner workings’ of available offerings. Run an RFP (Request For Proposal) against a shortlist of the most suitable candidates.

Be aware that the process to negotiate and select the most suitable cyber insurance can take many months, if not half a year. But it beats the alternative of ending up with a policy that’s not a good fit and won’t cover you when you do need it.

Pitfalls with Coverage

Exclusions & Conditions

Limits to what is covered by an insurance policy is typically stated in one of three ways:

• explicit exclusions, i.e. not covered under any circumstances;
• conditional coverage, i.e. coverage only holds as long as certain boundary conditions are met;
  • g. precise notification requirements towards the insurer in case of a data breach.
• coverage limit, i.e. there is coverage up to a certain amount.
  • absolute amount, a percentage, or set by a formula.

Companies need to properly assess the implications of such limitations and be critical of ambiguity of wording. Coverage may be less solid as assumed, and one will typically find out when the coverage is needed the most. We present you with some common examples of limitations and exclusions.

Criminal Acts

Insurance terms & conditions will typically state exclusions on ‘Act of God’, ‘Force Majeure’, ‘acts of war, ‘criminal acts’, …  Now, this is open for interpretation, and can become an issue when a big claim is filed. There have already been cases where the insurer has argued that ransomware, a malware attack, or social engineering is digital terrorism, or a criminal act (Zurich American Insurance vs Sony, AIG vs SS&C Technologies, Zurich Insurance vs Mondelez). The result is that a company, in addition to dealing with a security crisis, media, stakeholders, supervisory authorities, … ends up in legal proceedings with its cyber insurer – instead of being covered and compensated.

Wording and terminology are important. Ensure nothing is being left out or left to ambiguity and ‘spur of the moment’ interpretation, if it absolutely needs to be covered.

Errors by own staff

Another category of incidents which is often being excluded, or subject to coverage limitations, is deliberate ‘Errors & Omissions’ and ‘insider threats’ by own staff. There is at times also a ‘social engineering reduction’ clause. Now, this is at odds with the reality that the most damaging security incidents can be caused from within, by own staff. It also leaves room for debate. An inside job can be triggered by an external party, manipulating, social engineering, or even threatening staff. Is staff then committing a ‘deliberate error’ or not?

If these categories of events are being excluded, or severely capped, from coverage, then a company should be aware it has not obtained coverage for this type of high-risk security incidents.

Maintaining conditions

Some coverages will only hold if specific conditions are being met in full. Ensure whether the wording of such conditions is realistic and can be met at stressful times. For example, some cyber insurance policies included onerous breach notification requirements towards the insurer. Whereas often the first duty and legal obligations are towards authorities and individuals whose data was breached. This likely results in not meeting the notification requirements towards the insurer in full, and leaves the company exposed to the risk of limited or non-compensation.

Direct & Indirect damages

Then there is the puzzle of direct and indirect damages resulting from security incidents. It is often doable to assess and quantify the direct damages with reasonable accuracy. They also tend to emerge quite quickly after the incident, and their effect is immediate or short-lived. Indirect damages are varied, tend to emerge more slowly, can have longer lasting effects, and are much harder to quantify. How are these covered and capped? Is the wording positive (‘covered unless explicitly out-scoped’), or negative (‘not covered unless explicitly listed’)? What is the procedure to agree upon a quantification?

Wording. Do you have the benefit of doubt?

In defense of the cyber insurance companies, it is a tricky type of policy, as the risks they would be expected to cover, come in many different flavours. At the same time, such risks are hard to re-sell to reinsurers. Why? Because, as opposed to fire insurance where a fire in one city would not accompany a fire in another city, worst case cyber-attacks can hit all policy holders at once. That simultaneous risk across all policy holders makes cyber re-insurance a high-risk endeavour.

This does imply that an insurer might be tempted to construct a cyber insurance policy and choose wording with the primary objective to avoid pay-outs. Because it is possible the insurer will take the full hit itself. Here European laws such a MiFiD II and IDD may come to the rescue stating that the insurer must always act in the interest of its clients and that all precontractual and contractual information must be clear, correct and can’t be misleading. On top of that, in some EU Member State countries like France and Belgium, an insurance clause has to be interpreted in favour of the insured (whether they are individuals or professionals) in case of doubt due to the ambiguity of the wording or phrasing.

Hence, for EU companies, going for cyber insurance with an insurer registered in the EU, applying law of an EU Member State to the contract, seems a safer bet than a non-EU contract such as a UK- or US-based contract. Ideally, the applicable law is from an EU Member State that has confirmed the extension of above-mentioned protection of the insured to legal persons.

NDA (non-disclosure agreement) on cyber insurance

Various companies, both insurers and insured, make public announcements about the procurement of cyber insurance, including details such as premiums, indications of scope etc. This may not be best practice.

One way attackers can take advantage of such information, is by listing companies which have made details about a cyber insurance policy public, as preferential targets. Then by ensuring their ransom demand is likely covered by the cyber insurance, and probably less than the costs of recovering from backups and other contingency assets. Be wary that cyber-insurance transparency may put you on a ‘hit list’.

As a precautionary measure, it seems better to not publish any details at all about cyber-insurance coverage, and have your insurer contractually commit to not expose anything about having underwritten such a policy. Including NDAs to that end at the time of signing off on a contract.

Combination of policies

Some organisations have chosen to combine cyber-insurance coverage from more than one insurer. If well balanced, this can enhance total coverage, and add an additional layer of risk diversification. E.g. combine a policy by a national specialty insurer to cover country-level risks, with general cyber insurance or apply a dual sourcing policy to obtain competitive pricing and spread counterparty risk. Be aware that most EU Member State legislations prevent that an insured can benefit from the same payout from multiple insurers for the same damage.

Potential legal issues with Insurability

Insurability of fines

Is it always legally allowed to provide insurance coverage, and compensate for fines by authorities? DLA Piper and AON have analysed the insurability of GDPR fines across Europe, see https://www.dlapiper.com/en/uk/insights/publications/2019/07/updated-guide-on-the-insurability-of-gdpr-fines-across-europe.

In a high number of European countries, fines are not, or not guaranteed, to be insurable. This leaves a company with operations in multiple countries and jurisdictions, uncertain about the effectiveness of its coverage. On the one hand, it may have procured a cyber insurance policy from an international insurer which suggests that, within limits, damages including fines are covered. On the other hand, the company, i.e. the insured, may have activities in various countries that do not necessarily allow fines to be insured. So depending on where security incidents happen, and what the residence of the impacted data subjects are, the company may have fines compensated by its cyber insurance … or not at all because it would be illegal.

In addition, there are governmental bodies that have already suggested yielding into ransomware demands by making payment, should be made an illegal act in itself. The reasoning here is that paying up, fuels the cybercrime market, and one should not support nor negotiate with criminals.

Additional Guidance

No substitute for an information security management system (ISMS)

It should be clear from above that having cyber insurance is a reactive measure, the effectiveness of which cannot be fully guaranteed up-front. It is a post-fail risk offset and it could never replace a proper security management program. First and foremost, implement proactive security measures and maintain them frequently.

There is no insurance that will recover the millions your company spends on R&D if your intellectual property is hacked and stolen. Nor does yielding in to ransomware demands, as encouraged by some cyber insurance companies if they deem it to be the cheapest way out, provide any guarantees of data recovery and non-abuse. There are plenty of documented cases where even after payment, the data was still erased, left behind encrypted or corrupted; or was stolen and resold.

Security Risk Assessment

Perform an internal security risk assessment first. Without a gauge of your key risks, it is not possible to determine what type of damages need coverage the most by cyber insurance. Likewise, you cannot estimate how much of an issue any specific exclusions, capped or conditional coverages, … might become. Note that such assessment must not be limited to security risks associated with digital or IT assets. It must extend to other potentially risky assets, such as paper documents & archives.