Recent high-profile cyberattacks and the Federal Court's Inchcape decision provide a timely reminder of the need for suitable cyber insurance coverage 8 min read
This is the second instalment of our Cyber Insurance Handbook Series. See our first instalment here.
The successful exfiltration of customer data from Optus and Medibank, among others, highlighted the heightened global cyber-threat environment and the potential ramifications for Australian companies—including reputational damage, loss of customers, class actions, regulatory investigations and enforcement, potential prosecutions and even the potential replacement cost of customers' passports and other ID documents.
These incidents have also focused attention at the board level on the adequacy of companies' cyber insurance arrangements, with a renewed focus on how companies' insurance policies might respond in the event of a cyberattack.
In the first instalment of our Handbook Series, we outlined how the cyber insurance market has hardened recently, with rising premiums, restrictions on cover and increasingly onerous expectations of the underwriter on each annual renewal. In this context it can be tempting to eschew standalone cyber insurance and to instead rely upon the cover available under the broader suite of corporate insurance. In recent years, however, there has been a concerted push by the insurance market to exclude this form of 'silent cyber' coverage. This Insight explains what this means for your business.
Key takeaways
It is now standard industry practice for insurers to offer 'standalone' cyber insurance policies, while including exclusions for cyber-related liabilities in other policies.
While there is unlikely to be much that can be done to resist the inclusion of cyber exclusions in non-cyber-specific insurance products, it is still important to consider the wording carefully. Often, exclusions can be drafted so broadly that they may operate to exclude legitimate claims for third-party liability, property damage or business interruption where there is even a remote or tangential connection to a cyber incident. Where businesses fail to understand their coverage position, the extent of the uncovered risk can be enormous.
This means:
- You should not assume that mainstream policy lines will cover the significant costs and liabilities that can arise from cyber incidents.
- You need to understand the cyber liability cover held by your organisation, and stress test that coverage against potential cyber incident scenarios in advance.
- Subject to the advice of your broker, you should consider maintaining cyber liability insurance that provides specific cover for investigation, recovery and remediation costs.
What is 'silent cyber'?
Historically, 'silent cyber' referred to the circumstance where property or liability insurance policies were 'silent' on the issue of whether they provided cover for losses arising from cyber-related incidents.
For example, following a cyber-attack, would denial of access to data or the theft of customer information constitute physical loss or damage to property? And would this scenario be different if the data was damaged or erased? The answer to these questions was often contentious, uncertain—with conflicting court decisions—and highly material, not only to insureds' claims for the cost of data recovery, but related business interruption losses.
How 'silent cyber' cover could potentially arise under various mainstream policy lines (with significant exposure for insurers):
Policy type | Coverage type | Potential cyber |
General Liability Insurance |
Provides cover for liabilities to third parties for personal injury, property damage or advertising liability associated with the operation of the policyholder's business. | A cyberattack on the control system of industrial equipment causes it to operate unsafely, resulting in physical harm to the attendant workers on-site. |
Property Damage & Business Interruption Insurance |
Provides cover for property damage and business interruption loss sustained by the policyholder at their sites of operations. | A cyberattack on the control centre of a production plant forces manufacturing operations to close for an extended period, with resulting property damage and business interruption loss. |
Third Party Liability Cover (Directors & Officers' Liability, Personal Injury) |
Provides cover for liabilities incurred by directors and officers as a result of claims or investigations against them, and potentially to companies for the costs of securities litigation. | The price of shares in a publicly listed company is affected by a data breach, resulting in a shareholder class action or other representative complaint. |
Response by regulators and the insurance market
Following a period of industry consultation, the UK's Prudential Regulation Authority (PRA) became concerned about the systemic risks posed to insurers, and the broader market, from latent and unidentified cyber insurance coverage. In response, in January 2019, the PRA warned general insurers they should 'have action plans to reduce [their] unintended exposure'.1
Following this announcement, in July 2019, Lloyd's of London released a market bulletin mandating that 'all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage'.2
As a result of these measures—and on account of the substantial power and influence of the London market—the global insurance community has moved to exclude cyber from all mainstream policy lines.
The Lloyd’s Market Association has published recommended cyber and data endorsements (LMA 5400 and LMA 5410) containing broad exclusions. In general, these endorsements operate to exclude: (a) all direct or indirect losses to data; and (b) any losses resulting from a cyber act or cyber incident, potentially with a 'write back' for resulting fire or explosion damage from a cyber incident.
The wording of these (and other) cyber exclusions are very broad, with multiple convoluted limbs and far-reaching causal phrases (such as 'loss, damage, liability, claim, cost, expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with…'). Such broad exclusions are typically presented to insureds as a 'non-negotiable' requirement upon renewal.
Insureds should proceed with caution. Given the extent to which automated systems—such as robotics, process automation, connected devices, cloud computing and AI—are now embedded in the day-to-day functionality of businesses and modern supply chains, it is important to scenario-test proposed exclusions to ensure any losses for which your business requires cover do not inadvertently fall within the scope of the exclusion.
While a 'cyber exclusion endorsement' may be unavoidable in the current market, your broker may be able to negotiate modifications to preserve your cover in particular scenarios. And if not, this will only heighten the importance for your business to obtain dedicated cyber insurance.
What is covered by cyber insurance?
Cyber insurance typically now takes the form of a 'standalone' policy that covers businesses for a range of losses related to cyber incidents.
Such policies generally provide a mixture of first-party and third-party cover, as follows:
First Party Liability – covering losses incurred directly by the insured related to loss or damage to data, business interruption losses from the inoperability of computer systems, and the costs of investigating and remediating a breach. |
Third Party Liability – covering losses sustained by others where a cyber incident impacts one or more third parties for which the insured is legally liable—including fines and penalties imposed by regulators, compensation to individuals, contractual liabilities and the legal costs of defending the claims. |
Increasingly, cyber insurance is sold in a package that includes access to experts (including forensic investigators and sometimes ransom negotiators) retained and pre-approved by the insurer, and other support services.
In evaluating the scope of your cyber insurance arrangements, it is important to assess what is excluded from the suite of other policies held by your business and whether the cyber policy provides the necessary cover.
The Inchcape decisionWhat happened?Inchcape, an automotive services provider, was reportedly hit by 'Windows Ransomexx ransomware', causing server encryption, deletion of backups, deployment of malicious software and data exfiltration. The exfiltrated data, including customer information, was then leaked on the dark web. The attack reportedly cost the company over $4 million. Inchcape sought indemnity under its Electronic and Computer Crime Policy (Policy) for $2.3 million in costs it had incurred in clean-up and recovery, such as forensic IT expenses, incident response and replacement hardware. The Insurer declined indemnity, the matter was determined by the Federal Court and the insurer ultimately prevailed. What did the policy say?The findings of the case were specific to the particular wording of the Policy held by Inchcape. Relevantly, the Policy was not a standalone or tailored cyber insurance policy (and was not of the kind ordinarily procured for the purpose of cyber liability cover). Further, the Policy did not include specific incident response cover. The Policy was instead focused on the reimbursement of certain limited categories of loss arising from the compromise of data held in certain systems. Specifically, the Policy:
The adverse outcome for Inchcape resulted from the complex interaction between three different insuring clauses within the Policy and its particular definitions, exclusions and general conditions. This complexity highlights the importance of 'wargaming' or 'scenario testing' cyber incident responses and likely coverage outcomes in advance of any claim. |
Footnotes
-
Anna Sweeney, 'Cyber underwriting risk: follow-up survey results' (Letter to Chief Executives of specialist general insurance firms regulated by the Bank of England Prudential Regulation Authority, 30 January 2019). See this page.
-
See Lloyds, 'Update – Providing clarity for Lloyd’s customers on coverage for cyber exposures' (Market Bulletin Y5277, 29 January 2020). See this page.
Cyber Insurance Handbook Series
Backing up the backups: cyber insurance in a hardening market
Key trends in the cyber insurance market and how your business should respond.
Insurance in a time of (cyber) war
The cyber insurance market reckons with the state malware threat.
'A ticking time bomb': limitations in cyber cover for known vulnerabilities and end of life hardware
Monitoring your systems and addressing vulnerabilities may be essential to preserving insurance coverage.