UK insurance governance expert Mactavish is concerned that a lack of knowledge about cyber insurance could lead to companies buying the wrong cover.
The cyber liability insurance market is still early in its development compared to other types of cover – so it’s no surprise there are questions over its reliability.
Cyber risk is a top concern for businesses – the Allianz Risk Barometer 2019 reported that it tied with business interruption as the number one fear among businesses globally.
As a result, companies are taking out new policies that will protect them financially and provide expertise to organise a response to a potential cyber-attack.
But UK insurance governance expert Mactavish has reported concerns with off-the-shelf style products.
The consultancy believes a lack of knowledge about cyber insurance could lead to companies buying unnecessary cyber cover, or cover that doesn’t appropriately fit their needs.
CEO Bruce Hepburn says: “Cyber insurance is a new and untested financial product.
“In many cases, it is complex and incomplete and in need of major adaptation to provide reliable protection for a specific business’s exposures.”
For this reason, it’s important for businesses to understand the cyber risk landscape and what their specific needs are.
What is cyber liability insurance?
Cyber liability insurance can be difficult to define because of the variation in policies offered, as well as the impact that high-level policy disputes like the recent Mondelez legal case have on interpreting policy wording.
The Association of British Insurers says: “Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks.”
This means that cyber liability is an individual or business’s legal responsibility for its exposure to these risks.
However, cyber insurance policies also offer varying levels of cover for business interruption costs in the event of a cyber-related issue.
It’s for this reason that Mactavish urges companies to ensure they consider their risk landscape beyond legal liability when buying cyber liability insurance.
Technical director Rob Smart says: “If somebody hacks into your system and shuts it down, or somebody gives you a denial of access attack or a ransomware attack, then the costs associated with a claim can very quickly grow when you consider interruption to your business.
“There’s also technical investigation costs to find out what the hack is and where it came from, as well as finding out where any stolen information may have got to.
“The range of different cover in different policies, and how the various triggers are defined within them, can vary quite a lot from one policy to another.”
Cyber liability insurance isn’t just financial
Financial compensation is only one side of the cyber liability insurance proposition, with policies also giving access to various types of support to help a company prepare for and respond to a cyber-attack.
Graham Wedgebury, cyber specialist at insurance broker Lycetts, believes the range of support on offer is key to responding to a claim.
“Brokers can help businesses with contingency planning, establishing and understanding the implications of cyber crime, evaluation of risk, and putting security measures and crisis action plans in place should the worst happen.
“Many security insurance policies provide swift legal and public relations advice post-breach to help companies decide how and when to communicate an incident to their customers.”
Companies need to understand their risk exposure
According to the Cyber Security Breaches Survey 2018, fewer than one in ten businesses have cyber liability insurance – despite 43% suffering a breach or attack in the past year.
Some 41% of businesses said they didn’t consider there to be enough of a risk to warrant cover, and 22% claimed they didn’t purchase it due to a lack of awareness.
Mactavish believes this lack of awareness cuts both ways, with companies buying cyber insurance policies doing so without understanding their risk exposure.
Mr Smart says: “Cyber insurance is a complex financial product that’s bought as if it was toilet roll.
“People’s experience of buying car insurance or health insurance, where the differences are quite small, makes them think that buying a cyber insurance product is the same, in that you buy it and you’re covered.”
Mactavish has set up a cyber risk consulting practice to help businesses understand their risk profile and negotiate the right cyber liability insurance.
One reason for setting up the practice was to stop businesses from relying on silent cover – an industry term for non-cyber specific policies that can still cover cyber-related issues.
Mr Smart says: “The insurance industry’s reliance on silent cover is abhorrent to us because we see where it goes wrong.
“If you don’t negotiate a policy when the issues are hypothetical, trying to negotiate it in the event of a claim, when you have a £20m loss or a £200m loss, it is going to be pretty difficult.
“The more a company can do to understand its specific exposures, disclose them and never rely on silent cover – but be very clear on what sort of cover it needs – the better protected it is in the event of a claim.”
Cyber policies can be disputed
The variation in products mentioned by Mr Smart means that not everything that constitutes a cyber risk is always covered in a cyber insurance policy.
Based on its own research, Mactavish claims that 45% of all large commercial claims are disputed by insurers, and take an average of three years to resolve.
According to Mr Smart, this figure isn’t specific to cyber, for which the number could be even higher.
He says: “The stats we publish about the number of large claims that are disputed aren’t cyber-specific because we’d expect cyber to be worse as a new and untested product.
“What those stats show is that insurance is reliable for small, run-of-the-mill claims, but not for larger and more complex ones.
“We certainly expect those stats to be at least as bad, but probably worse for cyber in the next few years, as these products get tested by cases like Zurich versus Mondelez.”
The Zurich v Mondelez legal case is the ‘tip of the iceberg’
The case filed against large multi-insurer Zurich by Mondelez – one of the largest food and drink companies in the US – represents the first time a cyber insurance policy’s war exclusion clause has been tested.
Mondelez claims that Zurich breached a contract by refusing to pay out for an insurance claim that would cover physical damages and business losses totalling over $100m (£78m).
Zurich’s defence in the case is that NotPetya, the virus introduced to the Mondelez servers in 2017, was orchestrated by the Russian military – and is therefore not covered by the policy Mondelez purchased, owing to an exclusion for an act of war by a “government or sovereign power”.
Mr Smart sees this case as just one example in a long line of policy exclusions that, if tested, could be bad news for businesses.
He says: “When you look at disputes like Zurich on Mondelez, that’s really the tip of the iceberg because it requires a company to have suffered a loss and its insurance policy to have responded.
“There’s probably 30 different issues in a cyber policy that need the Mondelez case law to decide where it’s going to sit on each of them.
“The much bigger part of the iceberg is all the policies that are arranged without adequate knowledge of the risk.
“If the reliability of those cyber policies were to be tested, they probably wouldn’t pass with flying colours, so the nature of our business is seeing that wider iceberg and being concerned about it.”