On 20 March 2015, the UK Government published a report on the role of insurance in managing and mitigating cyber security risk. It is a collaboration between the Government, insurers, brokers and insurance associations. It defines cyber risk, comments on cyber exposures and types of losses, and identifies gaps in traditional insurance cover.
It seems the main focus of the report is to heighten awareness of cyber risks to ensure businesses in the UK are obtaining adequate insurance, as recent statistics show that 81% of large businesses and 60% of small businesses suffered a security breach in 2014.
What losses are UK businesses facing now?
The report shows losses range from the insurable, e.g. damage to IT systems from a breach of privacy, to the uninsurable, e.g. theft of intellectual property.
The report acknowledges there is a lack of data on losses, due to incidents going unreported, which is forcing insurers to use over-conservative assumptions. Due to the lack of data, the Government plans to collaborate with insurers to make data more accessible, with a view to reducing premiums. Perhaps more likely to have a substantial effect is the new EU legislation (General Data Protection Regulation) currently being lobbied. In its current form it includes mandatory notice requirements, which once implemented could increase the data available.
Where is traditional insurance falling short?
The report identifies traditional insurance that can cover cyber risks, but frequently does not. Cyber insurance should be a “wrap”, and fill the gaps other traditional policies do not cover. The report provides a warning to all UK businesses that are buying cyber products “off the shelf”, or even worse, buying no cover at all.
The following gaps are identified:
- Property: these policies can exclude first party property losses resulting from a cyber trigger, and damage to intangible property (e.g. damage to software and data) is also generally excluded.
- Business interruption: cyber attacks usually do not cause physical damage (a trigger for BI cover to operate), although it is not unheard of. It was recently reported that an attack on a German steel mill resulted in an unscheduled shutdown of a blast furnace, causing “massive damage”.
- General liability: these policies can exclude unauthorised disclosure of personal information (for example, resulting from an accidental breach of privacy such as loss of a USB with personal information on it).
- Errors and omissions/professional indemnity: cover in these policies may be restricted to liability claims from customers only, and certain exclusions might apply, e.g. computer virus transmission.
The report predicts that there might be an increased use of exclusions in traditional policies, with cyber exposures insured explicitly as add-ons to traditional policies, or combined in stand-alone policies.
Aggregation: future fears
The report covers the difficulty cyber risks pose to insurers: because of their global nature, losses can aggregate across different insureds and different jurisdictions.
A similar challenge to insurers from an aggregation perspective is the effect on reinsurance recoveries, as the interpretation of reinsuring clauses which aggregate losses presents a common area for dispute between reinsureds and reinsurers. Whether cyber claims aggregate would depend on the type of aggregating language in the clause, i.e. is it “cause” or “event” based? Wordings that are “cause” based will have a broader effect and allow multiple events to aggregate where there is one originating cause. As an example, in the context of cyber risks, claims resulting from a breach of privacy or software damage resulting from a virus that has infected systems in multiple locations, at multiple times, are unlikely to be aggregated under an “event” based wording, because they fail to establish unities of both locality and time.
Due to fears over exposure, a government-backed reinsurer of cyber risks similar to Flood Re was a possibility; however, the report has confirmed there is no conclusive evidence of the need for such a solution at present. As more loss data becomes available, this position may change, so watch this cyber-space.
A copy of the report can be found here: https://www.gov.uk/government/news/cyber-security-insurance-new-steps-to-make-uk-world-centr