The London Market is witnessing a long and rather stuttering evolution of cyber cover for European insureds.
The risks involved are very real: in 2014 an estimated 81% of large corporations and 60% of small businesses in the UK experienced a cyber security breach. These figures, however, give no indication of the types of losses involved, and “cyber” is little more than a convenient blanket term; it may describe a malicious hack and subsequent theft of sensitive data such as credit card details or medical records, or an innocent omission such as an employee accidentally leaving an unencrypted laptop containing client information on a train.
Unsurprisingly, the associated insurance cover available is equally broad: an insured may obtain cover for first party losses including damage to critical infrastructure, business interruption and the significant response costs that are incurred in rectifying a security breach and notifying affected individuals. Third party risks are also commonly packaged into cyber policies under which an insurer may, for example, indemnify an insured for regulatory fines or claims brought by individuals whose data has been negligently compromised.
As a rule, European companies have been reluctant to buy stand-alone cyber cover and instead appear willing to gamble on their existing programmes responding to cyber losses. In some cases, where the wording in question is sufficiently wide, this might pay off. A company’s property and general liability policies, for instance, could well indemnify the first and third party losses that typically follow a cyber event. However, from a coverage perspective, the lack of established English case law means there is uncertainty regarding exactly when non-cyber cover will respond. As ever, the coverage issues faced by insurers will turn on the particular wording concerned; however, the key questions have been well rehearsed by legal commentators: will damage to data constitute property damage? Are regulatory penalties insurable as a matter of law? Where is the line between the cost of responding to a cyber security breach and betterment in terms of enhancing protection?
With these uncertainties, the increasing profile and frequency of large cyber losses, and the proliferation in the use of electronic data exclusions, the days of companies favouring premium savings over cyber protection are likely numbered.
Writing cyber risks
The relative infancy of cyber products for European insureds when considered against the American experience, where the first cyber policies were written in the late 1990s, raises its own challenges in writing cyber risks for insurers and reinsurers alike. The effective assessment and rating of risks sits at the top of the list. The lack of actuarial and historical loss data means that the experience of the underwriter and a comprehensive review of the policyholder’s operations are essential.
The considerations faced by reinsurers have not been widely discussed. As a corollary to the relative youth of cyber products, the first key decision is naturally which risks to write. It is not for lawyers to stray too far into this area; however, reinsurers will be keen to satisfy themselves that the reinsured appreciates that a proposal form “tick box” exercise by an insured is not enough. The majority of cyber events stem from human error, so a good insured will have introduced organisation-wide training addressing the “dos and don’ts” of electronic data protection. In the UK, general awareness within companies about how to protect against cyber attacks should be encouraged by the introduction of “Cyber Essentials”, a basic standard introduced by the Government in 2014.
Cyber reinsurance: considerations
The aggregation of outward reinsurance claims is an area of potential controversy in the cyber context. English law on aggregation in non-cyber cases is well-established, but is inherently fact based and close scrutiny of the aggregation wording and losses is almost always required. Without the benefit of “on point” case law it is not difficult to foresee disagreement between a reinsured and its reinsurers as to whether related losses can aggregate. For example, a reinsured may want to recover losses paid to a number of insureds as a result of a cyber extortion campaign organised by one particular association. Equally, in the third party liability context, an insured may want to aggregate all claims that result from a data breach affecting a number of systems taking place over a number of months or even years. The “hours clause” is unlikely to bring much clarity here as it is often impossible even for forensic vendors to establish exactly when a cyber breach first occurred. The task of mapping the history of a data breach is inherently more challenging than establishing the timings associated with a natural catastrophe, as the breach is typically, by its nature, latent.
Facultative reinsurers need to carefully consider their relationship with the original claims and the suitability of their claims co-operation provisions. The London Market trend for writing tall towers of cyber insurance cover means that potentially huge aggregated losses could result from a catastrophic cyber event, such as a hack of a cloud provider. With this in mind, in these early days of large cyber risks reinsurers will be unlikely to simply follow the reinsureds’ settlements without any real involvement in the claim.
There is no standard market cyber wording on either side of the Atlantic, meaning that cyber policies, as well as the underwriting assessment of cyber risks, continue to evolve. With disparate cyber forms on offer, insurers and reinsurers have the unenviable task of gauging how to limit their exposure while remaining competitive in a relatively small market. What is clear is that cyber risks, unlike the Y2K exposures at the turn of the Millennium, are a real threat to potential policyholders, and logic dictates that interest in cyber products will grow. While the financial exposure to a cyber event faced by a company based in America is higher than that faced by a Europe-based counterpart (due primarily to the regulatory landscape), a Data Protection Regulation is currently working its way through the European legislature which will pave the way for vast fines for companies in violation of data protection law and should reinforce the merits of cyber cover.
The growing prominence of cyber cover represents an exciting opportunity for many insurers and reinsurers alike. There will undoubtedly be an element of trial and error for insurers and reinsurers introducing cyber offerings into London; however, the Market is uniquely placed to become a leading, global centre of cyber security insurance.