Introduction
Silent cyber and scope of cybersecurity insurance policy
Risk of liability insurance that covers penalties and administrative fines
Risk of causing increase in insurance coverage
Detailed analysis of policyholder's systems before execution of insurance contract
Comment
The importance of cybersecurity insurance has grown significantly as a result of the covid-19 pandemic. Companies that operate remotely with insufficient cybersecurity defences face increasing risks of cyberattacks. According to the Global Risks Report 2021, cyberattacks are classified as a major global risk, which caused data breach costs of $4.24 million in 2020.
To counter such attacks, cybersecurity insurance offers a wide range of protections against threats, such as:
- phishing;
- baiting;
- pretexting; and
- water holing.
Cybersecurity insurance entitles an insured company to be compensated for its losses from cyberattacks within the scope of the insurance policy.
In general, cybersecurity insurance policies cover costs that arise from:
- stolen information;
- data hacking and service breakdown;
- data protection damage;
- ransom money;
- damage caused by business interruption;
- computer and technical device damages;
- cyber extortion; and
- defamation.
On the other hand, cybersecurity insurance policies do not usually cover:
- cyber terrorism;
- damages that arise from breaches of competition law;
- IP rights;
- media and advertising; and
- activities subject to criminal liabilities.
Silent cyber and scope of cybersecurity insurance policy
Both insurers and policyholders should be aware of the risks of silent cyber, which refers to cyber-related losses arising from policies that do not specifically cover cyber risks.
In terms of insurers, insurance policies that are not tailored to cover current cyber risks could result in the payment of claims for cyber losses. In order to minimise this risk, insurers should explicitly cover cyber risks or introduce exclusions.
Similarly for policyholders, policies and exemptions that are not suitable for covering cyber risks specific to a business sector could leave companies unprotected.
Therefore, traditional insurance policies may be insufficient if they only cover damages such as:
- data hacking;
- service breakdown;
- business interruption;
- cyber extortion; and
- defamation.
Risk of liability insurance that covers penalties and administrative fines
In practice, damages incurred by third parties and the payments made to public institutions due to a cyberattack are insured by professional liability insurance.
However, considering article 1404 of the Turkish Commercial Code No. 6102 (TCC) and the purpose of administrative fines, it is risky to cover administrative fines and any other penalties imposed by public institutions such as the Personal Data Protection Authority and the Banking Regulation and Supervision Agency through cybersecurity insurance.
According to article 1404 of the TCC, insurance that covers losses as a result of the policyholder's or insured's breach of mandatory rules, moral values, public order or rights of personality will be null and void.
Further, imposing administrative fines and any other penalties is used mainly as a deterrent; the aim is to force companies to act in accordance with the laws and regulations.
Therefore, it can be argued that insurance policies covering such fines and penalties should be considered as a breach of their purpose and a breach of public order. In this regard, liability insurance that covers fines and penalties may be evaluated as a breach of public order and courts may decide that an insurance contract should be deemed invalid from the date of its execution.
Risk of causing increase in insurance coverage
According to article 1444 of the TCC, following the execution of a contract, a policyholder cannot act or make any transaction causing the amount of indemnity to increase without the insurer's prior consent. In such cases, an insurer may request an additional premium or terminate a contract within one month of the date that they became aware of the policyholder's actions.
If a policyholder negligently causes such an act or transaction affecting the amount of insurance coverage, an insurer may request a reduction in insurance coverage depending on the degree of the fault. If the policyholder has acted with intent, the insurer will be discharged of its payment obligations.
In this regard, cybersecurity insurance policyholders should take technical, systemic and administrative measures against cyberattacks in accordance with market standards. In addition, a company's software and hardware should be adequate to protect it from such attacks.
If an insurance company determines that a risk occurred because of a company's negligence, it may request a reduction in insurance coverage depending on the degree of the fault.
Detailed analysis of policyholder's systems before execution of insurance contract
Before signing a cybersecurity insurance contract, an insurer must examine a policyholder's:
- computer systems;
- software and hardware systems;
- applications; and
- cloud systems.
This will also determine the premiums a policyholder must pay.
In this regard, IT companies operating in Turkey are increasingly focused on providing such analysis services to insurers. In terms of cyber insurance, cooperating with IT companies that examine companies' systems in detail puts insurers in a more secure position.
Due to recent technological developments and the increase in remote working as a result of the covid-19 pandemic, obtaining strong cybersecurity has become a necessity. Businesses globally hold a large amount of personal information data, which potentially exposes them to:
- cyberattacks;
- fines by the relevant authorities; and
- lawsuits from customers and their personnel.
In general, insurers should seek to verify the details of:
- silent insurance risks;
- coverage of insurance;
- administrative fines; and
- analysis of policyholders' equipment.
There are still no legal regulations regarding cybersecurity insurance; therefore, both insurers and policyholders should be aware of the risks discussed in this article and ensure that they have made thorough assessments and/or taken out additional policies in order to reduce those risks.
For further information on this topic please contact Lale Defne Mete, Koksal Kaplan or Serra Nur Kaya at CETINKAYA by telephone (+90 212 351 31 40). The CETINKAYA website can be accessed at www.cetinkaya.com.