Insurers need to take a careful look at the cyber cover being offered by insurers, and make sure that they are aware of the implications of what is and is not on offer.
The EU’s General Data Protection Regulation (which comes into force in May 2018) and Network and Information Systems Directive (currently under consultation) indicate the beginning of a stricter regulatory regime as regards data protection. This, together with a maturing market and increased market sophistication, could have a significant impact on insureds in that it looks set to lead to cyber insurers to seek to reduce cover and adopt a hardened attitude to claims.
In recent years, cyber insurers’ focus has been on increasing their market share by offering additional cover and favourable terms in their policies at relatively low cost. Now we are seeing insurers taking a tougher approach. One example of this is notification periods. Traditionally cyber policies provided insureds with long periods in which to notify claims. More recently, the trend has been for policies to require immediate notification and to make this a condition precedent to liability.
Similarly with the scope of cover available. Insureds are increasingly finding that insurers are insisting on problematic exclusions being included in their policies, for example the CL380 exclusion clause, which means that there is no cover for a potential computer hacking event. In the light of recent high profile hacking stories, this is arguably a must have cover.
Cyber risk can take many forms, and cannot always be quantified in terms of monetary losses. Brand reputation is increasingly at risk and cyber cover should include property damage cover for both hardware and software, business interruption, cyber crime, cyber extortion, reputational damage and privacy and security liability cover.
It is critical for insureds that they are aware of their exposures and what is and is not covered by their policies, particularly in the light of the ongoing developments in and increasing sophistication of the cyber landscape.