In the September 2017 edition of its monthly journal, the German Financial Supervisory Authority (BaFin) published a statement on the insurability of cyber extortion payments. BaFin decided to allow coverage for cyber extortion payments in combination with general cyber policies. Following this clarification, there is now legal certainty that cyber extortion payments can be covered under cyber policies.

In the past, cyber extortion payments were subject to the general BaFin provisions on the insurability of kidnap and ransom insurance (K&R). Until 1998, K&R insurance was inadmissible because the German regulator took the strict view that insuring K&R claims would foster the risk of kidnapping and would therefore violate public policy. While none of the BaFin publications on this subject are technically legally binding, they can be deemed a clear indication of the regulator's expectations. Moreover, such publications will usually constitute a self-commitment of BaFin, with the effect that BaFin has to treat similar cases alike.

In 1998, BaFin changed its opinion by publishing a circular letter stating that, under certain conditions, the provision of product extortion and ransom insurance does not violate public policy. However, BaFin still considered K&R insurance admissible only under strict requirements, such as: no combination with other coverage, no advertisements, a contract term not exceeding one year, and confidentiality as regards coverage (no more than three persons to be informed). BaFin has adjusted the requirements for K&R insurance three times since the circular letter was published. In 2000, BaFin stated that a separate K&R license was no longer required and, since 2008, has accepted automatic policy renewals as admissible under certain circumstances. In 2014, BaFin stated that in certain scenarios more than three persons may be informed about the K&R policy, but also stressed that the other strict requirements for K&R insurance would remain applicable.

Because these strict requirements also applied for cyber insurance purposes, insurers had to provide German policyholders with two separate cyber policies: a main policy covering the standard cyber risks and a separate policy covering cyber extortion payments.

Therefore, besides providing legal certainty, the recent BaFin statement simplifies the business of insurance companies providing comprehensive cyber coverage. From now on, they can provide one cyber policy that covers general cyber risks as well as ransom payments. However, it should be noted that the ransom coverage can only be combined with cyber policies and not with any other insurance policies, such as crime policies.

Moreover, BaFin underlines in its recent statement that the other strict requirements established in the circular letter of 1998 remain, in general, applicable. If an insurer decides to offer comprehensive cyber coverage including ransom payments, the following restrictions in particular remain relevant:

  1. The cyber policy can still be advertised but it is not admissible to advertise the ransom component.
  2. It has to be ensured that the ransom coverage does not interfere with police investigations.
  3. The insurers have to ensure high data protection standards which have to be adapted to the ongoing technical developments.

The new BaFin publication is addressed to insurers that hold a licence to conduct property and casualty insurance business in Germany. It also applies to insurers from other member states of the European Union and the European Economic Area conducting business in Germany on a freedom of services or freedom of establishment basis.