Key Points:

Cyber risk insurance policies are structured to remedy the inadequacies of traditional insurance by dealing with cyber risks specifically and broadly.

We've already looked at the growth of cyber risks – including some varieties of cyber-attacks, their impacts and the changing legislative landscape in the context of data breaches. We now turn to the insurance that is available to manage the risks posed by our increased use of information technology.

The need for bespoke cyber insurance for cyber risk

In the face of growing e-commerce and cyber-attacks, costs to address information breaches, and increasing legislation (particularly in the area of privacy law), it is not surprising that attention is turning to insurance as a tool for managing cyber risks. Insurance policies for cyber risk have been used for some years in the USA, but are gradually gaining exposure in Australia.

Most traditional property and liability insurance policies are unlikely to be triggered by cyber risk events (which do not involve traditional risks such as physical damage to tangible property or physical injury to persons). There may be some limited cover for certain cyber risks through extensions and endorsements to different types of policies. However, that cover may be disjointed or inadequate. It is not uncommon for the policies which form the traditional foundation of a company's insurance protection to exclude expressly loss, damage or liability arising from cyber risks.

The most well-known example of the disconnect between traditional insurance policies and the risks associated with cyber-attacks involves Sony. Sony incurred a range of liabilities and costs as a result of hacking activity that compromised data held by the corporation. Sony ended up in litigation with its insurers over whether its liability insurance responded to its losses. Relevantly, Sony faced the difficulty of proving that the cyber-attacks constituted damage to property within the scope of the traditionally worded policy terms.

The features of cyber risk insurance

Cyber risk insurance policies are structured to remedy the inadequacies of traditional insurance by dealing with cyber risks specifically and broadly. The nature and extent of coverage can vary significantly. This may reflect different appetites for the risks, but could also signal the fact that the market for this insurance in Australia is relatively new.

Often the underwriting process requires prospective insureds to demonstrate a certain level of security to protect against cyber-attack and data breaches. The purchase of this insurance will not only provide some protection, but may also require a company to review and update its own internal policies and procedures.

Cyber risk insurance products may differ. Typically, they have a number of triggers for cover which may include:

  • Failures in data security processes;
  • Acts of employees (negligent or intentional);
  • Acts by third parties;
  • Virus infections; and
  • Breaches arising out of incorrect procedures used by host or cloud service providers.

Although it is difficult to generalise about all available cyber risk policies, the insurance is usually divided between first party loss (losses incurred by the insured itself) and third party liability (liability of the insured to third parties). In respect of first party loss, coverage may extend to:

  • Damage to property, both physical and electronic;
  • Investigation and notification costs;
  • Repair and replacement costs;
  • Public relations costs; and
  • General business interruption costs.

In terms of third party liability, available coverage may include:

  • Compensation or settlement of claims involving breach of privacy;
  • Compensation or settlement of claims for infringement of intellectual property;
  • Compensation or settlement of claims associated with defamation;
  • Compensation or settlement of claims of misleading or deceptive advertising;
  • Fines and penalties imposed by law and regulation; and
  • Legal costs for such actions.

The new risk management environment

The increasing use of electronic media has provided businesses in every sector with both greater commercial opportunities and greater exposure to exploitation. Without awareness of the wide range of risks facing companies operating in cyberspace, the cost to business of an attack or a breach can be significant. These costs will increase further if mandatory data breach reporting is adopted in Australia.

By planning ahead with a risk management strategy involving cyber risk insurance, companies that grow more dependent on their electronic systems can prepare to limit the damage to their networks, their customers and their reputations.

James Bai