For years, network security professionals have been saying “either you have been data breached or you just do not know that you have been data breached.” As the lives of both private individuals and businesses are increasingly dominated by technology and lived on the internet, data breaches are an inescapable fact of life. The purpose of cyber insurance is to mitigate the risks of data breaches and the sometimes significant costs resulting from them.
Silvi Wompa, who heads Willis Towers Watson's Financial Industry Group for Western Europe,
explains that although cyber insurance has been available in the market for over a decade, many network security professionals have yet to hear about the possibilities. Insurance cover has been most successfully used as a risk transfer option in those countries that have mandatory data breach notification laws – as the cost of notifying affected users can be extremely high.
The US is a clear example, where 46 of the 50 states have mandatory requirements for data-breach notification. In Europe, the impending draft EU Data Protection Regulation
includes mandatory notification of breaches, but the scale and timing of this new regulation is still to be determined.
What Risks are Covered?
Today, cyber insurance is designed to address two separate issues.
Firstly, the challenges connected to business’ increased dependence on IT networks, third party IT and business processing providers.
Secondly, the risks that come with the abundance of digital assets and private data with companies collect and store.
A policy normally includes:
First-Party Network Loss
Damage to digital assets: Costs to recollect, recreate and reconstitute the digital assets of the insured which is damaged or lost, altered, corrupted, distorted or stolen and any other costs to prevent, minimise or mitigate any further damage.
Non-physical business interruption and increased cost of working: Income loss and interruption expenses incurred by the insured during the period of restoring the network directly as a result of the total or partial interruption, degradation in service or failure of the computer network
Privacy and Security Liability
Third-party and employee privacy liability: Damages and legal fees as a result of privacy legislation
Security liability: Third-party damages and legal fees as a result of unauthorized use or access to networks or data, transmission of a virus, denial of service attacks and other computer crime.
Damages and legal fees as a result of a wrongful act in the course of publishing content in electronic or print media, including online social media platforms
Privacy Regulation Defence, Awards and Fines
Expenses resulting from investigation, adjustment, defence and appeal of regulatory proceedings
Privacy regulatory fines and penalties where insurable by law
Crisis Management and Reputational Expenses
Costs to employ specialist forensic experts and solicitors to investigate and respond to a privacy breach or system failure
Costs to notify victims of privacy breaches and provide them with identity theft assistance and costs for PR-related services to mitigate reputational harm
Costs to engage crisis management experts and pay ransoms if this is deemed necessary.
What Risks are Not Covered
Typical exclusions include:
Death, bodily injury or loss of/damage to tangible property
Losses from facts known before the beginning of the insurance period by the CEO, CFO, CLO or CIO of the insured
Losses from any criminal acts of the CEO, CFO, CLO or CIO of the insured
Losses from failure/outage/disruption of power, utility services, satellites or telecom services not under the direct control of the insured
Losses from war or civil uprising
Losses from the bankruptcy or liquidation of the insured
Losses arising from wind, flood, earthquake etc.
Financial institutions are often able to acquire more than $300 million in capacity
Many insurers are moving into cyber insurance, but appetite varies substantially, especially for financial institutions. Premiums are dropping, but not every insurer is keen to write primary insurance. Many insurers use third-party specialists for risk evaluation. The underwriting process typically takes some time to complete.
Financial institutions are able to acquire more than US$300m in capacity, if there is a willing primary insurer.
Different policies address cloud services very differently. Make sure that the policy chosen matches the infrastructure of the client.
Make sure that all parties agree on how to show that a security breach has occurred, especially in outsourced environments.
Claims handling is done through third party specialists. Some insurers insist on pre-approved vendors, some agree to pay reasonable rates. Make sure that all parties agree upfront on how to handle insured events.
There are a number of issues that insurers are now starting to address, all in their own fashion.
Aggregation issues from cloud services are starting to worry insurers. Some are starting to map these exposures, while others shy away from covering them.
The large retail breaches in the US have had some influence on the ability to insure credit card activities in Europe.
The pending privacy legislation in the EU, the General Data Protection Regulation
(GDPR), will have an impact on the privacy liability part of the cyber policies. Clients need to understand how the GDPR affects them, in order to have these exposures insured.
US state and federal regulators are constantly reviewing and updating their cyber rules and requirements
Read more on the Willis
Towers Watson Wire