The November 2018 Cyber Risk & Insurance Report by insurance governance expert Mactavish has shone a spotlight on common cyber cover limitations, and now a Financial Times report is pointing to a rise in disputes between policyholders and providers.
The newspaper cited a particular case involving Everest National Insurance Company and the National Bank of Blacksburg, wherein the insurer offered to pay US$50,000 and not the US$2.4 million being claimed by the bank after the latter incurred losses from cyberattacks. The dispute will be heard in court in 2019.
“The mismatch between what people think they have bought and what they have actually bought is often very significant,” the Financial Times quoted Mactavish technical director Rob Smart as saying. “The products are put forward as an all-singing, all-dancing solution to cyber risk, but the reality is more nuanced than that.”
In fact, the Cyber Risk & Insurance Report – which examined standard cyber insurance wordings – listed eight common flaws, including usual exclusions.
“Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions,” noted the Mactavish report seen by Insurance Business. “Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice).”
The British daily also quoted Airmic’s Julia Graham as stating that insurance companies “are not offering the breadth of cover that people would like.”
CFC Underwriting chief innovation officer Graeme Newman, however, suggested that the scope issue isn’t what it is alleged to be. Cited by the publication as saying that “policies are written in a very open way,” Newman added that they deny fewer cyber claims compared to other lines of business.
Meanwhile, brokerage giant Marsh told Insurance Business that the coverage dispute arising from the National Bank of Blacksburg incident does not actually involve a cyber policy.
In a recent report it published in response to what it described as confusion surrounding the case, Marsh said: “At issue instead is whether the loss resulting from this attack triggers coverage under the bank’s C&E (computer and electronic) rider to its FI (financial institution) bond.
“The Blacksburg case raises two key questions: 1) Which policies should respond to various types of loss – cyber (network security and liability) or crime (FI bond)? 2) Has the FI bond form sufficiently kept pace with evolving exposures to provide meaningful coverage to financial institutions?”
It added that risk professionals should pay specific attention to potentially broad exclusionary language to ensure that policies provide appropriate coverage for otherwise covered losses caused by cyber perils.