Cyber Insurance 101: Best Practice Tips for Maximising Cyber-Insurance Recoveries
Anne Hoffman and Tristan Smith from Herbert Smith Freehills explore the role of cyber insurance and how it relates to the cyber incidents that businesses may face.
Anne Hoffman
Tristan Smith
Introduction
After a considerable increase in major cyber incidents affecting businesses globally and an expectation that the complexity and severity of cyber incidents is likely to trend upwards as systems and services increasingly digitise, cyber-risk mitigation is a top priority for boards and management.
The recent uptick in major cyber incidents globally has sharpened the focus in boardrooms on implementing a range of cyber-risk mitigation strategies in their businesses. There is increasing acceptance of the fact that it is no longer a question of “if” but “when” a cyber incident will strike.
As part of contingency planning, businesses are looking closely at their insurance policies to understand what coverage they may have to mitigate the financial fallout from a major cyber incident.
Importance and Complexity of Cyber-Risk Insurance
When cyber risk has the potential to affect all areas of business and result in significant financial, operational and reputational losses, recoveries may be drawn from a range of insurance policies.
These losses may fall within the scope of traditional policies such as:
- directors’ and officers’ liability (D&O liability);
- fraud/crime liability;
- public liability; and
- property damage and business interruption policies in certain circumstances (a US appeals court recently found that pharmaceutical giant Merck was entitled to recover USD1.4 billion under an all-risks property insurance policy following a cyber-attack).
Insurers have, however, been working to exclude so-called “silent” cyber coverage (ie, non-express cover for cyber-related losses available in traditional liability/property policies) in appropriate cases, and the scope of coverage available in those policies depends on policy terms.
In response to business demand for tailored cyber-insurance products, standalone cyber-insurance policies have emerged, designed to help businesses protect themselves from the financial and legal consequences of cyber-attacks, data breaches, and other cyber-related incidents.
Cyber-insurance policies can provide certainty for businesses seeking to insure their potential cyber exposures. However, it is important to know the effect of the specific policy wording – what it covers, and what it does not – and to ensure that it is aligned with the specific business risks.
In practical terms, maximising potential recovery means the following.
Knowing which policy covers which loss
The fallout from a cyber-incident can vary, potentially causing any (or all) of:
- direct financial loss;
- consequential business interruption loss; and
- significant financial loss associated with incident response, regulator investigations, class actions, third-party claims and reputational issues.
It is essential to understand which policy covers what loss, and to what extent/limit.
Knowing which events are covered
Cyber-attacks are becoming more sophisticated as part of an ongoing arms race alongside increasing investment in cyber defences.
It is important to ensure the policy wording is fit for purpose to cover the latest types of cyber incidents affecting the relevant business or sector.
For example, it is important to know whether the policy covers:
- incident response costs – legal advice, data recovery expenses, IT expenses to isolate the cause and contain the breach, customer, employee and regulatory notification expenses, reputation and public relations expenses and/or credit monitoring or identity theft protection services provided to customers;
- liability costs – legal liability and defence costs for third-party claims brought by customers, employees, regulators or other third parties who are alleged to have suffered loss or damage due to a cyber incident;
- civil fines/penalties – paying civil fines or penalties imposed by regulators for violating data protection laws;
- extortion/ransom costs – paying ransom or other demands to end a cyber incident or prevent the release of sensitive data; and
- business interruption costs – lost profits or increased costs of working due to a cyber incident disrupting normal business operations.
Policy terms are crucial to the success of a claim – for example, in the recent decision in Inchcape v Chubb [2022] FCA 883, the terms of a valuation clause requiring “loss of, or damage to, electronic data” were critical to the court’s decision to deny coverage (noting though that the decision did not involve a specific cyber policy).
It is therefore important to have a thorough understanding of the cover provided by the policy, as this will assist with business-as-usual cyber-risk mitigation planning as well as save critical time for getting across the terms of the policy in the event of a cyber incident.
Engaging with insurers early
As with any insurance claim, early engagement with insurers is important when faced with a cyber incident or facts and circumstances which are reasonably likely to lead to a cyber incident. This is especially important for business-critical cyber incidents where insurers can often offer breach response assistance and services to help stop an attack and limit losses.
Obtaining early independent advice is essential
Given the time pressure and range of issues to be addressed in the event of a cyber incident, there are key advantages in seeking advice from a firm that acts for policyholders to avoid lengthy conflict checks.
Summary
In the current climate, it is important for businesses to be well acquainted with their insurance programme and how it might assist to reduce the financial fallout from a cyber-attack. As the effects can be so varied, this is not an easy task and requires regular scrutiny.
Anne Hoffman is a partner in Herbert Smith Freehills’ disputes team, specialising in insurance.
Tristan Smith is a senior associate in Herbert Smith Freehills’ disputes team, specialising in insurance.
Herbert Smith Freehills LLP
