CYBER INSURANCE: AN OVERVIEW

This document is published by Practical Law and can be found at: uk.practicallaw.com/w-026-4193
Get more information on Practical Law and request a free trial at: www.practicallaw.com

This note provides an overview of cyber insurance, including the type of risks covered, some typical insurance RESOURCE INFORMATION
terms and risks that might be excluded. It also provides information on arranging cover, handling claims and
risk management by the insured, and provides some tips for maximizing insurance recoveries.
RESOURCE ID

by Steven Hadwin, Norton Rose Fulbright LLP and Jamie Monck-Mason, Willis Towers Watson w-026-4193

RESOURCE TYPE

CONTENTS Practice note

• Scope of this note – Data protection regulatory fines and costs cover PRINTED ON

• What is cyber insurance • Some typical insurance terms 3 August 2020

– What is cyber risk? – Conditions JURISDICTION

– History and future of cyber insurance – Duty to defend England, United Kingdom, Wales

– Purpose of cyber insurance – Typical exclusions

– Risk mitigation for the insured – Amount of cover
• Cyber insurance policy coverage • Handling claims
– Scope of cover • Arranging cover
– First and third party risks – Merger and acquisition considerations
– Incident response cover • Risk management by the insured
– Cyber business interruption cover – Issues facing insurers
– Cyber extortion cover • Tips for maximising recoveries
– Privacy and security liability cover

SCOPE OF THIS NOTE

Cyber is now one of the most significant risks facing companies and the insurance market.

This note explains cyber insurance and provides information on:

• Key terms and features of cyber insurance coverage (including scope, amounts and policy construction).

• How insurers handle cyber insurance claims.

• The process for arranging a cyber insurance policy.

• Merger and acquisition considerations for the insured.

• Practical guidance for managing cyber risk and maximising recoveries in the event of a loss.

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

WHAT IS CYBER INSURANCE

Unlike more traditional lines of insurance, cyber insurance can vary significantly in scope between different
insurers and different policy forms. Generally, cyber insurance may be categorised as insurance which provides
cover for losses relating to damage to, or loss of information from, impairment of the service provided by IT
systems and networks (see ABI briefing: Cyber risk insurance). Cyber insurance is either purchased as a standalone
policy or as an extension to an existing policy.

Although some existing insurance policies may, directly or indirectly, provide cover for certain cyber risks, insurers and
insureds may not be fully aware of the scope of cyber risk being underwritten. In addition, the triggers for cyber cover
in existing insurance policies may not apply and as a result, cover may not be provided for cyber related risks.

Standalone cyber insurance has therefore become more popular as this ensures cyber related risks are covered.
It is estimated that the cyber insurance market was roughly worth $4.3 billion in 2019, with the US market
accounting for most of that total (see Visiongain: Cyber Insurance Market Report 2019-2029). As cyber incidents
are becoming more common and severe in nature, seeking effective cyber coverage is becoming increasingly
prevalent. It has been estimated that cyber insurance premiums globally are expected to reach $20 billion by 2025
(see Allianz: A guide to cyber risk (September 2015)).

(For more information on insurance contracts generally, see Practice notes, What is a contract of insurance? and
Insurance contract law: general principles.)

What is cyber risk?

Cyber risks encompass any risks arising out of the use of technology and data.

Cyber risks are more prominent than ever because companies in all sectors have become reliant on the use of
technology and data in the conduct of their business. The results of a survey across selected UK businesses
commissioned in 2018 by the Department for Culture, Media & Sport demonstrate that on average, 11% of senior
managers were updated on a daily basis regarding action taken around cyber security (see Cyber Security Breaches
Survey 2019). The results also highlighted that around a third (32%) of businesses had reported cyber security
breaches or attacks in the previous 12 months. As in previous years, this is much higher specifically among medium
businesses (60%), large businesses (61%) and high-income charities (52%). (For businesses, analysis by size splits
the population into micro businesses (one to nine employees), small businesses (10 to 49 employees), medium
businesses (50 to 249 employees) and large businesses (250 employees or more).

Cybercrime also has a huge financial impact. In 2018, it was estimated that close to $600 billion, nearly 1% of
global GDP, is lost to cybercrime each year, which is up from a 2014 study that put global losses at about $445
billion (see Center for Strategic and International Studies: Economic Impact of Cybercrime: No Slowing Down).

The Prudential Regulation Authority’s (PRA) supervisory statement on cyber insurance underwriting risk (SS4/17)
identifies two types of cyber risks:

• A loss resulting from malicious acts (that is, cyberattacks or infection of an IT system by malicious codes).

• A loss resulting from non-malicious acts (that is, loss of data or accidental acts or omissions).

For more information, see Legal update, PRA policy statement on cyber insurance underwriting risk.

Therefore, cyber risks can be either deliberate or accidental. Cyber risks can also be first party and third party in
nature (see Scope of cover).

The range of cyber risks and losses arising from cyber incidents are broad, and may include the following:

• Property damage.

2 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• Business interruption.

• Reputational damage.

• Loss of intellectual property.

• Cyber extortion.

• Theft or loss of data.

• Death or bodily injury.

• Privacy claims brought by employees.

• Privacy claims brought by third parties.

• Crisis management costs (public relations, IT forensics, credit monitoring or legal costs).

• Regulatory penalties.

• Regulatory investigations.

Note that not all cyber risks, as identified above, are necessarily covered by most cyber insurance policies.

History and future of cyber insurance

Cyber insurance first emerged around a generation ago, primarily in the US. It was used to insure business interruption
and, particularly, damage to data exposures caused by the dot-com bubble. However, take-up was limited.

As the internet and payment networks grew, concerns over vulnerabilities increased. The enactment of the California
Security Breach Information Act, SB1386, which regulated the privacy of personal information, proved to be a turning
point for the cyber insurance business in the US. The legislation imposed obligations on those handling data to disclose
adverse cyber incidents to the authorities and to those affected. Similar legislative changes across US states have been
among the primary drivers for the cyber insurance market. This tougher legislative approach has been reflected in the
EU by the General Data Protection Regulation 2016/679 (GDPR) which came into force on 25 May 2018.

GDPR, DPA 2018 and NIS Regulations

Article 5(1)(f) of the GDPR contains the principle of “integrity and confidentiality”, also referred to as the security
principle. This requires that personal data should be processed in a manner that ensures appropriate security,
including protection against unauthorised or unlawful processing, and also against accidental loss, destruction
or damage and using appropriate technical or organisational measures. In addition, the accountability principle
in Article 5(2) requires controllers to be able to demonstrate compliance with the principles. This is supplemented
by Article 32 which provides more specific requirements for security. While the security principle only applies
to controllers, Article 32 applies to both controllers and processors and Article 28 requires processors to be
contractually bound to take the security measures required by Article 32. The GDPR also imposes an obligation to
record and report certain data breaches (Articles 33 and 34, GDPR).

The GDPR provides data subjects and national supervisory authorities (SAs) with significant powers to enforce its
provisions and obtain compensation for its breach. Among other things, SAs are granted:

• Several investigative, corrective and authorisation and advisory powers (Article 58, GDPR).

• The power to impose administrative fines on controllers and processors (Article 83) of up to 4% of an
undertaking’s total worldwide annual turnover or EUR20 million.

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 3
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

The UK passed the Data Protection Act 2018 (DPA 2018) on 23 May 2018. The DPA sets out the framework for data
protection law in the UK. It updates and replaces the Data Protection Act 1998, and sits alongside the GDPR.
While it tailors how the GDPR applies in the UK, it ultimately provides for UK law alignment with the GDPR beyond
Brexit. It also sets out separate data protection rules for law enforcement authorities, extends data protection to
some other areas such as national security and defence, and sets out the Information Commissioner’s functions
and powers. (For more information on the GDPR and the DPA 2018, see Practice notes, GDPR: key provisions and
what businesses should be doing to comply (UK), Data Protection Act 2018: overview, Data breach notification (GDPR
and DPA 2018) (UK) and Data security under the GDPR (GDPR and DPA 2018) (UK).

Although the UK left the EU on 31 January 2020 (exit day), during the UK-EU transition period (31 January to 31
December 2020) the UK will continue to be treated for most purposes as if it were still an EU member state, and
most EU law (including as amended or supplemented) will continue to apply to the UK. This means that the GDPR
continues to apply in the UK until the end of the UK-EU transition period, sitting alongside the DPA 2018.

After the end of the transition period, the Data Protection, Privacy and Electronic Communications (Amendments
etc.) (EU Exit) Regulations 2019 (SI: 2019/419) (DP Brexit Regulations), will come into force and will introduce a
new UK GDPR by merging the GDPR and the applied GDPR (which arises under the DPA 2018) into the UK GDPR.
The GDPR will be known as the EU GDPR. For more information on the impact of Brexit on data protection, see
Practice note, Brexit: implications for data protection.

The Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) came into force in the UK
on 10 May 2018, implementing the Directive on Security of Network and Information Systems ((EU) 2016/1148) (NIS
Directive and sometimes referred to as the Cybersecurity Directive). Like the GDPR, the NIS Regulations impose
security and incident reporting requirements and provide for high penalties (up to £17 million, regulation 18(6)).
However, their focus is on security of IT systems, rather than security of the personal data processed by those
systems. In practice, the two regimes are often inextricably linked although only two groups of businesses or other
organisations are covered by the NIS Regulations:

• Operators of essential services (OES) that are critical to the economy and wider society, including energy,
transport, healthcare, drinking water supply and distribution and digital infrastructure (such as internet
exchange points, domain name system service providers and top-level domain name registries).

• Relevant digital service providers (RDSP) in the UK, such as providers of online marketplaces, online search
engines and cloud computing services.

For more information on the NIS Regulations, see Practice note, Cybersecurity Directive: UK implementation. For
information on the impact of Brexit on cybersecurity, including the NIS Regulations, see Practice note, Brexit:
implications for cybersecurity in the UK.

Increased regulation, including implementation of the GDPR and the NIS Regulations, has led to an increased
demand for specialist cyber insurance, as the risks of regulatory fines and GDPR-related liabilities have
increased. High-profile cyber-attacks causing significant business interruption losses, such as the WannaCry
and NotPetya cyberattacks, have stimulated further interest in cyber insurance in recent years (see Purpose of
cyber insurance).

Cyber insurance cover has evolved over time to reflect the expanding cyber risk landscape, exacerbated by the
proliferation of cloud computing and big data (see Practice notes, Cloud service provision: overview and Legal
aspects of managing data). This evolution will continue as technology and the legal/regulatory positions develop.
What looks like cyber insurance today may change significantly in the future, but the same link to technology
dependency will remain. As a result of the changing nature of the risk, the scope of cyber insurance cover is itself in
a constant state of evolution (see Scope of cover).

Studies suggest that the cyber insurance market is still believed to be in its infancy. Specifically examining
insurance taken up by corporate, public sector, and not-for-profit organisations between 2013 and 2017, it is
predicted that by 2021 the most rapid premium growth will come from cyber cover, based on 23% annual growth
in cyber premiums for the period and worldwide premiums forecast to be worth $4 billion by 2021.

4 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

Purpose of cyber insurance

Cyber insurance serves two main purposes:

• Risk mitigation for the insured.

• To fill in the gaps left by existing insurance policies.

Risk mitigation for the insured

First, cyber insurance can operate to indemnify an insured for its financial and business interruption losses caused
by cyber risks. Second, it can operate to indemnify an insured for its legal and regulatory exposure. Companies are
becoming more conscious of this exposure as they are being required to meet higher standards in terms of data
protection and cybersecurity. This is particularly the case in the UK, both under statute and as a result of recent
case law.
As discussed in History and future of cyber insurance, the GDPR imposes several obligations of this nature and as
has been well-publicised, if data controllers breach GDPR obligations, they can be fined the greater of EUR 10m
or EUR 20m (depending on breach), or 2% or 4% of the total annual turnover (see GDPR, Articles 83 and 84).
Similarly, the NIS Regulations provide for fines of up to £17 million for breaches of the cybersecurity and incident
notification requirements imposed on OESs and RDSPs.

In addition to the GDPR and the NIS Regulations, case law has imposed further liability on companies in matters
relating to data privacy and cyber risks more generally. In Vidal-Hall v Google Inc [2014] EWHC 13 (QB), the courts
held that tortious claims for misuse of private information can be brought in the English courts and damages
under section 13 of the Data Protection Act 1998 may be awarded for non-tangible loss, which included emotional
distress (see Legal update, High Court will hear Safari users’ case against Google). This position has since been
effectively codified under the Data Protection Act 2018. The Court of Appeal has also found that damages are,
in principle, capable of being awarded for loss of control of data under section 13 of the DPA 1998, even in the
absence of distress (see Lloyd v Google LLC [2019] EWCA Civ 1599, considered in Legal update, Representative action
for DPA 1998 claim for compensation against Google appeal allowed (Court of Appeal)).

Article 82 of the GDPR provides a legislative basis for the right to compensation for both “material” and “non-
material” damage caused by infringement of the GDPR. In this context, “non-material” damage includes non-
pecuniary matters such as distress. Since the GDPR entered into force in May 2018, there has been a rapid increase
in the number of claims of this nature being brought by data subjects following data breaches.

Filling the gap

Cyber insurance is also used to fill the gaps which conventional insurance policies leave open. Insureds may
consider that their existing insurance cover will respond to the full range of cyber risks they face. In reality, that is
highly unlikely. Cyber risks are broad and continue to develop and expand. In addition, existing insurance policies
may contain exclusions relating to cyber losses; therefore, potentially exposing a company to financial loss caused
by a cyber risk.

The ongoing US case of Mondelez v Zurich (No 2018-L-11008) highlights the potential dangers in relying on
traditional liability or property policies to cover cyber risk. Specifically, the NotPetya attack infected two of
Mondelez’s servers, with Mondelez estimating that the direct (computer damage) and indirect (supply and
distribution disruptions) costs of the malware damage total over $100 million. In October 2018, Mondelez filed in
the Circuit Court of Cook County, Illinois, an insurance claim for damages with Zurich American Insurance, on the
grounds that its all-risk property insurance policy covered both the direct physical losses and the indirect expenses
incurred during the period of the computer failures.
Mondelez claims that Zurich denied the claim in June 2018 on the sole ground that the policy excluded “loss or
damage directly or indirectly caused by or resulting from … [a] hostile or warlike action”. Much commentary has
emerged as to whether the war exclusion will be held to apply in this context, but what is clear is that cases such
as this one incentivise companies to insure cyber risks under affirmative cyber insurance policies (that is, policies

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 5
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

that explicitly cover cyber risk), rather than looking to more traditional insurance products. (For more information,
see Celso de Azevedo, Cyber Risks Insurance: Law and Practice (Sweet & Maxwell, 2019) Chapter 3, paragraphs
3-030 to 2-031.)

Many insurance claims arising from the NotPetya attack were covered by cyber insurers as such incidents sit more
comfortably within cyber underwriters’ appetites (rather than those of traditional lines insurers) and their claims
teams are more experienced in dealing with such incidents. Had cyber insurers declined claims arising from the
NotPetya attach on the basis that the war exclusion applied, it would adversely have affected their ongoing sales
proposition and reputation.

Cover for cyber risks provided by traditional liability and property policies

The diagram below illustrates various cyber risks, where those risks may be covered under traditional insurance
policies (such as professional indemnity and business interruption policies) and the limitations determining
whether those risks are actually covered under such insurance policies:

The diagram demonstrates that existing insurance policies may sometimes, directly or indirectly, provide cover for
certain cyber risks. The PRA refers to this as:

6 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• Affirmative cyber cover. That is, existing policies that explicitly include coverage for cyber risk.

• Non-affirmative cyber risk. That is, existing policies that do not explicitly include or exclude coverage for cyber
risk; however, the insuring clause is broad enough to include a cyber incident (as long as no exclusions apply).

Insurers face significant exposures through non-affirmative cyber risk. This has led to the PRA setting out its
expectations on the prudent management of cyber insurance underwriting risk and requesting insurers to develop
an action plan to improve their management of and reducing their unintended exposure to such risk. The Lloyd’s
Market Association (LMA) has followed the PRA’s approach and published various model clauses to assist the
property and marine and consumer and commercial property insurance markets in providing clarity of cyber
coverage.

See Legal updates, LMA publishes model cyber endorsements for bankers blanket bond and crime policies and
PRA letter to insurers on managing cyber insurance underwriting risk and Supervisory statement: cyber insurance
underwriting risk (SS4/17).

In this context, it is worth emphasising that, exclusions commonly used in existing insurance policies may preclude
cover for some cyber-related risks. Cyber risks may also be one of several causes of loss. Under English law an
insurer will only be liable for losses proximately caused by the risk covered by the policy. Proximate cause in
this context refers to the dominant, effective or operative cause of the loss. It is possible for there to be multiple
proximate causes of a loss which operate concurrently.

An important issue is therefore whether an insurer will be liable in circumstances where not all of the proximate
causes of a loss relate to risks that an insurer is underwriting (that is, cyber risk). In these circumstances, the
historic position under English law is essentially that:

• Where there are two proximate causes of loss, one of which is specifically covered and the other is neither
specifically covered nor specifically excluded (that is non-affirmative cyber cover), the insurer will in principle
be liable for the loss.

• Where there are two proximate causes of loss, one of which is specifically covered and the other is specifically
excluded (that is, an exclusion of cyber cover), the insurer can rely on the exclusion for the entire loss.

For these reasons, insureds use cyber insurance to protect them against any losses should cyber risks occur rather
than trying to rely on existing and traditional policies which may not cover the breadth and depth of cyber-related
losses and liabilities. Insureds should also be aware that another danger of relying on traditional policies to
cover cyber risks is that cyber liability claims can erode limits and impact renewals of essential and sometimes
mandatory insurances such as professional indemnity insurance for designated professionals.

For more information on the causation principles that apply to insurance contracts, see Practice note, Insurance
contract law: general principles.

CYBER INSURANCE POLICY COVERAGE

There are certain common features present in cyber insurance policies. This section explains the following in detail:

• Scope of cover.

• Amount of cover.

Scope of cover

Given the broad nature of cyber risks, cyber insurance cover tends to be wide-ranging. Forms of cyber insurance
are many and varied, but typically include cover for loss arising from:

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 7
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• Crisis management (incident (or breach) response) costs, including notification expenses, IT forensics
expenses, legal advice, public relations costs, credit monitoring and call centres.

• Non-physical business interruption.

• Cyber extortion.

• Privacy liability.

• Confidentiality liability.

• IT security liability.

• Data protection regulatory fines and costs.

Some cyber wordings (but by no means all) may also provide cover for:

• Theft of monies through social engineering.

• Long-term reputational damage (which is difficult to quantify but is commonly measured by loss of customers
or loss of profit attributable to adverse publicity generated by the cyber incident).

• Property damage (including for operational technology, industrial control systems and the “internet of
things”).

• Technology professional indemnity cover.

• Costs and liabilities relating to breaches of Payment Card Industry Data Security Standards.

• Media liability (online or multi-media) for intellectual property infringement, defamation and other liabilities.

First and third party risks

Cyber insurance policies cover both first party and third party losses, normally through separate insuring clauses
and sometimes through optional extensions and endorsements. First party losses occur when there is loss and/or
damage to the insured’s own business or data as a result of a cyber incident (for example, business interruption,
loss or damage to digital assets, reputational loss, theft, ransom demands or incident response costs). The first
party sections of a cyber insurance policy are typically written on an occurrence basis (in the case of self-evident
cyber incidents such as cyber extortion threats). This means that the policy will cover insured events that occur
during the policy period. Sometimes cover may be provided on a discovery basis (in the case of cyber incidents
which may well remain undiscovered for a long time such as data breaches). The policy will, therefore, cover events
that are discovered during the policy period. This alleviates concerns over a lack of cover for historical hacks,
provided that they could not reasonably be identified until after inception of the policy.

In contrast, third party losses occur when there is (alleged or actual) damage or loss to others, such as an insured’s
clients or customers as a result of a cyber incident. This may include compensation payments to customers for
a breach of personal data controlled by the insured or liability in contract or tort to commercial counterparties
arising out of cyber incidents. The third party liability sections of a cyber insurance policy are typically written on a
claims made basis (similar to professional indemnity insurance). This means that the policy will cover claims that
are made against the insured during the period of cover.

Incident response cover

Cyber insurance will generally cover crisis management costs incurred in dealing with adverse cyber incidents,
especially personal data breaches. Typically, these would include legal, IT forensics (including data restoration,

8 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

and investigation as well as remediation costs), public relations consultant costs and the costs of notifying data
breaches to regulators and data subjects as well as call centre and credit monitoring costs (in the event of a data
breach).

Cyber insurance policies often afford access to a range of pre-agreed service providers for these purposes. It is now
common market practice for large insurers to enter into alliances with law firms, IT forensics and cyber extortion
advisers and PR specialists who are experienced in responding to cyber incidents. Emergency helplines are
sometimes provided to facilitate direct contact with those providers.

Cyber business interruption cover

Cyber-related business interruption losses are typically covered under a cyber insurance policy, subject to
limitations and exclusions. Those losses comprise loss of profits and increased costs of working caused by an
insured event. While traditional business interruption clauses are triggered by physical perils such as fire, cyber
business interruption is triggered by non-physical IT outages caused by cyber-attacks (security failures) or, less
universally, accidental IT outages (system failures). Almost all cyber business interruption cover is subject to
the application of a “waiting period” or “time retention”, that is, a period of time expressed in hours from the
beginning of the IT outage which must elapse before the cover kicks in. From that point on, and unlike other
cyber insurance coverages, no monetary retention will apply to the covered loss. Sometimes, however, insureds
can elect to have the business interruption cover written on what is known as a franchise basis, that is, once the
time retention has expired, the cover will then apply retrospectively to all loss incurred since the beginning of the
outage, albeit subject then to a monetary retention. Whether or not it makes sense to ask for franchise basis cover
will depend on whether an organisation expects a very severe financial impact to the business in the first few
hours of an outage. In any event, cyber business interruption cover is subject to a maximum period of indemnity
expressed, usually, in days (for example 120 days after the outage begins or 90 days after the outage ends).

Recent cyber incidents impacting large corporates, such as the WannaCry and NotPetya malware attacks have
brought the need for business interruption cover into sharp focus.

The WannaCry worldwide ransomware attack that took place in May 2017, targeted computers running
the Microsoft Windows operating system by encrypting data and demanding ransom payments in Bitcoin
cryptocurrency. According to the National Audit Office’s report Investigation: WannaCry cyber attack and the NHS,
it is thought the attack affected more than 200,000 computers in at least 100 countries. Following on from this,
in June 2017 the NotPetya ransomware virus wiped data from systems on an international scale by encrypting files
and destroying master boot records, leaving infected Windows machines unusable. The virus affected computer
systems in Denmark, India and the US, but more than half of those victimised were in Ukraine.

The attack crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European
subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer
Reckitt Benckiser. The NHS also experienced serious business interruption as a result of the WannaCry attack with
80 out of the 236 trusts across England being affected because they were either infected by the ransomware or
turned off their devices or systems as a precaution (see National Audit Office: Investigation: WannaCry cyber attack
and the NHS).

Cyber extortion cover

Cyber extortion insurance claims are among the commonest made under cyber insurance policies, particularly
in recent years in the context of ransomware attacks. Whereas the business interruption section(s) under a cyber
policy will cover the loss of profits and increased costs of working associated with the unavailability of computer
systems resulting from such attacks, the cyber extortion section of the policy will cover specialist cyber extortion
advisers’ costs as well as ransoms. Under English law, there is no blanket prohibition on paying ransoms, although
care has of course to be taken regarding sanctions or when potentially dealing with terrorists.

Because ransoms tend to be lower than the retention applicable under a cyber policy, the chief value in this
cover lies in the access on an emergency basis to specialists who see such attacks on a daily basis and who are

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 9
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

best placed to advise on who might be behind the attack and whether a ransom should be paid or the threat can
otherwise be averted. Those advisers are also skilled at negotiating with extortionists and at facilitating payment
of ransoms.

Privacy and security liability cover

The third party liability sections under a standard cyber insurance policy are generally triggered by either:

• Claims alleging a breach of personal data (or of confidential corporate information).

• Claims made by third parties alleging that they have suffered loss occasioned by the insured’s lack of cyber
security (for example, via the inadvertent transmission of malware).

Unlike “system failure” business interruption cover, third party cyber liability cover is only rarely triggered by errors
or omissions in operating or maintaining computer systems in the absence of a data breach. Many cyber insurers
feel that those exposures more properly fall to be addressed by professional indemnity insurers. As noted above
(Purpose of cyber insurance), privacy liability claims have become far more common since the coming into effect
of Article 82 of the GDPR. Claimant lawyers increasingly see privacy liability class actions as a lucrative source of
revenue. The ground-breaking Court of Appeal decision in Lloyd v Google LLC [2019] EWCA Civ 1599, considered
in Legal update, Representative action for DPA 1998 claim for compensation against Google appeal allowed (Court
of Appeal) potentially makes it easier for claimants to successfully represent a class, now that it is no longer
necessary to even establish distress on the part of individual members of that class.

The liability coverages under a cyber policy will always cover damages, settlements and defence costs, but care
occasionally needs to be exercised to ensure that slavishly copied US wordings do not exclude claimants’ costs. As
is the case with incident response providers, care should always be taken to ensure that the identity and rates of
defence lawyers are agreed with insurers before costs are incurred. On smaller placements, insurers are less likely
to be flexible about using any firm that is not on their own panel. In practice, defence lawyers will usually be those
appointed by or agreed with the insurer and the insurer will (once the retention is eroded) pay them direct net of VAT.

Data protection regulatory fines and costs cover

Cyber insurance policies cover data protection fines and penalties “to the extent insurable at law”. In practice, this
is likely to mean that insureds will not be able to obtain an indemnity for any fines imposed for wrongdoing on
the part of an insured which led or contributed to a cyber incident. This is because under English law, the ex turpi
causa doctrine applies whereby an individual cannot pursue a legal remedy if it arises in connection with his or her
own illegal act, as it is contrary to public law, policy and interest (see In the estate of Crippen [1911] P. 108 and Patel
v Mirza [2016] UKSC 42, considered in Legal update, Supreme Court adopts “range of factors” approach to illegal
transactions, and overrules reliance test). This doctrine applies not only to criminal acts but also “quasi-criminal”
acts which may include the “infringement of statutory rules enacted for the protection of the public interest which
gives rise to civil sanctions of a penal character” (see Les Laboratoires Servier and another v Apotex Inc and others
[2014] UKSC 55). It may be possible to recover fines and penalties imposed where there has been no wrongdoing
on the part of the insured. However, significant fines are likely to be imposed only in circumstances where there is
considered to be at least some degree of culpability on the part of the company. There is, at the time of writing, no
case law in England and Wales concerning the insurability of data protection fines per se, and it will be interesting
to see on a case by case basis whether the type of wrongdoing that might be associated with a negligent failure to
protect data will lead to the application of the ex turpi causa doctrine. Following a call for clarity on the insurability
of fines and penalties for privacy breaches, the Organisation for Economic Co-operation and Development (OECD)
has recommended that governments should provide a clear statement on the insurability of fines, penalties and
ransoms in their jurisdiction. Any decision limiting insurability should consider the possibility of exceptions for:

• In the case of fines, situations where the insured was not directly negligent.

• In the case of ransom payments, where the payment of a ransom is necessary to avoid significant harm to life
or property.

10 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• In the view of the OECD, a consistent approach to the above issues across jurisdictions would reduce the risk of
insurers providing coverage for uninsurable losses on a cross-border basis and support a level-playing field for
insurance providers and policyholders (see OECD report, Encouraging Clarity in Cyber Insurance Coverage: the
role of public policy and regulation).

In any event, cyber insurance normally covers legal costs incurred in responding to investigations or actions
brought by data protection regulators, and there is no legal objection whatsoever to insuring those costs.

SOME TYPICAL INSURANCE TERMS

Conditions

Cyber insurance policies typically include terms relating to, for example, notification, claims co-operation,
settlement and other insurances. Depending on the drafting of the insurance policy, compliance with those
terms by the insured may be required as a condition precedent (although insurers often relax that requirement by
negotiation pre-inception). If a condition precedent is not fulfilled, either the insurer does not come on risk (if the
condition is precedent to the validity of the policy or to the attachment of the risk), or the insured is prevented from
making a particular claim (if the condition is precedent to the insurer’s liability).

Notification clauses

It is common for cyber insurance policies to contain notice provisions.

Typically, a cyber insurance policy will require the insured to notify insurers of:

• Any first party loss or third party claim arising from an insured cyber risk.

• Any circumstances which are considered to give rise to a potential claim under an insured cyber risk. As with
other lines of insurance, if an insured fails to notify a circumstance which may give rise to a claim, they run the
risk of having no cover in place for the resulting claim if it is made in a subsequent policy period. Cyber policies
are inconsistent in requiring (or not requiring) an insured to notify circumstances, but to avoid jeopardising
cover, insureds are well advised to notify.

Compliance with notification requirements may be expressed as a condition precedent to the insurers’ liability.
This means that if the condition is breached, the insured will be prevented from making the particular claim even if
the insurer has not suffered any prejudice.

Claims co-operation

Cyber insurance policies often contain some form of claims co-operation clause. These clauses require the insured to
co-operate with the insurers, such as disclosing information following a cyber risk giving rise to a claim, so that insureds
can substantiate claims. If the insured fails to co-operate, it is sometimes a condition precedent under the policy that
the insured is prevented from making the particular claim. Care should be taken in the application and reliance of
claims co-operation clauses following the decision of the Court of Appeal in Ted Baker plc v AXA Insurance UK plc [2017]
EWCA Civ 4097. In that case, the court held that insurers have a “duty to speak” and are likely to be estopped if they are
silent and then later rely on a defence of a breach of an insurance clause as a reason to escape the claim. This is by no
means a hard and fast rule, as whether insurers can rely on a policy clause to escape liability depends on the facts and
actions taken (for more information, see Legal update, Insurers could not rely on breach of condition precedent because
they failed to tell insured that they still regarded documents as outstanding (Court of Appeal)).

Other insurance

Cyber insurers are conscious of the fact that their policies will generally be purchased to fill the gaps left after
the purchase of more traditional insurance policies such as professional indemnity or property policies. “Other

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 11
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

insurance” conditions are therefore commonplace. Insurers’ standard form policies typically state that the cyber
insurance will apply excess of any other valid and collectible insurance. A more nuanced approach is for the
third party liability sections of the cyber policy to apply as excess policies, but for the more specialised first party
sections (for example, business interruption, cyber extortion and incident response) to apply as primary policies.

Insured’s consent to settlements

Unlike more traditional liability insurance contracts, cyber insurance contracts, drawing on US precedents, often
contain a condition (often known as a hammer clause) whereby, in the event of an insured withholding consent
to a demonstrably achievable settlement of a liability claim, the insurer will be obliged (if they wish to tender the
settlement sum and then walk away from the defence of the claim) to not only pay defence costs incurred to date,
but also to meet a stated percentage of defence costs incurred thereafter until the final resolution of the claim.
Sometimes those hammer clauses require the insurer to pay not only a percentage of the ongoing defence costs,
but also a stated percentage of the final damages or settlement sum if that sum exceeds the earlier settlement
that was rejected by the insured.

Duty to defend

Because the earliest cyber insurance policies were developed in the US, several features associated with US
insurance policies can still be found in English cyber wordings. For example, it remains common to see conditions
imposing on insurers a positive duty to defend the claim against the insured. In contrast, under traditional liability
policies, insurers typically have the right but not the duty to take over the defence of a third party claim.

Typical exclusions

Cyber insurance policies will usually contain exclusions. These may include the following:

• Malicious acts. Although policies usually provide cover for accidental acts, that cover will not extend to
deliberate breaches or acts by the insured. Deliberate acts by rogue employees, such as in the case of WM
Morrisons Supermarket plc v. Various Claimants [2018] EWCA Civ 2339, however, will be covered, if those acts
are not committed or condoned by the insured’s senior management. (For more information, see Legal update,
Employer vicariously liable for employee’s disclosure of co-workers’ personal data (Court of Appeal). Note that the
decision of the Court of Appeal on vicarious liability of the employer was overturned by the Supreme Court in
WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, considered in Legal update, Employer not
vicariously liable for data protection breach committed by an employee (Supreme Court).)

• Recklessness or negligence. Policies may also contain an exclusion where the insured has, for example,
negligently failed to maintain adequate security systems or, more commonly, failed to patch or update
systems. Those exclusions are, however, controversial and are increasingly rare.

• Known cyber incidents. Cyber policies will often exclude cover where the insured knew, or should reasonably
have known, of a cyber incident and failed to disclose this on inception of the policy. Insurers usually run a
lengthy disclosure exercise before a policy incepts, so that they can calculate and underwrite their risk. If an
insured fails to disclose a known cyber incident, cover is typically excluded. This is not to be confused with
unknown cyber incidents before the inception of a policy. (For more information on the duties owed when
presenting a risk to insurers, see Practice note, Insurance: the pre-contractual duty of fair presentation under the
Insurance Act 2015.)

• Double insurance. Policies will often contain an exclusion which prohibits the insured from claiming under
the insurance policy if the cyber risk is already covered under another insurance policy. This is to be expected
in circumstances where a cyber insurance policy is intended to fill the gaps between the cover provided by
existing traditional insurance policies. The issue of double insurance is typically addressed by the inclusion of
an “other insurance “ clause (see Other insurance) but sometimes both an other insurance clause and a double
insurance exclusion are found in tandem in a policy.

12 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• War and terrorism. Policies will inevitably contain exclusions of liability for cyber related losses resulting from
acts of war and terrorism, although these exclusion clauses are sometimes less onerous than those adopted in
traditional lines such as property insurance. As has been noted above, the grey area of suspected nation state
sponsored cyberattacks, such as WannaCry and NotPetya in 2017, sit more naturally within cyber insurers’
underwriting appetite and many related claims have been met by cyber insurers. With regards to terrorism,
local law may of course prohibit insurers from paying out a claim for ransom loss if there is reason to suspect
that the cyber extortionists may also be terrorists. For example, under section 17A(1)(b) of the Terrorism Act
2000, it is an offence for an insurer to make a payment under an insurance contract if the payment is made in
response to a demand for the purposes of terrorism.

• Infrastructure. Concerns over aggregated cyber risk mean that cyber insurance policies invariably exclude
loss arising from the failure of utilities such as electricity, gas and water as well as internet service providers,
telecommunications and satellites.

• Betterment. Cyber insurance policies are not generally intended to put an insured in a better position than they
would have been in in the absence of a covered risk, and they therefore exclude the cost of restoring computer
systems to a higher standard of functionality than was originally the case. However, these exclusions can
sometimes be tempered to allow for affirmative cover, for example, where an original component or program
can no longer be purchased, so as to provide for the cost of the nearest up-to-date equivalent.

• Bodily Injury and property damage. Personal injury is invariably excluded from cyber insurance cover
(save for distress or anxiety in the context of privacy liability, and sometimes defamation, claims). Tangible
property damage is normally excluded, but exceptions can be negotiated, for example, for certain industry
sectors or, increasingly, in the context of “bricking”. Bricking refers to hardware devices being rendered
useless by malware, and bricking endorsements (carving back property damage exclusions) may allow for the
replacement cost of that hardware, and for associated data restoration or business interruption exposures.

• Assumed liability under contract. Cyber policies typically contain exclusions relating to liability arising from
guarantees and liquidated damages. However, these exclusions are often softened by the qualification that
such liability that would have existed in the absence of the assumption of liability will in any event be covered.
(For information of liquidated damages, see Practice notes, Contracts: agreed remedies and Contracts: debt and
damages, liquidated and unliquidated claims.)

• Retroactive date. Some policies include a retroactive date exclusion relating to claims arising from wrongful
acts committed before a particular date specified in the policy. This exclusion seeks to prevent insurers from
having to indemnify the insured for claims brought during the policy period which relate to events which
occurred many years earlier.

Amount of cover

Cyber insurance policies will usually specify an aggregate limit of liability and are also likely to specify certain
retentions. Different limits and retentions may often be applicable to different insuring clauses or endorsements.

Retentions

A retention (also known as self-insured retention or SIR) is an amount the insured will have to pay before the
insurance attaches. Most retentions are monetary retentions but “time retentions” or “waiting periods” are
also commonly found in relation to cyber business interruption (see Cyber business interruption cover). If the loss
claimed is less than the amount of the retention (see below), the insured must bear all the loss. Generally, an
increase in retention will reduce the amount of premium.

For example, a policy may have a sum insured of £1 million (the limit of liability) and have a retention of £20,000.

• Scenario one: the cyber loss is at £10,000 (less than the retention). In this instance, the insured will bear the
full loss of £10,000.

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 13
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

• Scenario two: cyber loss is at £500,000 (more than the retention but less than the limit of liability). In this
instance, the insured will pay the first £20,000 and the insurer will pay the remaining £480,000.

• Scenario three: cyber loss is at £1.5 million (more than the retention and limit). In this instance, the insured will
pay the first £20,000, the insurer will cover the next £1 million and the remaining £480,000 will be at the cost
of the insured. Deductibles, which are relatively rare in cyber insurance, operate to erode the limit of liability;
whereas retentions do not. If, in this example, the policy had a deductible of £20,000, the insurer would only
pay £980,000.

The above examples are purely illustrative and for large risks with large limits of liability, retentions are often
measured in millions of pounds.

Limits in the aggregate

Cyber policies generally have an aggregate limit of liability rather than being written on an each and every claim
basis. The aggregate limit sets out the total sum that will be paid over the policy’s duration, which means that
multiple claims can together erode the limit notwithstanding that each of those claims may fall within the limit.

Aggregation of claims

Cyber insurance policies will usually contain aggregation language, which operates so that related or similar
claims are treated as one single claim. How this operates will depend on the specific form of words used in a
particular insurance policy, but the overall purpose of aggregation is to minimise the insurer’s exposure so that the
total pay-out does not exceed the agreed per-claim limit. However, aggregation can benefit the insured as it may
allow the insured to pool together several smaller losses so that the overall loss suffered exceeds the retention and
triggers the liability of insurers.

The wording to determine which claims will be classed as “separate” or “similar/related” in aggregation
clauses will need to be carefully considered between the insurers and the insured. This is because in a dispute,
ambiguous wording could alter the interpretation on whether an aggregation clause applies. In AIG Europe Ltd
v OC320301 LLP [2017] UKSC 18, the Supreme Court held that determining whether transactions were related
for the purposes of aggregation involved an exercise of judgment. The court considered the interpretation of
an aggregation clause which concerned multiple claims arising from the same act or omission or similar acts
or omissions in a “series of related matters or transactions”. It held that the word “related” implies that there
is inter-connection between matters and the matters must in some way fit together (for more information on
this decision, see Legal update, Supreme Court rejects intrinsic connection test for the purposes of aggregation,
see also Scott v Copenhagen Reinsurance Co (UK) Ltd [2003] Lloyd’s Rep IR 696. For information on typical
aggregation language and how it is interpreted by the courts, see Article, COVID-19: Aggregation in insurance
and reinsurance).

HANDLING CLAIMS

The claims handling capabilities of insurers vary significantly depending on how much experience the claims
handlers have of cyber incidents rather than of more traditional insurance claims. Calculating cyber claims
is generally complex and claims handlers need to understand the complexities of the particular cyber-attack
and the technology behind it and determine whether coverage is available under the policy. Price is therefore
only one of several factors that need to be considered when purchasing cyber insurance. Other factors include
the insurers’ financial resilience and, particularly, the breadth of insurance cover and efficacy of claims
response.

Typically, insurers will authorise any expenditure incurred to investigate a cyber incident and repair any damage,
subject to the provision to insurers of information relating to the cause and extent of the incident. It is not unusual
for insurers to reserve their right to deny coverage until the relevant information is provided.

14 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

ARRANGING COVER

Before an insurer is prepared to cover cyber risks, they will need to conduct due diligence on the insured’s business
and the relevant business sector and regulatory environment for that sector or geography.

The insurer may therefore require the following information from the insured, for the purposes of pricing the insurance:

• Number of personal data records stored.

• How long personal data records are stored.

• The nature of personal data records (for example, any health records or sensitive information).

• Revenues (relevant to assessing business interruption exposures).

• Estimated timelines for restoration of critical IT systems following outages.

• Copies of cyber security policies, governance and cyber incidence response and business continuity plans.

• An overview of cyber security controls including firewalls, anti-virus, intrusion detection, data loss prevention,
alert log monitoring and patching.

• An overview of protections for critical data and of systems segregation.

• Actions taken to mitigate the impact of business interruption (loss of critical systems) and loss of data
(for example, back-ups). Evidence of compliance with recognised information security standards (such as
ISO27001) or, if covered, Payment Card Industry Data Security Standards.

• Appointment of a Data Protection Officer (if relevant).

• Dependence on critical third parties for the continuity of IT services.

• Evidence of vulnerability testing.

• Declarations that the insured is not aware of any breaches or potential circumstances which may give rise to a
potential claim under the policy.

• Correspondence and reports regarding previous claims or incidents.

Information gathering is generally carried out via a proposal form. Cyber insurance proposal forms tend to be
longer and more involved than proposals for traditional insurances. Sometimes, for larger and less straightforward
risks, it may be preferable to give an underwriters’ presentation. In either event, follow-up questions from insurers
are likely. While non-binding indications of price and very rough indications may be obtainable from insurers
or brokers at a relatively early stage in the process, quotations of premium will only be forthcoming following
completion of the above information gathering exercise.

Merger and acquisition considerations

Acquisitions or mergers with other organisations can bring uncertainty in the level of cyber resilience and
unwanted legacy issues. Due diligence should extend to cyber risks. Many cyber insurance policies will provide for
acquired entities to automatically be added during the policy period, subject to detailed criteria concerning, for
example, the percentage revenues of the acquired entities in proportion to those of the insured.

For general information on addressing cyber risk in corporate transactions, see Article, Cybersecurity: considerations
for M&A practitioners.

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 15
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

RISK MANAGEMENT BY THE INSURED

In addition to purchasing cyber insurance, companies should also internally manage cyber risks. This will help
reduce the probability and impact of a potential cyber incident and may include:

• Appointing a Chief Information Security Officer at board level to ensure information security policy and issues
are dealt with at the highest level.

• Conducting penetration testing to test the insured’s security arrangements, identify vulnerabilities and suggest
improvements.

• Producing a cyber incident response plan which will provide certainty of procedures following an incident. This
will ensure effectiveness and consistency in the insured’s response to a cyber incident, in turn reducing any
financial and reputational impact.

• Complying with, or being certified to, certain industry, national or international cybersecurity standards,
including the International Organization for Standardization and the International Electrotechnical
Commission standards, or, in the UK, the government-backed Cyber Essentials certification which provides
evidence that the insured’s business complies with cyber best practice to insurers, customers and other
stakeholders. For further discussion on this topic, see Practice note, Cybersecurity in regulated sectors,
cybersecurity guidance and standards: Cybersecurity guidance and standards.

• Providing employees and other technology users with an up to date and accessible IT policy.

• Educating employees through regular IT and cyber security training to raise awareness of cyber risks and
incidents. This will assist in developing a culture where cyber security is everyone’s responsibility, rather than
simply an IT issue.

• Investing in and upgrading security equipment.

Effective risk management should also, of course, bring down the cost of insurance. Cyber insurance should form
part of an effective cyber risk management strategy, and not be seen as a substitute for such a strategy.

For further discussion on this topic, see Cybersecurity toolkit.

Issues facing insurers

One of the main issues facing insurers when deciding whether to accept the risk and on what terms, setting loss
reserves and forecasting their capital requirements is quantifying losses. Insurers will not generally know the
nature and scale of losses that could be caused by a cyber incident before underwriting; however, they must still
develop and price products. As cyber risks are evolving and are becoming more diverse, pricing cyber insurance
(based on the insurer’s exposure) is a difficult process. As a result, insurers may face difficulties in reducing their
exposure in the reinsurance market.

Aggregation risks are of particular concern to insurers (for example, if a particular infrastructure provider or IT
contractor were to experience disruption, how would that impact a particular industry sector or geography?).
Therefore, the imposition of infrastructure exclusions (see Typical exclusions).

With traditional lines of insurance revenue experiencing a degree of stagnation in recent years, insurers have
generally displayed a marked eagerness to develop their cyber books as a welcome new source of revenue. High
profile cyber incidents and a desire for normalisation in a maturing market mean that a relative hardening of the
cyber market, in other words an increase in premiums and the inclusion of terms in favour of insurers, is widely
expected.

16 Practical Law Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers.
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.
 ESSENTIAL CONTENT FROM PRACTICAL LAW

TIPS FOR MAXIMISING RECOVERIES

To maximise recoveries, when a cyber insurance policy is being negotiated or contemplated, the insured
should:

• Ensure that limits are adequate and retentions are sensible. Businesses should ask themselves
whether the cyber insurance is intended to cover relatively commonplace day-to-day incidents or,
more realistically, catastrophic losses or those impacting liquidity. An organisation should consider the
potential impact of cyber incidents and reach a decision as to how much cyber risk they are prepared to
retain (therefore determining how high a retention they are comfortable with). When choosing limits,
the available budget is of course likely to be a key determinant, as will any understanding as to what
similar businesses with a similar risk profile are purchasing. Some brokers can however assist with more
sophisticated risk quantification analytical tools, using a wealth of industry-relevant data to maximise
the value of the insurance program.

• Savings can potentially be achieved through prioritising different cyber coverages. If, for example, an
organisation’s bottom line will not be seriously impacted by an IT outage lasting several hours, but
they hold large numbers of personal data records on behalf of customers or employees, they should
prioritise data breach-related coverage (such as incident response, privacy liability and regulatory
cover) rather than business interruption cover. Sub-limiting the business interruption cover, or agreeing
a higher monetary or time retention, or, in extreme cases, discarding the business interruption cover
altogether, can lead to savings. Do not automatically equate cyber risks with cyber crime or other
malicious acts. Many organisations have been as much affected by accidental outages as by cyber-
attacks. Make sure you are clear about whether the cyber business interruption insurance you are
purchasing is triggered only by cyber-attacks or is also triggered by non-malicious “system failures”.

• Always consider the impact of third party system vulnerabilities. If an organisation is heavily dependent
on IT services available from third parties, and has little or no control over the cyber resilience of those
third parties, serious thought should be given to purchasing business interruption cover triggered by
third party IT outages (often known as outsource service provider, dependent business or contingent
business interruption cover).

• Avoid ambiguity and subjective language in the insured scope and exclusions which could result in
uninsurable loss.

• Be aware that not all cyber policies are equal: this line of insurance continues to evolve and there are
significant inconsistencies between different insurers’ products. Using a broker with thorough cyber
coverage expertise can make the difference between having an insurance claim paid or declined.

• Disclose any on-going or potential cyber incidents and risks to the insurers before inception of the policy.
Failing to disclose or concealing facts could negate cover for losses if the policy is governed by English law,
given the insured’s duty to make a fair presentation of the risk under the Insurance Act 2015.

• Be mindful of the policy exclusions as failing to understand how and in what situations the exclusions
may apply could exclude potential claims.

• When responding to a cyber incident, the insured should contact and engage insurers early in the process,
so clarity is provided on what is covered and the level of recoveries. This will encourage insurers to support
the insured through its response plan and potentially minimise coverage disputes in the future.

Reproduced from Practical Law Financial Institutions Sector with the permission of the publishers. Practical Law 17
For further information visit practicallaw.com or call 0345 600 9355. Copyright © 2020 Thomson Reuters (Professional) UK Limited. All Rights Reserved.