Intuitive Insurance Articles

Untangling Cyber Liability Insurance

As we delve deeper into the digital age, cyber risks are an increasingly important consideration for risk managers and company boards.

Previously, it was widely assumed cyber risks only existed for companies selling online. Nowadays, with a more onerous and volatile regulatory landscape (particularly the ever-changing privacy laws), more sophisticated hackers and changes in our use of technology, a data breach could have a severe impact on all companies, whether they sell online or not. All firms now need to identify and assess their potential cyber exposures and develop strategic ways to manage these, which could include a cyber-insurance policy.

For those who currently purchase, or are looking to purchase cyber liability insurance, it is essential decision makers understand the type of risks these policies are designed to cover. Cyber liability insurance policies can offer a cost-effective solution to fill gaps that exist between a company’s current standard insurance coverage and their cyber activity. However, the insurance market for cyber risks, despite being around for more than 10 years, is very much in its infancy. The variation between one product and the next can be huge and there is no standard cyber liability policy form.

Below is an overview of the types of cover available. It aims to help companies decide which areas of cover they should transfer to insurance, identify the differences between the various products, and work out what could potentially suit their business.

Cyber Liability

Provides cover for financial loss suffered by a third party that arises directly from:

  • A hacking attack or virus that has emanated from or passed through either your computer systems or a cloud computing provider’s system.
  • The inability to access either your system or a cloud computing provider’s system due to failure or impairment resulting from a hacking attack or virus.
  • Loss or theft of your data (including data held by a cloud computing provider), or data for which you are responsible, arising directly from a hacking attack or virus.

Privacy Liability

Privacy Liability arises from the failure to prevent unauthorised access to private, confidential information contained on a company’s computer system or the accidental loss of personal data in its possession for which it is responsible. Insurance policies in this area cover losses arising from either malicious attacks or accidental data loss or leaks and are generally applied to both electronic as well as physical assets.

This cover can be important as accidental data loss is often a larger exposure than one might initially expect. Consider, for example, the loss of a mobile device without appropriate security. This device could provide an unauthorised person with access to sensitive emails, cloud data storage, and other company or third party data.

It is important to note even if you outsource services involving your data, for example, to a payment processor, you are still responsible and would carry vicarious liability for any breaches. Often the indemnity provided by the supplier is limited to the value of fees paid.

It is also common for policies to cover costs associated with investigation, regulatory fines and penalties, as well as contractual obligations. Privacy laws are constantly changing and the fines and penalties able to be imposed are ever-increasing. For example, under the Australian Privacy Amendment Act which will come into force March 2014, the maximum penalty is $1.1 million for serious or repeated breaches by organisations.

Breach Notification and Remediation Costs

As privacy laws evolve and become more robust, more and more jurisdictions are including mandatory breach notification requirements. The costs of notifying customers of a potential release of personal information could be hefty and so cyber insurance policies have been designed to cover these expenses.

Coverage can also include other remediation or mitigation costs, such as the provision of credit-monitoring services to customers or impacted third parties, public relations and issues/crisis management expenses. Protecting the company’s brand reputation is an important element as an erosion of customer confidence and trust could lead to a significant reduction in revenue.

System Damage and Business Interruption

System damage provides cover for the cost of restoring or recreating data that is corrupted or destroyed as a result of a cyber-peril. A cyber-peril is generally defined as a hacking attack, virus, or malicious damage by an employee. Some policies may also extend to cover costs resulting from a cloud computing provider’s failure or impairment due to a cyber-peril.

Insurers also offer business interruption cover following system damage, either as an add-on or as an integrated section of their cyber policies. It is frequently assumed system damage only impacts e-commerce businesses transacting online. However, with companies increasingly relying on systems and data to run their business and transact, any loss of vital business records or system downtime would have a significant impact on any business. If the system were hacked, or hit by a computer virus or a denial-of-service attack, the business could suffer a loss of revenue during this period.

Cyber Crime

Digital or cyber-crime is the greatest and fastest-growing type of crime in the world – and enforcement agencies are losing the battle! It can take many forms, from criminals attempting to obtain money or information and employees who may have malicious intent, to competitors seeking to gain advantage or hackers who see a cyber-attack as a challenge or who attack companies for ideological reasons.

Cyber insurance can protect organisations from some of the first party exposures resulting from cyber-crime. This could be an e-theft loss, which is direct financial loss due to the fraudulent input of data into or through a computer system or network. Coverage may also extend to direct financial loss due to extortion relating to ransoming of hacked systems.

Multimedia and Content Liability

This type of policy provides coverage for defamation, intellectual property rights infringement (such as trademark or copyright breaches) and/or other content liability arising from content created or disseminated by you or on your behalf or content for which you are deemed responsible. For example, this could include user-generated content disseminated through a social network.

Cyber-insurance is not designed to be a replacement for security standards. In fact, coverage would be far too expensive and difficult to obtain if there were no company data policies and other security measures in place.

While cyber-insurance can play an important role, organisations should remain cautious and be aware of what their insurance policy protects and what it does not. Cyber-insurance is intended to help an organisation recover from an unexpected event but not a catastrophe.

When considering a cyber liability insurance policy, it is important to understand not only the breadth of cover available, but also the company’s vulnerability to a cyber-attack and the potential consequences of such an event. This will help determine the balance between the risk the company is prepared to take and the cost of protecting it from cyber-attack. At minimum, companies should obtain quotes to inform their risk-benefit analysis.

The general consensus is that stand-alone policies offer the broadest cover, so it is important to be wary of cyber liability insurance as an add-on to other policies. These types of policies often provide low limits, bare-bones cover, and may be through an insurer with limited experience and an untested claims response.

If you would like more information, please drop us a comment, email or call Intuitive on (02) 9493 6111. We’d love to hear from you.


2 Comments

  1. August 13, 2013

    Shane,
    Very interesting post – this is a critical business issue that isn’t getting a lot of Board or CEO time at the moment – despite clear acknowledgement of the risks.

    One question I had which you might consider addressing – to what extent will insurance providers reward customers with better coverage or lower premiums if the customer can demonstrate a comprehensive governance approach to managing these risks?

    cheers Mark

    • Shane Thaw
      August 13, 2013

      Hi Mark,

      Thanks for your feedback.

      Insurers’ application forms for this type of policy will ask general questions regarding the customers’ current management of their cyber exposures. For example, the application may include questions concerning the customer’s security measures, policies and procedures, whether explicit consent is obtained before sharing or selling identifiable data and if written warranties pertaining to originality of content, accuracy of content as well as authenticity of source are sought where content is supplied by a third party.

      These questions aim to provide enough information for the insurer to feel comfortable writing the risk, without being all-encompassing or specific to any individual company. Where a customer has comprehensive governance and controls in place already, it is the role of the broker to highlight these measures and negotiate the best deal possible (both in terms of price and coverage). Whilst a better insurance deal shouldn’t be the primary motivation (security should be first and foremost), good governance can certainly have an impact on the level of cover and the premium charged.

      Cheers,
      Shane
