INSIGHT

Backing up the backups - a practical guide to cyber insurance

By Gavin Smith, Valeska Bloch

In brief

A common complaint from industry is that cyber insurance products are complicated, unclear, difficult to compare and have carve-outs that you could drive a monster truck through. The cyber insurance market in Australia is advancing rapidly but is still immature compared with such jurisdictions as the US. But times are a-changing – we have already seen a significant increase in the number of breaches reported in Australia since the notifiable data breaches scheme took effect in February this year, some consolidation of insurance policies and increased adoption of them. This guide explains cyber insurance – what it is, what it covers, common limits and exclusions – and how to work out whether cyber insurance is right for you. We also provide some tips for dealing with your insurer post breach.

Key takeaways

Some predictions
  • The introduction of mandatory data breach notification requirements will increase the amount of available data on breaches and prompt the disclosure by affected companies of additional information in financial reports.
  • The ability to capture, and model scenarios around, this data, as well as data from claims experiences on cyber insurance policies written to date, will lead to further refinement in cyber insurance products and may also impact upon pricing.
  • Companies will demand more comprehensive coverage to account for a broader spectrum of cyber-related exposures, and insurers will start explicitly excluding coverage for these exposures in other business policies.[1]
  • We will see increased adoption of cyber insurance, especially as businesses and government agencies increasingly require that their vendors take out such insurance. We will also see increased claims on cyber insurance policies.

Cyber insurance should be a product of last resort – it is no substitute for good risk management

Cyber insurance might not cover cyber incidents where no precautionary measures were taken, and might not cover all the costs of a data breach. Lloyd's recently modelled a malicious attack on a cloud service provider as resulting in approximately US$4.6 billion (for a large event) to US$53.1 billion (for an extreme event) worth of potential economic losses.[2] In these scenarios, Lloyd's estimated that insured losses would range from US$620 million (for a large loss) to US$8.1 billion (for an extreme loss), representing an insurance gap of US$4 billion (for a large loss) and US$45 billion (for an extreme loss).[3]

How to select a cyber insurance policy
  • Focus on the potential impact of the breach on your business (including its systems and operations), rather than the potential types of attack that it may face. Understanding your specific risk exposure and the potential consequences for your business (as opposed to purchasing insurance reactively, based on a particular cyber event) is critical.
  • Make sure your insurance product is fit for purpose.
  • Understand precisely what first-party losses and third-party liabilities the policy covers, as well as the limits and exclusions.
  • Explore these issues in detail with your insurance broker.

Help your insurer by helping yourself

In making their risk assessments, underwriters will look at a range of information about your business, including the amount and type of data stored and the security measures (including IT security spend) employed to protect it. Underwriters will also look at where your data is held, your security measures, your contracting arrangements with third parties, your organisation's cyber-awareness culture, your testing regime and details of any prior data breaches. However, any organisation with cyber-related exposure should be performing this analysis regardless of whether it is taking out insurance, in order to inform itself of its own risk – particularly when even the broadest cyber insurance policies will not cover you for all losses that might be sustained as a result of a data breach-type incident.

Know the conditions of your insurance policy

Many policies require that you notify your insurer as soon as practicable after you become aware of a cyber breach, even if no loss has been suffered. Some cyber security insurers are not obliged to pay out under the policy if they were not promptly notified of the breach. Be aware of key exclusions, and the types of costs and expenses that the policy covers.

Be prepared in the event of a data breach

Gather the facts and document the steps you took in response – insurers will likely require this information to work out whether cover is available under your policy. Before providing a document to your insurer, ask yourself, 'Is this privileged? Will this disclosure waive legal privilege?', and seek legal advice as necessary.

What is cyber insurance?

Cyber insurance is designed to help organisations manage their risk exposure by offsetting the recovery costs relating to a cyber security breach or similar event.[4] The global market is growing rapidly, with Allianz predicting growth in global premiums from around $2–3 billion in 2017 to $20 billion by 2025.[5] In the Australian market, the Insurance Council of Australia has identified cyber insurance as the 'fastest growing commercial segment'.[6]

What does it cover?

Cyber insurance can cover both first-party losses and third-party liabilities that an organisation incurs as a result of a cyber-breach.

First-party losses

First-party losses can include:

  • business interruption losses, including due to a network or system shutdown, or a 'denial of service' attack;
  • the cost of undertaking forensic investigations in order to identify what happened, the source of a cyber attack, the extent of the damage or risk, and how to contain, mitigate and repair the damage;
  • obtaining professional (legal, PR and IT forensics) advice, including coordination with law enforcement;
  • costs associated with notifying individuals affected by a data breach, and complying with regulatory requirements, such as the notifiable data breaches scheme;[7]
  • credit monitoring services for affected, or potentially affected, individuals;
  • extortion costs, such as paying ransoms to hackers in order to return, unlock or 'un-corrupt' valuable company data;
  • reputational damage and the costs of managing a reputational crisis;
  • loss of data and the costs of rectifying harm done, repairing and restoring systems that have been damaged by malicious acts, and re-creating lost intellectual property; and
  • the costs of improving cyber security, in order to prevent or minimise the risk of future breaches.

Third-party liabilities

Third-party liabilities can include:

  • liability in negligence or contract for failing to properly protect personal (eg customers') information against cyber attacks or misuse;
  • liability for misleading or deceptive conduct that may arise out of a failure to comply with the company's own privacy policy or other statements or notices;
  • fines imposed, or sought, by regulators (eg the OAIC or ASIC) on companies or individual directors; and
  • claims by third parties arising from failure to disclose market-sensitive cyber-risk information in prospectuses or disclosure documents, or failure to comply with continuous disclosure obligations (relevant to listed companies).

Common limits and exclusions

Be aware that cyber insurance policies may contain limits that might restrict the utility of the policy for your organisation, including:

  • territorial limits: claims, liabilities, losses or costs arising from acts committed outside the specified territories may be excluded;
  • jurisdictional limits: claims first brought in a court outside the specified jurisdiction may be excluded; and
  • retroactive date limits: some policies may limit coverage to insured events first committed on or after a particular date – and not provide cover for events that occurred before that date, even if they were not known to you.

Cyber insurance typically excludes bodily injury or property damage; dishonest, fraudulent, criminal or reckless acts; and existing claims.

Understanding risk

To understand your organisation's risk profile, potential loss and whether cyber insurance is a viable method of mitigating these risks and losses, ask yourself:

  • What types of data does your organisation collect?
  • How is that data used and stored? Where is it stored?
  • What security measures does your organisation take to protect this data? Some insurers require an organisation to meet minimum security standards before they can qualify for cover. Other insurers may require the organisation to comply with ongoing audit and compliance obligations, to ensure that the policy remains current.
  • What would the potential business consequences be if this data were compromised?
  • To what extent are privacy awareness and compliance part of your organisation's overall risk-management framework?
  • What are the terms of your contractual arrangements with third parties who have access to this data? (Please see our article 'How to create a cyber resilient supply chain'.)

Are you already covered?

It is important to remember that cyber insurance is evolving as insurers seek to understand better the risk and financial impact of cyber attacks on businesses globally.[8] Companies will demand more comprehensive coverage to account for a broader spectrum of cyber-related exposures.

Does your organisation already have some form of cyber insurance cover, whether as a standalone policy, bundled in with other policies or covered by existing policies?

An organisation's typical suite of insurance policies (eg commercial crime insurance and business interruption insurance) may, between them, cover losses or liabilities flowing from a data breach; however, not all loss and/or liability will be covered. (For more on identifying the gaps, please see our paper 'Insuring against cyber-risks: a changing landscape'.) This exercise of gap identification is especially important given that insurers may start to explicitly exclude coverage for cyber-related exposures in other business policies.

If you are not sure whether cyber insurance is suitable for your organisation, it may be worth speaking to an insurance broker who is familiar with cyber risk and understands the specific cyber-risk exposures your organisation's industry faces.

Tips for dealing with your insurer post breach

  • Know your policy. Read the policy carefully. If you do not understand any of it, discuss it with your broker, or with your lawyers. Make sure that you understand precisely what it does and does not cover.
  • Notify your insurer promptly after you become aware of a data breach even if you have not yet suffered any loss. It is important to notify your insurer of a cyber breach, even if at the time of the breach you haven't suffered any loss, or think you are unlikely to suffer any loss. Notifying insurers of circumstances that might subsequently give rise to a claim can be important, in order to protect your rights in the event a claim arises out of those circumstances. Often, events that appear innocuous at the time can have unpredictable outcomes. Failing to notify insurers of those circumstances might prevent you from pursuing a claim if one does later arise. Insurers may also require that other parties be notified (eg law enforcement agencies) where other elements, such as cyber extortion, are involved.
  • Keep a running log of factual events that constitute the data breach and the steps you have taken in response. Insurers will likely require details of the facts (so far as they are known) in order to determine whether cover is available under your policy. They may also request a range of records. On learning of a breach, you should be prepared to gather this information.
  • Be mindful of protecting privilege over documents that must be shared with your insurer under the terms of your policy. Insurers may request privileged documents (such as legal advice) to assist them in investigating claims. It is important to understand whether disclosure of a legally privileged document to your insurer will waive that privilege. In some circumstances (eg where the insurer has confirmed indemnity), you and the insurer may share a common interest, so privilege may not be waived on sharing privileged communications with your insurer. We recommend that you seek legal advice before disclosing any privileged documents to your insurer.
  • Check your policy before incurring any expenses. Some insurers may require you to obtain their consent in general before incurring any expense (except eg where this is at your own cost).

For more on the state of the Australian cyber insurance market, the challenges of understanding cyber risk, and why responsibility for cyber security should rest with boards, listen to Valeska Bloch's interview with the General Representative in Australia of Lloyd's, Chris MacKinnon.

Footnotes

  1. For information on the background in which cyber insurance is playing out, see Aon Australia, 'Advanced Risk Conference: New World Disorder' (October, 2017) 7.
  2. Costs will be higher or lower, depending on factors such as the organisations involved and the length of the cloud-service disruption: Lloyd's, 'Counting the Cost: Cyber Exposure Decoded' (Emerging Risks Report 2017) 7.
  3. Lloyd's, 'Counting the Cost: Cyber Exposure Decoded' (Emerging Risks Report 2017) 7.
  4. See eg Kim Lindros and Ed Tittel, 'What is Cyber Insurance and Why You Need It' (CIO, 4 May 2016).
  5. Aon Insurance, 'Cyber Insurance Market Update' (2017), 1, citing Allianz.
  6. PwC, 'Insurance Facts and Figures: Australia' (2017) 3.
  7. For more information on the notifiable data breaches scheme introduced in February 2018, see our articles in the February edition of Pulse.
  8. See eg Kim Lindros and Ed Tittel, 'What is Cyber Insurance and Why You Need It' (CIO, 4 May 2016).