Businesses will face new disclosure challenges when seeking cyber risk cover under the Insurance Act, say experts

Out-Law Analysis | 18 May 2016 | 2:41 pm

FOCUS: Businesses will face new disclosure challenges when seeking cyber risk insurance cover in the UK under the Insurance Act, which comes into force this summer.

The Act will place businesses seeking insurance cover under a new duty of fair presentation. In practice the duty will toughen the demands on insured companies to identify the risks they face and communicate them clearly to insurers before an insurance contract is signed.

Adhering to the new duty when seeking cyber risk cover will present particular challenges for businesses, given the complex nature of the threats they face to the security and integrity of their systems and data, and the difficulties that can exist in identifying technical IT issues and translating them for underwriters.

Failing to prepare to meet those challenges, however, could result in insured businesses having gaps in their cyber risk insurance coverage or facing higher premiums and amended terms to their insurance contracts. In the extreme it could mean loss of cover altogether.

The Insurance Act 2015

The new Insurance Act passed into UK law in February 2015 with an 18-month period of transition prior to its provisions taking effect. The Act will apply from 12 August this year.

Whilst most of the new provisions are insured-friendly, one of the main changes the Act will deliver is placing insured businesses under a new ‘duty of fair presentation’.

When the Act comes into force, before entering into a contract of insurance, insured organisations will be required to disclose either every matter which they know, or ought to know, would influence the judgement of an insurer in deciding whether to insure the risk and on what terms; or sufficient information to put an insurer on notice that it needs to make further enquiries about potentially material circumstances.

Insured organisations will be presumed to know or expected to know matters that could be expected to be revealed by a reasonable search of information available to them, as well as anything known by a person responsible for their insurance, such as a broker.

In addition, they will be considered to know anything known by anyone who is part of the organisation’s senior management or who is responsible for their insurance.

Under the Act, disclosure must be made in a reasonably clear and accessible manner, material representations of fact must be ‘substantially correct’ and material representations of expectation or belief must be made in ‘good faith’. One consequence of the changes is that insured businesses will no longer be able to 'data dump' information on insurers.

Cyber risk insurance and the Act

Cyber risk was recently described as "a clear and present danger" by the Bank of England's chief information security officer. The risk of cyber attacks is also being increasingly recognised by businesses, with cyber security rated a "high priority area" for 90% of large businesses in the UK, according to a recent UK government study.

One of the steps businesses can take to address cyber risk is to buy cyber insurance. Recent studies show that a growing number of businesses are purchasing cyber risk cover either via general insurance policies or through dedicated data breach or cyber insurance products, which are becoming increasingly popular. Reforms to EU data protection laws are expected to spur growth in the sale of cyber insurance in the coming years and insurance industry body the ABI has predicted that cyber insurance products will become "as common a purchase for UK businesses as property insurance" by 2025.

Under current UK insurance rules businesses seeking insurance coverage of any kind, including cyber risk cover, are required to disclose every circumstance that they know, or ought to know, which would influence an insurer in fixing a premium or deciding whether to underwrite a risk. This requires insured organisations to predict, without much guidance, what factors a hypothetical prudent insurer would be influenced by.

The new duty of fair presentation under the new Insurance Act will similarly require cyber risks to be disclosed to insurance companies by businesses seeking insurance cover for those risks. However, the new obligations raise questions about how businesses can identify and translate technical IT issues into statements underwriters can comprehend.

There's also a question about how broad 'cyber' is and to what extent businesses will need to disclose every possible threat they face and vulnerability they have to meet the 'fair presentation' duty.

It will be important for businesses to make proper enquiries of staff, including both internal IT and IT security teams, together with any retained external IT consultants, as to the material facts they need to know about the risks present which will need to be disclosed to insurers under the Act.

A number of new proportional remedies are open to insurers under the Insurance Act should businesses seeking insurance fail to observe the fair presentation duty.

In cases where there is a deliberate or reckless breach of the duty, insurers will still have a right to cancel the contract and refuse all claims.

If a breach is neither deliberate nor reckless, but insurers can show that they would not have written the risk at all had they had the relevant information, then insurers could still be entitled to terminate the insurance contract and refuse claims. If the right to terminate is not triggered under the Act, insurers may nevertheless have a right to revise the terms of the insurance contract or reduce the amount they pay out in respect of any claim to reflect a business's failure to meet its fair presentation duty.

In practice it might be expected that insurers and the businesses they insure would renegotiate many contracts if there is a dispute over whether the fair presentation duty has been adhered to.

The provisions, however, highlight the potential consequences facing businesses if they fail to enhance their understanding of cyber risk and articulate the risks they face clearly.

Nick Bradley and Ian Birdsey are experts in cyber risk and insurance law at Pinsent Masons, the law firm behind