With cyber policy sales slow, companies are turning to D&O cover says expert

Out-Law Analysis | 02 Mar 2015 | 3:44 pm | 4 min. read

FOCUS: Cyber attacks can be devastating, eroding consumer trust, damaging a business's brand and saddling companies with significant fines and exposure to lawsuits. Yet a predicted boom in cyber risk insurance has not as yet materialised.

Where there is a lack of cover, companies are looking to their existing policies to identify where uninsured cyber losses may be covered.

Cyber risk policies have been around since the 1990s, but the need to take out specific cover has gained more attention in the wake of high-profile incidents like those suffered by Sony Pictures last year and US retailer Target in 2013. A $1bn virus attack on over 100 banks publicised last month will focus minds further.

Cyber insurance is needed to cover both first-party and third-party losses. First-party cover should extend to everything from loss of or damage to the company's digital assets, to business interruption from network failure, to loss of reputation and customers as a result of a cyber-attack or data breach.

Third-party losses include the cost of compensating any customers or anyone else who incurs loss as a result of a breach, as well as any resulting litigation. Insurers are increasingly refining coverage limits as well as the specifics of what will be covered when a breach occurs and a firm has to notify all those affected. The numbers can be huge – 120 million customers of Target had to be notified, with potentially 40 million of those requiring ongoing credit monitoring.

Companies that suffer losses are increasingly looking to D&O policies to cover uninsured losses. The trend is most visible in the US but is likely to extend to the UK.

Where allegations of poor cyber risk management are made, traditional side A cover (for losses that the director's company cannot or will not indemnify) will be affected, as will side B cover (for companies when they do indemnify their directors). However, the biggest impact will be on side C cover, or entity cover, which covers the company's own liabilities as a legal entity. It is this part of a policy that contains the biggest scope for D&O insurers to pick up third-party cyber losses where the company itself is targeted over a breach.

Despite this, D&O cover will not insulate a business from all cyber losses. D&O policies contain exclusions, such as contractual liability exclusions, which exclude loss based on, arising from, or in consequence of any actual or alleged liability assumed under any written or oral contract or agreement. This may prevent the recovery of certain losses.

Companies should be assessing the risks posed by third parties who have access to a business's customer data. A NetDiligence survey found that 20% of all data breaches occurred at third-party vendors. Sound business practice might be to insist that all third parties have their own cyber insurance in place. At the very least, a company should examine the contractual liability clauses in contracts with its third parties to make sure it is not exposed.

Headline-grabbing attacks have not led to as much growth in the sales of cyber risk insurance as predicted, but they should prompt all companies to take cyber risk seriously.

The UK Department for Business, Innovation and Skills (BIS) said last year that 81% of large organisations and 61% of small and medium-sized enterprises experienced a security breach in 2013. The average resulting cost for SMEs was between £65,000 and £115,000, while for larger businesses it ranged from £600,000 to £1.5 million.

Regulators are paying more attention than ever. In the UK, the Information Commissioner's Office and the Financial Conduct Authority have responded to the threat by issuing fines, bringing financial penalties and unwelcome attention to organisations including the British Pregnancy Advice Service, Royal Bank of Scotland, NHS trusts and local authorities.

There is evidence that companies are taking cyber risk seriously. According to Allianz Global Corporate and Specialty's 2015 Risk Barometer, cyber crime and data loss is now the fourth biggest concern for businesses operating in the Americas, up from eighth in 2014. In Europe, the Middle East and Africa, it has jumped from ninth to fifth spot on the risk list.

All boards should be discussing cyber risks on a regular basis. A dedicated cyber risk sub-committee is a good idea and a board might even want to consider bringing in an independent security expert to provide a different perspective on the cyber risks facing the company.

One major advantage of putting in place a sound cyber plan is that it can help when defending court action. In a US case, shareholders sued the directors of hotel group Wyndham after a data breach exposed the personal information of 600,000 of its guests. The court dismissed the claim in part because Wyndham's board had discussed cyber-attacks at 14 separate meetings during the period covered by the lawsuit, thereby demonstrating due diligence.

When designing cyber security plans, businesses should take advantage of the cyber security best practice protocol published by the US National Institute of Standards and Technology and the UK government department BIS's 'Cyber Essentials' scheme.

These schemes, which set national best practice for businesses tackling cyber risk, are increasingly being incorporated by the insurance industry into policy wordings: in particular with regard to what is reasonable behaviour by a company when protecting itself from attack.

It is possible that some cyber risk will be covered under a commercial general liability (CGL) policy, but whether a CGL policy will pay out is far from certain and depends on both jurisdiction and policy wording. The US Insurance Services Office, an insurance industry organisation which develops standard insurance forms, introduced a number of data breach exclusion clauses in April 2014, which will further limit cover for cyber loss on CGL policies.

As part of a cyber risk plan, companies should consider putting cyber-specific insurance in place. It should cover the two main kinds of cyber incident: cyber attacks, where systems are disabled or used for malicious purposes, and data breaches, where data is stolen by attackers or exposed when an employee loses a phone, computer, file or password.

Cover for notification and redress programmes, as well as for regulatory investigations and fines, is standard on cyber risk insurance policies.

Chamika Hand is an insurance expert at Pinsent Masons, the law firm behind Out-Law.com