Cyber risks insurance: what does it do, what should you think about, and how far does it go? – Knowledge – Clayton Utz

Cyber risks insurance has some unique complexities, and careful consideration of those and how they interact with your needs and risks is needed in this evolving (and hard) insurance market.
Cyber insurance has been with us now for more than 20 years and is so front of mind these days, for most people and organisations, that it is easy to forget that it is still an emergent and evolving class of business. It’s also one of the fastest growing markets in the global insurance industry’s current business book – and the hardest of hard insurance markets and unlikely to soften any time soon.
A key cause of this has been the recent growth in so-called “double extortion”. In a traditional ransomware attack, criminals encrypt and copy a target company’s confidential data, then charge ransom for the encryption key. Criminals have now extended their model to charge another ransom for not publishing the sensitive information at large. Backup files are also often compromised by the activation of previously introduced malware at the same time as or immediately after the primary attack trigger.
That combination of fluid, evolving parameters, inventive criminals and a hard market makes assessing your particular needs from cyber risks insurance, and what you must consider, particularly challenging but not impossible. Here’s what you should be thinking about.
The first two questions are:
If the answer to the second question is “yes”, then unless you have a legal reason to have cyber risks insurance, it is not worth trying to insure against the risk in question and the money you would need to spend to do so could be better employed in mitigating it. Even if that answer is “no”, you will still have to make a commercial decision about the costs of the premium plus risk reduction measures, and whether they make the insurance uneconomical.
The recommended touchstone for evaluating a cyber insurance contract is that it provides business interruption coverage as wide as that available under first party property policies in cases of damage or disruption to a critical piece of insured property or business infrastructure owned by:
It is not necessary that the same policy language be used but from an accounting perspective, the basis of settlement needs to be similar.
Insurance contracts can vary widely even within line and business class, but most will have these main heads of coverage:
Each of these covers will usually have a separate insuring clause or sub-clause, along with its own suite of definitions, specific exclusions and operational requirements.
In practical terms there are two broad, recognised categories of Cyber insurance: Embedded Cyber and Standalone Cyber.
“Embedded Cyber” can refer simply to the extent to which coverage for communication, data-processing and storage-related losses may already be provided, intentionally, under a business’s property, liability and financial insurances (for example, the physical damage to computer hardware caused by a fire). But this only goes so far; if there’s no physical damage, it might not respond to losses caused by (for example) hacking.
By contrast, Standalone Cyber is the suite of dedicated insurance products which the industry has evolved, normally purchased as free-standing insurance products. Consistently with the insurance industry’s usual penchant for fostering confusion through loose usage of terminology, the adjective “embedded” can often be found applied to a “standalone” cyber cover insuring clause, which does not in fact stand alone but is packaged up with other line insuring clauses as part of a bundled contract. Either way, this will have two parts:
The critical thing is that insurer and Insured both understand and clearly agree just what types of events and losses are being covered under the cyber insuring clause, for what amount(s) and on what terms, and therefore are presumptively excluded from all the other heads of cover. A vital consideration is the policy’s definition of Computer Systems – whether it extends to personal electronic devices of the Insured’s employees or contractors used in connection with the business, and cloud servers not actually owned or leased by the Insured.
A common feature of insurance contracts generally has some complexities in a cyber context: “risk mitigation terms”. These, assuming they are complied with, presumptively diminish the probability and/or magnitude of covered losses. They may be expressed as so-called “conditions precedent” or “warranties”, purporting to mean that if they are not complied with by the policyholder, the insurer may refuse a claim outright, regardless of whether the failure had any effect on the likelihood or magnitude of a loss.
There are some complex issues with how these can play out which are beyond the scope of this article, but given the importance of risk mitigation obligations especially in cyber class policies, it is likely that as the market hardens insurers will try to exclude, to the fullest extent legally possible, any statutory provisions which might diminish their effectiveness. Insureds will be well advised to proceed, therefore, on the assumption that all of the cyber risk mitigation measures which they are required by the policy to have and maintain over the period of insurance constitute fully enforceable obligations, breach of which may compromise their insurance coverage and/or ability to recover a claim in addition to any other consequences it may have.
The policy’s definition of “business interruption loss” should encompass revenue lost due to the breach, fixed costs to the extent they are not abrogated as a result of it, the forensic costs of restoring full productivity and any additional operating expenses imposed as a result. As indicated above, the method of calculation of income lost due to the breach is critical.
In addition to the usual range of exclusions found in most insurance contracts, there are some exclusions commonly found on cyber policies that appear to be specific to the class:
The importance of cyber risks insurance, and its value when carefully chosen and negotiated, has never been greater. If you are considering cyber risks insurance, that will require serious consideration of your needs and risks before you go to market. This high-level list of factors will at least help you understand the basic features of the cyber risks landscape before you do.
Want to dig deeper? We’ll explore each of these issues in depth in a series on cyber risks insurance.