I recently went to a seminar hosted by the law firm Clyde & Co with this title. Although the question is aimed at insurers, it could equally be rephrased as “Will Your Financial Institutions’ Insurance Policy Pay out on a Cyber Claim?”
Judging by the fact that there was standing room only, it seems that, either way, there is plenty of appetite for the answer to this question. Indeed I suspect this is one of the more challenging areas of insurance coverage in the market today. The underlying risks are constantly changing, whilst the insurance protections do not (and cannot) evolve at anything like the same rate. This means that there is plenty of scope for unintended consequences and coverage disputes. That may be good news for the lawyers but less good news for everyone else.
One thing which is clear is that the problem is growing. The number of data breaches reported to the UK’s Information Commissioner’s Office has risen from 79 incidents reported in 2007-2008 to 723 incidents reported in the first half of 2013-2014.
In the US, where the reporting of data breaches is mandatory, the number of breaches is routinely measured in the hundreds of millions. Identity theft cost Americans US$24.7 billion during 2012, which is US$10 billion more than all other property crimes combined. Whilst there is a growing black market for stolen customer information, by no means all such thefts occur as a result of malicious attacks. (For more statistics and information involving financial institutions, here are the Clyde and Co slides: Is Your Financial Institutions’ Insurance Policy Vulnerable to a Cyber Claim?)
It seems that human errors or systems errors, such as loss of unencrypted portable devices, stray emails and technical security failures, constitute the single biggest cause of data breaches. That is not to say that cyber-attacks through “malware”, phishing scams etc. are not also a growing problem.
Threshold Coverage Issues
That reality alone gives rise to some interesting threshold coverage issues. Insurers tend to start from the premise that they are prepared to cover at least some of the financial consequences of a crime perpetrated on an insured. Perhaps understandably, they are much less enthusiastic about offering insurance protection for losses resulting directly from human or systems errors of the insured themselves. The trouble is that an insurance claim may and often does contain elements both of dishonesty and human error.
Let’s take a simple example. Those of us who play Monopoly may remember that one of the “Chance” or “Community Chest” cards reads “Bank error in your favour: collect £200”. Taking this at face value, let’s assume the bank error is a systems or human failure which would not be covered under an insurance policy. The bank may still try to present a claim to its insurers if you collect the £200 (on passing “GO”) but refuse to return it. The bank would say they have been the victim of your dishonest act in not returning it. The question is whether your “collection” (and implicit refusal to return the £200) does or does not represent a “crime” which your insurers would be prepared to cover.
Of course the facts are often much more complex than this. The nature and size of systems or human errors, the types of dishonesty and the numbers of companies and individuals affected make financial institutions’ claims some of the most complex in the market. When one adds in the fact that computer technology underpins most financial transactions, it is not hard to see why there is cause for concern.
What’s more, this question as to the direct cause of the loss is just one of several threshold questions to which claims for losses under insurance policies in this space often give rise. It would take a book rather than a blog to do justice to that topic in full, let alone to consider the D&O implications of these exposures.
Where These Problems Come From
Perhaps part of the problem here is that the insurance industry often starts with the twin questions:
- What is our appetite for risk?
- How can we fit that appetite into the straitjacket of an existing class or line of insurance?
That approach often breeds complexity.
An obvious example is the tendency to mix cover for legal liability with cover for first-party loss. Even D&O cover is not immune from a blended approach with some policies offering entity cover as well as cover for claims against directors.
Cyber Coverage Cafeteria
One approach which may at least point a way through this forest of complexity might instead be to ask what type of cyber claim a financial institution might want insurance protection for and go from there. Here are some obvious categories:
- Cover for regulatory investigations and proceedings
- Notification and reporting costs
- Third-party civil liability for data breaches (including shareholders and employees)
- Losses sustained as a result of criminal activity
- Business interruption in the event of major systems failure
- Reputational damage
- Personal liability protection for senior officers
Of course the nature, extent and cost of each of these insurance protections will vary considerably, but if there is at least clarity as to what is on a particular client’s shopping list at the start of a negotiation (and that will vary widely according to trading jurisdiction and sector), there is a better chance of narrowing the expectation gap.