The rise of civil liability cover

Quite often, when underwriters have the foresight to develop products to address new risks, that foresight is not reflected in the take-up of those products. Fundamental misunderstandings of the risks and the mentality of “it won’t happen to us” (particularly with regard to products such as unauthorised trading policies) mean that the take-up of new products is often slow.

It is in the modern electronic communication environment in which we now exist that underwriters with the necessary vision have sought to develop products to address actual or perceived risks. And it is now, as the risks find their way into the marketplace, that companies are looking at how to understand and manage the risks and allocate them between themselves and Underwriters.

Given that many companies now grow their businesses online (it has been predicted that by this year the number of online banking transactions will be in the region of 31 billion), any hiatus in communications with their clients can have serious reputational and financial consequences.

Coverages

So what generic coverages have underwriters addressed, and how do these “map” into the current risk environment? Underwriters offer a number of coverages (often bundled together as a “modular” product, i.e. the insured chooses what coverages it wishes to purchase) ranging from first party to third party covers, with significant cover for expenses of varying kinds:

  • Accidental damage or destruction e.g. physical damage to electronic media or power supply failure
  • Negligent maintenance of systems or inputting of data/loss of data
  • Breaches of security (including dealing with the aftermath, PR and advertising) (the loss of laptops and memory sticks has been a constant issue over the past decade)
  • Security breaches (which can encompass computer crime and computer attacks e.g. unauthorised access; denial of service; malicious codes).
  • Release of employee(s) information
  • Defamation (email and website)
  • Cyber extortion (for example from disgruntled employees and the failure to clean hard drives which inevitably fall into the “wrong hands”) and terrorism coverage (e.g. loss of income and business interruption expenses)
  • Breach of confidentiality
  • Copyright infringement
  • Computer viruses and negligent transmission of viruses
  • Loss control services

As can be seen, the coverages run the full spectrum of potential risks and tend to fill the gaps between general liability policies and the more traditional covers such as bankers blanket bond (or commercial crime), property, computer crime (although there are Internet Banking endorsements, e.g. NMA 2856) and professional indemnity (or civil liability). It is fair to say that these coverages, whilst representing a cross-section of potential indemnities, are not common to all cyber liability policies.

Further, much of the coverage is directed at “electronic damage” (such as the transmission of viruses), damage (e.g. defamation), criminal rewards, expenses (such as reconstitution), loss of income, public relations (i.e. for more intangible losses e.g. goodwill and reputation) and business interruption.

The value of established policies has already been reflected in cases where credit card details have been hacked (or laptops lost) and abused for financial gain (e.g. bankers blanket bonds; computer crime). But until cyber liability made its appearance, no cover was available where credit card details were hacked but not abused (or there was the threat of abuse).

Partly this was due to the lack of products and of understanding of the risks, but also many policies did not provide for the costs of the mitigation of losses (unlike “sue and labour” provisions in marine policies). Thus, a conscientious insured could take significant and expensive steps to cancel and reissue new cards and PINs and advertise the fact and, yet, no indemnity would be available.

The idea of indemnifying costs was a welcome addition to the panoply of coverages available. But it is nevertheless a salutary thought that, given the almost blanket coverage of the worldwide web, the list of potential claimants is huge (and not just limited to, say, a customer base) and claims can be brought in a multitude of jurisdictions.

Of equal interest to those risk managers purchasing cover were the coverages which addressed third party claims. These coverages are now central to cyber liability covers, e.g. defamation, dissemination of viruses and breach of copyright. Any company with a website now has legal liabilities as a publisher: claims now being made often run into the tens of millions of dollars, and the improper use of an individual’s image can give rise to suits for “fair market value”. Any new legislation continues to create new potential liabilities, such as user privacy and infringement of owned domains.

One only has to read the media (in whatever form) to see how cyber liability issues arise on a daily basis – the “fat finger syndrome” or an email where the recipient “replies to all”. In the introduction to this note we highlight two instances – an employee who trades whilst not completely in control of his faculties and an employee who chooses to widely disseminate a potentially defamatory email. Whilst it is fair to say that the wordings available would likely respond to the latter, in relation to the former an employee out on a frolic of his own may not be covered for such an act (particularly where the trading is proprietary (but possibly where the trading is executed for a client), although some form of specialist cover may be available).

Further, in this age the occurrence of cyber attacks, whether (seemingly) carried out by countries or by terrorist organisations, is increasingly becoming a considerable concern (certainly, the former type of attacks have already occurred).

As with any insurance policy, there has to be an allocation of risks between the insured and underwriters. An underwriter has the right to expect an adequate computer system with appropriate firewalls, back-up copies of electronic files and compliance with the regulatory environment (e.g. Data Protection Act 1998). Quite often insurers will engage third party providers to test an insured’s system (“penetration testing”), often by way of an added benefit to the policyholder. Further, given the crisis management indemnities, speedy notification to Underwriters is required of the insured. As one might expect, consequential losses and global virus attacks which are not aimed at the insured are generally excluded.

Whilst the types of claims which are now arising may be anticipated by insured and Underwriters looking into their “crystal balls”, it is still the case (as with any form of cover which parties create in response to new risks) that certain scenarios catch all the parties on the “blind side”. However, cyber liability covers have tended to steal a march on the more traditional coverages in terms of the imagination applied.

John Barlow
Partner
john.barlow@hilldickinson.com
+44(0)20 7280 9146