Cyber Losses and Traditional Insurance Policies
Having worked as an insurance broker for over thirty years, I know that most businesses are likely to have some sort of insurance cover in place covering risks such as:
Loss or damage to own property;
Many policyholders believe that standard insurance policies such as these will cover them for the cyber-type losses that are mentioned in the news almost daily. This article aims to dispel such beliefs and to explain why consideration should be given to additional forms of insurance cover.
A traditional commercial property policy may also be known as a fire policy or a material damage policy and is designed to provide cover in the event of loss of – or damage to – physical assets. The title ‘material damage’ is apt.
Policies will often define what is meant by property; for example, ‘material assets owned by the policyholder’.
Others may make reference to building, contents and stock. Again, the intention is to cover material assets.
If cover is arranged on a fire and special perils basis, then losses are only covered if the proximate cause of the loss is one of the insured perils such as fire, flood or earthquake.
A cyber breach involving the loss of data, whether accidental or deliberate (by way of hacking), is unlikely to be the result of an insured peril.
Even on the basis that the client’s server was damaged in a fire or flood, given that data is intangible property, it is unlikely to come within the definition of insured property.
Some policies may make reference to computer system records within the definition of contents but there may well be a sub-limit on the sum insured and even when cover does apply, it is limited to reconstituting data – covering the cost of materials and inputting of data only – not the value of the data itself.
If the property insurance is written on an ‘all risks’ basis then once again, the definition of insured property comes into play.
Furthermore, policies are likely to have some form of electronic risk exclusion applicable.
Such an exclusion is designed to exclude losses in respect of damage to data caused by any of the following:
unauthorised access to a computer system;
transmission or effect of any virus;
failure of a computer system.
Whilst policy wordings do vary, it is clear that many cyber losses will fall within this type of exclusion.
For example, a hacking attempt is likely to be considered unauthorised access to a computer system and would therefore be excluded.
A distributed denial of service attack (DDoS) may fall within the failure of a computer system exclusion.
Some policyholders may have taken out engineering insurance and believe such losses come within the definition of a breakdown. The definition of breakdown is likely to be along the lines of: ‘The actual breaking, distortion or burning out of any part of the plant while in normal use, which is caused by mechanical or electrical defects in the plant resulting in sudden stoppage.’
A DDoS attack does not meet such a definition.
If we now turn our attention to the theft of data, we come up against the following issues:
The data is not actually ‘stolen’ because in most cases, a copy is taken and insurance has difficulty with the concept that you still have the data, yet it has been stolen.
Whether or not there has been an actual theft, most policies will be subject to a ‘forcible and/or violent entry to or exit from the premises’ wording so a claim under a theft policy is not triggered as the cyber criminal does not physically enter the insured premises.
If there is no claim under a property policy, it follows that a claim on a business interruption policy will also fail due to the application of the material damage proviso.
This proviso makes it a precondition of recovery that at the time of the loss, the insured has insurance in place to cover its interest in the property at the premises against loss and damage, and that payment is made or liability admitted.
Let us now look at third party losses.
These could include matters such as losses flowing from personal data being lost or stolen, or third party losses due to the transmission of a computer virus.
Under a public liability policy, cover operates in the event of bodily injury or property damage to a third party.
Liability policies typically do not respond to pure economic losses – that is, financial loss which is not accompanied by any physical damage to a person or property.
Taking bodily injury first, it is difficult to envisage a bodily injury occurring as a result of data being lost or stolen. Whilst the person whose data has been lost or stolen may suffer damage to their reputation or be exposed to identity fraud or indeed be severely inconvenienced, these are not considered to be physical bodily injury and accordingly, the policy would not respond.
Let us turn now to third party property damage.
Under English law, ‘data’ is described as intangible property and as many policies define property as material property, cover would not apply as there has been no loss or damage to insured property.
Consideration also needs to be given to the fact that an electronic risk exclusion may well apply to the liability section as well, thus most claims are unlikely to be covered.
Having established the limitations on traditional insurance policies, all businesses should give serious thought to their cyber exposure and the insurance protection that is available elsewhere in the market.
The AXA Insurance Management Liability policy has recently been updated and provides cover for many of the cyber risks businesses face, in addition to the usual covers one would expect under such a policy (directors’ & officers’ liability, company legal liability and employment practices liability).
How rradar can help: