Decrypting Cyber Insurance: A Practical Framework for Organisations

Cyber security is an emerging risk area for the insurance industry. The threat of cyber-attacks is increasing and so too is the demand for cyber insurance. An attack can often result in major disruptions to service and business. It can lead to the theft of personal information from customers, while causing irreversible damage to a business’ reputation. 

Given the potential to trigger millions of dollars in losses, it’s prudent for businesses to consider cyber insurance as a means of mitigating the risks of hacking, data-encryption, phishing, scamming and data breaches. However, relative to Comprehensive General Liability (CGL) and Directors and Officers (D&O) insurance policies, the cyber insurance industry is in its infancy, and the extent of coverage offered by insurers varies greatly.

So, let’s consider cyber insurance in the digital age and the robustness of CGL policies in the face of cyber-attacks. We’ll also provide a framework for determining whether a particular cyber specific policy offers adequate coverage.

Why do we need Cyber Insurance?

According to the Australian Government, ‘worldwide, losses from cyber security attacks are estimated to cost economies around one per cent of GDP per year’.[1] For Australia, this could be upwards of $17 billion annually. In fact, the World Economic Forum has determined cyber-attacks to be the 12th largest risk to doing business in 2017 – ahead of natural catastrophes and infrastructure breakdown.[2] According to Gemalto, a global leader in digital security, Australia is among the worst affected countries in terms of data breaches, illustrating the importance of robust coverage.[3]

Organisations worldwide are facing an uphill battle against hackers as they become increasingly sophisticated in phishing, scamming, spamming and cyber-attacks. The proliferation of software and software developers in today’s tech-savvy culture, the increased use of open-source software, and the failure of businesses to update their old software has only amplified the issue.[4]

High profile hacking cases have put cyber insurance on the radar. Recently, we observed the hacking of ride-sharing monolith Uber,[5] the infiltration of Sony’s PlayStation systems and the breach of dating website Ashley Madison. More locally, inadvertent data breaches by the Red Cross and Telstra and the theft of personal customer information following the compromise of Kmart’s online operations, makes it difficult to overlook the implications of cyber-attacks.

In the face of this rapidly changing digital world, businesses are becoming increasingly reliant on cyber insurance to shift the risk of unforeseen cyber-attacks and data breaches to insurers. The Australian Government expects demand for cyber security services including legal services, insurance and risk management to grow by 21% from 2016 – 2021.[6] This is not surprising considering the pace at which technology continues to evolve. If we accept that, at the very least, some coverage against cyber-attacks is necessary, then the real issue becomes how to select the ideal policy for you.

CGL Policies – are they sufficient to cover cyber incidents?

The integrity of CGL policies against cyber-attacks was brought into question in the high profile US case of Zurich American Insurance Co V Sony Corp of America (Sony).[7]

Hackers infiltrating Sony’s popular PlayStation network compromised the personal details of approximately 77 million account users. Numerous class actions were filed against Sony, who sought to rely on the ‘Personal and Advertising Injury Coverage’ under their existing CGL policy.

Unfortunately for Sony, the New York Supreme Court held that the hacking incident did not trigger coverage under Sony’s CGL policy. The actions of third party hackers did not constitute ‘oral or written publication in any manner of the material that violates a person’s right of privacy’ as required by their policy.

In the wake of the Sony decision, a proliferation of cyber insurance policies have been made available. But does this in and of itself suggest that CGL policies are inadequate to protect policy holders, or are the new policy offerings simply opportunistic?

Although Australian courts have not yet had to determine a case with the magnitude of Sony, American jurisprudence suggests that CGL policies are not always comprehensive enough to cover cyber-attacks on organisations, particularly when this was never contemplated by the insurer in preparing the policy.

When assessing your own CGL policy, consider the following:

• CGL policies often insure against claims for invasion of privacy when personal information is published to the world at large. However, Sony highlights that where information is published by a third party hacker, as opposed to the policy holder, coverage may not extend to protect the policy holder. Additionally, US courts have had to grapple with whether data needs to be accessed by the public before it is considered to be published, or whether sheer availability is enough to satisfy ‘publication’. Responses on this issue have differed.

• CGL policies often contain exclusions for statutory violations (of privacy legislation). That is, if the cyber-attack has led to the policy holder breaching state or federal privacy legislation, there may be no cover.

• Although CGL policies usually contain a provision for property damage, electronic data is often explicitly excluded, making it important to carefully consider the policy terms and conditions.

• Due to the proliferation of separate cyber insurance policies, new CGL policies are likely to explicitly exclude cyber-attacks. In the US, an ‘Access or Disclosure of Confidential Personal Information’ exclusion endorsement is often used to bar coverage in CGL policies.

Choosing the right cyber insurance

According to Lloyd’s Bank, ‘buyers lack understanding of cyber risk about what is and isn’t covered under existing insurance policies’.[8] Unlike D&O insurance, cyber insurance policies vary widely. Coverage is inconsistent, in part due to the dynamic climate of the digital world and the relative novelty of cyber insurance as a product compared to CGL and D&O.

In recent times, it has become increasingly common for hackers to access networks, encrypt important business files and demand ransom from business owners to recover access to their own documents. For example, the CryptoLocker ransomware attack in 2013-2014 used malware transmitted via email to encrypt data. The attackers threatened to destroy the encrypted data and demanded payment to unlock the files. Consequently, businesses must take into account whether a particular policy reflects advancements in technology and the changing method of attack.

Notable variations in cyber policies may include:

• The definition of a computer system. Some policies cover systems owned by cloud providers who hold data on behalf of an organisation, while other policies only cover systems directly under the policy holder’s control.[9]

• Notification requirements. Most cyber insurance policies contain coverage for costs incurred by the policy holder in notifying customers that their data has been breached. However, when notification is not legally required by privacy legislation, but simply desired from a public relations perspective, coverage will not always extend. From 13 February 2018, organisations covered by the Privacy Act 1988 (Cth) will have to notify individuals affected by a notifiable (serious) breach of privacy. These entities must also report to the Information Commissioner.

• Professional and legal fees. Although most policies provide for legal and expert fees (to investigate and respond to a cyber-attack), it is important to consider whether policy holders are entitled to choose their own lawyers or experts. Some policies do not cover expert witnesses for trial. Other policies exclude cover if the policy holder has received and acted contrary to legal advice with regard to dissemination of data.

• Time of cyber-attack. Policies may not cover cyber-attacks that occurred prior to the policy holder purchasing insurance. Time-based considerations are integral to selecting the right coverage because cyber-attacks are often identified long after they occur. On average, it takes organisations 210 days to discover a data breach, at which point, the business may have suffered significant financial damage or had commercially sensitive information stolen from it. Such damage is likely to be exacerbated by a lengthy delay on the insurer’s part. Business owners must also consider whether their policy requires them to certify losses within a particular time period.

• Software updates and licenses. Some policies bar policy holders from coverage if they have failed to update their software or virus protection as soon as updates are made available. Policies may not cover an organisation if they have not complied with software licences (for example, if they have exceeded the agreed number of users for a particular software, and that software is hacked).

Other issues to consider when selecting the right policy include:

• Whether the policy covers social engineering, such as phishing scams;

• The extent to which third party liability is covered, which is particularly relevant in circumstances involving data security and privacy-related litigation;

• Ongoing audit and compliance obligations;

• Whether the policy covers:

  • Data breach costs;

  • Costs arising in relation to the theft of customer information, including credit card details (such as costs imposed by credit card providers) and forensic investigation costs;

  • Costs of rebuilding an IT system;

  • Costs stemming from notification requirements; and

  • Theft of crypto-currencies such as ‘Bitcoin’.

Implications for businesses

As part of your businesses annual health check, be sure to consider whether you could be doing more to protect it against malicious cyber-attacks. In light of the range and unpredictability of cyber-attacks, the time for increased vigilance is now.

The best approach to cyber insurance is a measured one, taking into account the needs of your business relative to the different types of coverage offered under certain policies offered by different providers. The right policy is one that is responsive, affordable, adaptive and comprehensive.

Understandably, few people fully comprehend the complexity of issues surrounding cyber insurance and the policy terms available. As the scope of D&O insurance has developed in the market, many clients have sought independent advice from their lawyers about policy coverage for their directors and officers. We suggest a similar approach should be taken in regards to cyber insurance, in order to ensure that your insurance policy aligns with your business needs.

---

Corrs Cyber is a rapid-response cyber security team, created to help organisations prepare for and recover from a cyber-attack or data security breach. Our multidisciplinary team provides access to data breach management specialists, including legal advisers, IT forensic investigation specialists, cyber risk and incident response consultants, and crisis and reputation management services. With the ability to respond to any type of cyber incident, the Corrs Cyber team offers a complete, solution-based round-the clock cyber incident service.

---