managing and insuring cyber risks - chamber of commerce seminar 21 may 2015, tim johnson


Cyber insurance – overview of policy coverage

Tim Johnson – May 2015

• ‘typical’ cyber policy

• available covers

• common pitfalls

Not all cyber policies are the same!

• new and developing sector

• insurers have different appetites for risk and different target markets

• limited claims history / information

• no, or only a limited, legislative framework

Available covers

• first party losses

– breach costs

– business interruption

– hacker damage

– cyber extortion

• third party liabilities

– privacy claims / investigations

– media liability

Breach costs – what has to go wrong?

Unauthorised

– acquisition

– use

– loss

– disclosure

of personal data

What might the policy pay?

• IT forensic costs (for cyber breach) – to identify and shut down a breach

• legal fees – to manage your response to the breach

• notification costs – to notify data subjects and the regulator

What might the policy pay? - cont’d

• credit monitoring costs – where required by law

• call centre costs – to deal with queries from data subjects

• PR / crisis management costs – to manage media fallout

Business interruption – what has to go wrong?

An interruption to your business caused by a

– hack

– (distributed) denial of service attack

What might the policy pay?

• loss of income / gross profit

• increased costs of working (extra expense incurred to keep the business running, normally limited to the loss of profit it avoids)

• additional increased costs of working (extra expense beyond that economic limit, usually subject to its own sub-limit)

Hacker damage – what has to go wrong?

• disruption, misuse, damage or destruction etc. of your computer system

• copying, stealing or damaging computer programs or data held electronically

caused by a hacker

What might the policy pay?

Costs incurred to

• replace or repair damaged programs (e.g. rebuilding a website)

• reconstitute electronically held data

Cyber extortion – what has to go wrong?

Third party threatens to

• damage, destroy, copy or steal your computer systems, programs or data held electronically; or

• disseminate personal data held by you

unless you pay a ransom

What might the policy pay?

• ransom payable to hacker

• value of goods / services surrendered

• expert costs to negotiate and deliver ransom

Privacy claims / investigations – what has to go wrong?

Following loss, theft or unauthorised use of data

• a third party brings a claim against you

• a regulatory body (e.g. the ICO, the UK Information Commissioner's Office) commences an investigation or prosecution

What might the policy pay?

• compensation payable to the third party

• legal fees to defend the claim / investigation / prosecution

• IT forensic costs

• regulatory fines (only where legally insurable)

• PCI charges (card scheme fines and assessments following a breach of card data)

Media liability – what has to go wrong?

A third party brings a claim against you for

• defamation

• breach of intellectual property rights

arising from your internet, website, e-mail and other electronic media

What might the policy pay?

• compensation payable to the third party

• legal fees to defend the claim

• IT forensic costs if the website etc. was altered by a hacker

Common pitfalls

• most policies require compliance with a certain level of security

• generally either compliance with

– your declared precautions

– reasonable precautions

• the equivalent of an intruder alarm condition in a material damage policy: fail to maintain the precautions and cover may not respond

• all policies will have a dishonesty exclusion

• dishonesty exclusions vary widely between policies

• whose dishonesty is excluded?

– all employees?

– (senior) managers?

– board directors?

• breach by supplier

– you are still liable to your customers for the breach

– many policies will only cover a breach by you (as opposed to breaches by a supplier for which you remain liable)

• attack on cloud provider

– again, you remain liable to your customers

– many policies exclude breaches by cloud providers (either specifically or as a third party supplier)

• geographical / territorial and jurisdictional limits

– geographical / territorial limit – where the loss occurs

– jurisdictional limit – where a claim is brought

– where is your data? where is the breach? where is cyberspace?!

• breach by data centres – who owns the servers?

– breach by you or breach by supplier (see "breach by supplier" above)?

• theft of commercially sensitive information – high risk area but may be excluded

– does policy only cover personal data?

• business interruption time excess – length of an interruption before cover kicks in

– what is your business model?

– how effectively can you work if your systems go down?

• PCI charges – are you a member of the PCI scheme?

– charges are often excluded as contractual fines, but can represent a substantial loss

• not all policies give the same cover

• understand the risks to your business

• understand the cover provided (and where cover is not provided)

• cover is flexible to meet your specific needs

• take advice!

Follow the NEW technology showcase page for news, legal updates, real opinions and training about managing cyber security risks.

Tim Johnson, Partner

e: tim.johnson@brownejacobson.com

t: +44 (0)115 976 6557

m: +44 (0)7825 229767
