Date posted: 30-Jul-2015 | Category: Law | Uploaded by: browne-jacobson-llp
Cyber insurance – overview of policy coverage
Tim Johnson – May 2015
• ‘typical’ cyber policy
• available covers
• common pitfalls
Not all cyber policies are the same!
• new and developing sector
• insurers have different appetites for risk / different target markets
• limited claims history / information
• no (limited) legislative framework
Available covers
• first party losses
– breach costs
– business interruption
– hacker damage
– cyber extortion
• third party liabilities
– privacy claims / investigations
– media liability
Breach costs – what has to go wrong?
Unauthorised acquisition, use, loss or disclosure of personal data
What might the policy pay?
• IT forensic costs (for cyber breach) – to identify and shut down a breach
• legal fees – to manage your response to the breach
• notification costs – to notify data subjects and regulator
• credit monitoring costs – where required by law
• call centre costs – to deal with queries from data subjects
• PR / crisis management costs – to manage media fallout
Business interruption – what has to go wrong?
An interruption to your business caused by a
– hack
– (distributed) denial of service attack
What might the policy pay?
• loss of income / gross profit
• increased costs of working
• additional increased costs of working
Hacker damage – what has to go wrong?
• disruption, misuse, damage or destruction etc. of your computer system
• copying, stealing or damaging computer programs or data held electronically
caused by a hacker
What might the policy pay?
Costs incurred to
• replace or repair damaged programs (e.g. rebuilding website)
• reconstitute electronically held data
Cyber extortion – what has to go wrong?
Third party threatens to
• damage, destroy, copy or steal your computer systems, programs or data held electronically; or
• disseminate personal data held by you
unless you pay a ransom
What might the policy pay?
• ransom payable to hacker
• value of goods / services surrendered
• expert costs to negotiate and deliver ransom
Privacy claims / investigations – what has to go wrong?
Following loss, theft or unauthorised use of data
• a third party brings a claim against you
• a regulatory body (e.g. ICO) commences an investigation or prosecution
What might the policy pay?
• compensation payable to third party
• legal fees to defend claim / investigation / prosecution
• IT forensic costs
• regulatory fines (only where legally insurable)
• PCI charges
Media liability – what has to go wrong?
A third party brings a claim against you for
• defamation
• breach of intellectual property rights
arising from your internet, website, e-mail and other electronic media
What might the policy pay?
• compensation payable to third party
• legal fees to defend claim
• IT forensic costs if website etc. altered by a hacker
Common pitfalls
Pitfall 1 – security condition
• most policies require compliance with a certain level of security
• generally either compliance with
– your declared precautions
– reasonable precautions
• equivalent of an intruder alarm condition in a material damage policy
Pitfall 2 – dishonesty exclusion
• all policies will have a dishonesty exclusion
• dishonesty exclusions vary widely between policies
• whose dishonesty is excluded
– all employees?
– (senior) managers?
– board directors?
Pitfall 3 – breach by supplier or cloud provider
• breach by supplier
– you are still liable to your customers for the breach
– many policies will only cover a breach by you (as opposed to breaches for which you are liable)
• attack on cloud provider
– again, you remain liable to your customers
– many policies exclude breaches by cloud providers (either specifically or as a third party supplier)
Other pitfalls
• geographical / territorial and jurisdictional limits
– geographical / territorial limit – where the loss occurs
– jurisdictional limit – where a claim is brought
– where is your data? where is the breach? where is cyberspace?!
• breach by data centres – who owns the servers?
– breach by you or breach by supplier (see pitfall 3)?
• theft of commercially sensitive information – high risk area but may be excluded
– does policy only cover personal data?
• business interruption time excess – length of an interruption before cover kicks in
– what is your business model?
– how effectively can you work if your systems go down?
• PCI charges – are you a member of the PCI scheme?
– charges are often excluded as contractual fines, but can represent a substantial loss
• not all policies give the same cover
• understand the risks to your business
• understand the cover provided (and where cover is not provided)
• cover is flexible to meet your specific needs
• take advice!
Follow the NEW technology showcase page for news, legal updates, real opinions and training about managing cyber security risks.
Tim Johnson, Partner
t: +44 (0)115 976 6557
m: +44 (0)7825 229767