21 March, 2018
Transcript
Hello, I'm Rehana Box. I'm a partner in the Sydney office of Ashurst and I specialise in insurance. And obviously in insurance, one of the key risks that people are dealing with at the moment is cyber.
So in this session what we want to do is take a few minutes to look at the issue of cyber insurance and how you can use it as one of the tools available to you to manage cyber risk. Insurance is not going to eliminate cyber risk, but cyber risk just can't be eliminated these days and insurance is one of the key tools that you have available to you as a corporate or as an individual to manage this risk.
Insurance is full of concepts and jargon which confuses a lot of people and disempowers people from dealing with insurance. What we hope to do today, and what we will do, is actually untangle some of those and make it easier for you to understand, but there are a few basic concepts that we will need to discuss so that we can actually go on with the discussion. One of those is that you need to make a differentiation between what is called a first party loss and a third party liability because they're insured differently.
First Party Loss or Third Party Liability
A first party loss is a loss that you're going to suffer yourself as a result of a cyber breach or a cyber event, and some of those include things such as your data restoration costs, crisis communication costs and dealing with your customers, notification expenses which Sophie's talked about, investigations and forensic costs to determine how the breach has occurred, possibly your own ransoms that you might be exposed to having to pay to get your data back or stop it being exposed and possibly losses that you might suffer as a result of business interruption or by crimes that are committed against you. So they're losses that you're suffering yourself as an insured.
The other category of insurable risk is third party liability risk, and so when we're talking about third party liabilities we're talking about things such as your liability to third parties for a breach of their privacy, a breach or disclosure of their confidential information, vicarious liability you might have even for what your outsourcers have done (and we'll talk a little bit more about that in a moment), IP infringements of third parties, defamation and slander, the damage you might cause to third parties' IT systems, your liability for fines and penalties, crimes by your employees or even third party physical injury and damage that might be caused. For example, if you're a manufacturer of a car, and you've had many of the car manufacturers in the US now being exposed and showing that they can be hacked, you can hack into a computer system of a GM car or a BMW car, take it over and cause third party injury and possibly death and also third party damage. So one of the things it might be, if you're a car manufacturer, is have you been negligent in the way you've designed your systems and sold your cars that allows them to be hacked?
So certainly there is the risk there now of tangible injury, death, property loss and damage resulting from cyber risks.
First Party Loss or Third Party Liability?
It's not always easy, as easy as you think it would be, to determine if something is a first party loss or a third party loss, and we had an example of this last year where we were advising one of the major banks and doing some scenario testing for them. We looked at the issue of what happens if someone got into their systems or into a customer's account and siphoned off all the money, and at first the bank was looking at its liability policies and saying well where am I covered for my liability to make good the customer. When we looked at it legally, in fact it wasn't a liability at all. The relationship between a bank and its customer is one of debtor and creditor and that hadn't changed, the debt was still there to the customer. What was the difference was that now the bank had actually had a loss, and so it was a first party loss situation and not a liability, and so sometimes it's just not as clear as you might think it is to determine which category these things fall into and what policy you have that might respond.
Moving on to what I would do when I'm first looking at a client and looking at whether or not they have cover for cyber exposures.
Range of Insurances
The first thing I do is look at their existing insurances and they should not be overlooked and they often provide very valuable cover, so I'm looking at things such as their professional indemnity insurances, their public liability or general liability insurances, their industrial special risks insurances, D&O (Directors and officers) insurance, kidnap and ransom, crime, fines and penalties and any other insurances they have around that might provide cover.
What you find when you look at the liability covers that are around in Australia and what you will likely have, any of you who are involved in corporate insurances, is you probably have quite broad cover already. Where we find that there is often a gap for corporates is in relation to their cover for first party losses. Their own losses, for example their own business interruption, their own liabilities to notify third parties where there's been a compromise of their information and their own sort of costs, for example of credit card replacement and the like, and in that area a lot of Australian corporates are under insured or not insured at all, and so that's the area where particularly we're finding there is a pick-up of cyber insurance. But generally I should actually say that the pick-up of cyber insurance in Australia to date has been fairly slow, I think that's partly been because there hasn't been the notification requirements that are just coming in now, and we've found that generally it seems to be the SMEs (small and medium enterprises), interestingly, as well as those high end corporates that have high exposure such as banks and the health industry, by way of example, who have picked up cyber insurance, but the general corporate community has been a bit complacent and has generally often run bare of having full cyber coverage. That's slowly changing and I think we're going to see an acceleration of the pick-up of cyber insurance very quickly over the next couple of years.
So once we've looked at a corporate's own insurances and we've looked at where there might be exposures that aren't currently covered in the cyber space, then you look at whether or not you're going to effect a cyber policy.
Cyber Policies – First Party Loss or Third Party Liability?
These types of policies can cover various first party and third party liabilities. Those types of losses, for example in the first party sphere, can include things such as reputational expenses, so the costs of retaining public relations firms to help minimise the damage to your organisation where there is a cyber event and a very good example of how to do that, well probably with the Red Cross last year, where they had a breach of their data and they handled it so well in the media many would say they came off better as a result of that breach than if it hadn't happened in showing how concerned and how they dealt with that breach appropriately and properly and promptly. So you can turn it to your advantage as well if you use it well.
Other types of first party losses that can be insured include customer support, so the obligations to notify and notifications where you do that voluntarily as well as monitoring customer accounts, setting up call centres to deal with people who are concerned where a cyber event has occurred and how that might have affected them. You can also get cover for your own data recovery, your own business interruption, contingent business interruption, which is an unusual term, but that means where your business is affected because there's been a cyber event at a customer or a supplier of yours, so for example if your supplier has a major internet outage it might affect their ability to actually service you, which then has a flow on effect to your ability to actually stay in business or perform and your obligation to service your customers.
Other types of first party losses that can be insured include your cost to comply with regulatory investigations, defence costs, IT forensic costs are very important and there's been data around that says that it's around $3 million per breach to actually do the IT forensics, so around whether or not a breach has actually occurred and if it has occurred where it's occurred and how can that be plugged to prevent that from happening again or to at least eliminate the current threat. Cyber extortion can be insured, and we've seen a lot of examples of that, many people have all heard about friends and people have even had their own personal computers locked down where you get people from the eastern block or somewhere asking you for money to actually unlock your computer. Equally it can be an issue of threats to actually expose information that you have on those sites, and we've seen those sorts of examples, both used for possibly political means in some cases that I can think of, and also just pure extortion, so particularly, and it's happened with some major law firms in the UK and it's been well reported where they had their information compromised around major merger and acquisition deals and the threat to release that unless a ransom was paid. And finally, I'll also just mention the fact of clean-up costs. It's an enormous cost to get back data that's been released onto the world wide web, and that shouldn't be underestimated, and more recently these policies are providing cover for that.
Third Party Liabilities
And then turning to third party liability risks that can be insured under a cyber policy, again it's quite a long list and includes such things as, where you are a technology provider, your own professional liability if you negligently provide those services and as a result cause some sort of cyber liability, for example the introduction of a virus into someone's system; multimedia liability, which can include liabilities arising out of information an entity provided through its multimedia including its websites, its publications, advertising material, breaches of copyright for example, libel/slander, infringement of privacy and so on. And then we're looking at things such as the liability for breaches of someone's privacy, and that can include personal data, and people often just concentrate on customers but also think about your own employees; equally you're holding a lot of their data which if exposed can lead to liabilities, and then you also need to think about corporate data, both your own and third party corporate data that you're holding. As we mentioned a few minutes ago, the risk of release of sensitive market data for example can be significantly damaging and costly if it was to occur. And then of course you've got liability for criminal fines and penalties and civil fines and penalties to the extent they're insurable at law, and you've got outsourcing risk where you might have liabilities for the acts or omissions of your own outsource providers. So there are also a lot of additional benefits that people get from these policies, and a lot of actual insureds are actually effecting small value policies to actually get these benefits alone.
Additional Benefits
One of those benefits is that the insurers will generally work with their insureds very early on, often at the time of placement, to actually do risk assessments which the insured can also use to look at where their exposures are, and of course if you're an insurer working in the cyber space and writing cyber risk you're going to have a lot of resources built up and a lot of IP around identifying cyber exposures. You also get the insurers acting as breach coaches, and Sophie and I in particular have acted with some insurers in actually setting up breach coach facilities and helping both the insurer itself to actually work through its own breach coach offerings and working with their insured, so that's a very common offering these days. And the insurers will often also work with you on scenario testing and actually sort of cyber war gaming to actually help people prepare for when a cyber event occurs, because at that time obviously it's all about dealing with the breach and you shouldn't be worried about how you're going to go about it at the more general level; that can certainly be worked out beforehand.
And not to be underestimated is the fact that most insurers will have a panel of experts and it's generally a global panel, so you might be quite comfortable that if something happens in Sydney, Melbourne, Perth or wherever you are, that you can actually know who to call, but if it happens in South Korea and you happen to have some operations there, who do you call? So often having access to the worldwide panels that the insurers have set up is a very valuable resource, and quite often you have access to those panels, even if you're not insured, at the panel rates that the insurer has negotiated. So for all those reasons, a lot of people are effecting these policies for the add-on benefits and not just for the actual coverages themselves.
Issues
But there are some issues that come up when you're looking at these policies.
And first and foremost it's actually reviewing the policies carefully with the help of people who are experts in these sorts of areas of wordings to ensure that you actually first of all know what you actually have bought and what you have covered and where there are gaps, and importantly, where you do identify gaps or issues with the wordings, to think about negotiating with the insurers early to actually close those gaps, and we've had a lot of success, in fact sometimes we're more successful than we expect to be, in actually getting insurers to change their wordings to meet the requirements of a particular client so that there aren't as many gaps in respect of the cover that's provided. One of the issues that comes up too in looking at these wordings, if we're being very careful, is that a lot of the insurers have what's called aggregation or anti-stacking clauses on their policies, and that means that they're concerned because they're writing a lot of these policies and if there is a large denial of service then there can be a risk that an insurer suddenly has millions of policies that are responding, so as a result of that insurers often put what's called an aggregation or an anti-stacking clause on it that says that their total liability arising out of the same event for all insureds is capped to a certain amount. Now, that can significantly undermine the protection you're being given by your policy, and it may be we're working on a first come, first served basis, so you might have nothing and you've got say a denial of service attack that is broad across the community. So it's important to look for those sorts of clauses and see if they're there and consider whether you're happy with them and whether they can be removed.
The other issue I've got there is DIC/DIL, that means difference in conditions/difference in limits, and that's a term that means that one policy will basically supplement the first policy, so that if it's broader then, under difference in conditions, its conditions will apply to fill in the gaps of the first policy, and the difference in limits means that the second policy's limits will apply on top of the first policy's limits. Now, why am I talking to you about this? That's because when you are effecting cyber insurance you might want to think about where it sits in your insurance program. A lot of people are effecting cyber so it sits outside of the existing insurances we talked about a moment ago that you might have that will cover you for cyber liabilities and losses, so it's on a difference in conditions/difference in limits basis. If you do that, your existing policies will respond first and the cyber policy will only respond in the event there isn't already cover. Now, that can reduce the premium of a cyber policy, so that's one of the reasons to do it; the alternative is of course you might want to protect your existing policies, and this needs a lot of review of your actual circumstances, so that actually the cyber policy responds first, but that's just highlighting something you need to think about: where do you want your cyber policy to sit in your overall program and do you want it to respond first or last?
The last thing I just wanted to comment on before we move on to some more specific wording issues is the fact that at the moment a lot of the policies we're seeing are one size fits all, and that can be problematic because we're not all the same and the exposure of corporates to cyber risks varies greatly. It also means it's quite disappointing sometimes for insureds where they see a section, and I know one insurer for example has a reputational damage section they won't offer to large corporates, so you see it there but you can't buy it, so again just from a PR exercise and customer satisfaction exercise for insurers it's not necessarily a great thing, but we are starting to see the market fragment and we're starting to see cyber policies that are actually tailored to particular market segments. An example of that is Aon late last year launched a product purely for energy, utilities and resources companies who are willing to pay for good quality cover, and they've actually tailored that policy wording for the particular risks that those types of entities have.
For further information, please contact:
Rehana Box, Partner, Ashurst
rehana.box@ashurst.com