In the insurance industry the term ‘cyber insurance’ is regularly batted around and discussed; however, due to the broad nature of the term, there is often some confusion as to what exactly it means and what insurance is available.
Since the introduction and evolution of the internet the technology industry has faced, and continues to face, many risk exposures; some of these could fall into a cyber insurance camp or a professional indemnity camp.
The term cyber liability, in its simplest form, relates to a company being held responsible (by a claimant who has suffered the damage) for a loss, arising from a cyber event, that the company caused or contributed to. Given that professional indemnity insurance (PII) is by nature designed to cover third-party claims brought against a policy holder who is alleged to have breached the duty owed to their client, resulting in the client suffering financial loss, it is easy to draw comparisons.
In light of the above, and given the nature of the services offered by the tech industry and their link to the general definition of the term ‘cyber’ (“relating to or characteristic of the culture of computers, information technology, and virtual reality.”), there will be some instances where cyber liability and PII policies overlap in terms of insurance and potential liability.
This guidance, provided for information purposes only, aims to highlight some of the key needs, similarities and differences, and also how the GDPR will increase the exposure for all businesses, particularly the tech industry.
The Micro and SME PII market for technology risks is an attractive pool for many insurers and syndicates who have flooded the market with capacity. This has led to a highly contested landscape where policy wordings are generally broad and prices are very competitive.
The broadening of the policy wordings in the majority of the sectors of the tech PII market has resulted in some PII policies responding to third-party claims that are classified as a ‘cyber event’, for example, a failure to prevent a virus attack which caused the destruction of the client’s data and operating systems.
Technically speaking, as long as a PII policy wording is provided on a civil liability basis without a specific exclusion relating to cyber, or cyber liability, then generally the PII policy should respond to claims involving cyber events that are brought against a policy holder by a third-party claimant seeking to recover a financial loss caused or contributed to by the policy holder. All tech companies, with the help of an experienced broker, should check the specific nature of their PII policy to determine the extent of the cover.
Tech companies’ exposure to cyber events/claims is not solely tied to having to defend against claims brought by a third party who has suffered a financial loss – the risk exposure is far greater.
Cyber events can trigger both first- and third-party losses for organisations. According to the World Economic Forum’s Global Risks Report 2018, cyber-attacks are the third most likely risk facing the globe (behind extreme weather events and natural disasters); tech and other industries therefore face a heightened risk of suffering financial and reputational harm if they fall victim to a cyber-attack.
Cyber-crime, particularly ransomware attacks, is widely reported as the highest cyber risk facing UK domiciled businesses.
The below table has been designed to establish some general understanding of the key needs for having a comprehensive cyber insurance policy. A comprehensive cyber policy should include breach response services where the company has access to specialist lawyers, PR experts and IT forensics to assist in the event of a claim.
We believe that the simple answer to this is no. As most tech firms will have experienced, PII has long been a condition imposed under contracts and as far as we can see, this requirement does not challenge the abilities of the tech firm who is asked to take out the cover.
We think that the same view should be taken when tech firms incorporate a cyber insurance policy into their portfolio, and its inclusion should be seen as a mark of diligence and not necessarily weakness. In any case, with the change in data protection law it is anticipated that contractual obligations to hold cyber insurance will be imposed on tech firms prior to winning contracts – similar to the resulting impact in the USA after data protection and breach notification laws were updated. Expert legal advice should always be sought prior to agreeing to contractual terms.
The tech industry has been revolutionary in helping to shape and automate our everyday/business lives, and although in most cases we can rely on it to keep our systems active and confidential information secure, the risk of issues arising will always exist (commonly from human error or lack of resources). Cyber insurance should therefore be included as part of a holistic approach to effectively managing cyber risk. For the avoidance of doubt, insurance should not be used as a substitute for implementing security controls and measures.
Despite the impossibility of predicting exactly what will happen on 25 May 2018 and thereafter, one thing is certain: the level of expectation and accountability of organisations when processing personal data will increase. This rise will heighten all companies’ risk exposure, and the impact on the tech industry is expected to be among the largest.
A key principle of the GDPR is accountability. This will make the obligations and potential liability of both controllers and processors more onerous than under the previous data protection law, and in some cases the potential liability of processors could even become aligned with that of controllers.
Given that most tech companies will operate as both a processor and controller they could face the following claims in respect of breaches to the GDPR:
1. The company and its senior management team being investigated by the ICO
2. When acting as a processor, they could be sued for causing a financial loss to the controller
3. They could face claims from individuals (including employees) who have suffered loss/harm (including mental harm) as a result of their information being leaked/illegitimately used after a data breach
We think that generally tech firms should obtain a comprehensive package of cyber, professional indemnity, directors’ & officers’ liability and public/employers’ liability insurances to help provide a good suite of protection against the ever-evolving risks linked to technology, including regulatory updates like the GDPR.
Combining all covers with one tech-focussed Insurer is widely recommended as it eliminates the chances of an ‘Insurer v Insurer’ dispute over who is responsible for paying any related insurance claim.
As an experienced Broker in this field, PIA is more than happy to assist any tech firms with effective insurance programs and we welcome all enquiries.