Cyber criminals will attempt to exploit any disaster, and coronavirus is no exception.  Experts have reported increased threats of phishing, malware and ransomware; vulnerabilities have been found in well-known cloud-based services; and security flaws in the home office present an increased risk when working remotely.  With furloughs and redundancies, disgruntled workers also pose a new insider threat.

With all this in mind, it is worth having appropriate cyber insurance in place. Cyber incidents can have a large financial impact, ranging from the costs of investigating and remediating the breach, through to regulatory notifications, investigations and fines, and even (in some extreme cases) ransoms that might need to be negotiated and paid.

Clearly there are benefits to having a comprehensive cyber insurance policy in place.  Businesses are under huge financial strain due to the current pandemic. It will remain crucial for businesses to have access to the resources required to respond to a cyber incident and to have insurance for the liabilities that may arise.
But cyber insurance does not cover everything.  The scope of cover and exclusions in insurance policies are usually very carefully drafted and can often contain a number of pitfalls for the insured.

Here are some of our top tips on cyber insurance:

1. Make sure you have specific cyber cover

There have been a number of high-profile cases involving insurance cover that did not expressly cover or exclude cyber risks.  This so-called ‘silent cyber’ or ‘non-affirmative’ cyber cover has made the headlines on various occasions, including in Mondelez International, Inc v Zurich Insurance Company, in which a dispute arose as to whether or not property damage resulting from a NotPetya cyber attack was covered.  In the UK, the Prudential Regulation Authority wrote to all general insurance firms’ Chief Executives in January 2019 expressing the need for firms to manage unintended exposure to non-affirmative (or silent) cyber risk.  Businesses should have specific cyber insurance in place, if they expect to have cover at all.

2. GDPR-related liabilities are not thoroughly covered

Cyber policies tend to provide cover for liabilities that arise out of personal data breaches.  However, cover rarely extends to regulatory fines and does not always extend to the costs of handling and managing regulatory investigations.  Often only compensation due to data subjects arising out of a personal data breach is within the scope of cover.  Other privacy violations are typically excluded.  It is essential to understand what GDPR-related liabilities are and are not covered by insurance so that practical mitigations can be adopted where required.  Particular consideration should be given to regulatory fines that may arise under the GDPR, as their potential scale is often the very reason why businesses seek cyber cover at all.

3. Cloud services are often not included in the description of the computer networks and systems that are covered

Most insurance policies will provide cyber cover for the insured’s computer networks and systems.  However, the definitions do not always extend to cloud-based services that the insured might use.  For a data controller, a data breach will be serious whether the data is compromised on its own systems or on a third party’s system.  It can, however, make a difference to cover.  It is critical for businesses to consider carefully how their cyber insurance policies will be interpreted on this issue and to seek additional endorsements from the insurer if required.  Many cloud vendors accept very limited liability for failings associated with their services and so insurance cover is vital for cloud security failures.  This is perhaps more important than ever given the extensive use of cloud services during the pandemic.

4. Consent is…

 
