In the insurance industry the term ‘cyber insurance’ is regularly batted around and discussed; however, because the term is so broad, there is often confusion as to what exactly it means and what insurance is actually available.
Since the introduction and evolution of the internet the technology industry has faced, and continues to face, many risk exposures; some of these could fall into a cyber insurance camp or a professional indemnity camp.
The term cyber liability, in its simplest form, relates to a company being held responsible (by a claimant who has suffered the damage) after a cyber event arises, for a loss that the company caused or contributed to. Given that professional indemnity insurance (PII) is by nature designed to cover third-party claims brought against a policy holder, where the policy holder is alleged to have breached the duty owed to their client and the client has suffered financial loss as a result, it is easy to draw comparisons.
In light of the above, and given the nature of the services offered by the tech industry and their link to the general definition of ‘cyber’ (“relating to or characteristic of the culture of computers, information technology, and virtual reality.”), there will be instances in terms of insurance and potential liability where cyber liability and PII policies overlap.
This guidance, provided for information purposes only, aims to highlight some of the key needs, similarities and differences, and also how the GDPR will increase the exposure for all businesses, particularly the tech industry.
In what instances should a tech professional indemnity insurance policy respond to a ‘cyber’ event?
The Micro and SME PII market for technology risks is an attractive pool for many insurers and syndicates who have flooded the market with capacity. This has led to a highly contested landscape where policy wordings are generally broad and prices are very competitive.
The broadening of the policy wordings in the majority of the sectors of the tech PII market has resulted in some PII policies responding to third-party claims that are classified as a ‘cyber event’, for example, a failure to prevent a virus attack which caused the destruction of the client’s data and operating systems.
Technically speaking, as long as a PII policy wording is provided on a civil liability basis without a specific exclusion relating to cyber, or cyber liability, then generally the PII policy should respond to claims involving cyber events that are brought against a policy holder by a third-party claimant looking to recover the financial loss they have suffered which was caused or contributed to by the policy holder. All tech companies, with the help of an experienced broker, should check the specific nature of their PII policy to determine the extent of the cover.
“So, if I have a broad PII policy why do I need cyber insurance?”
Tech companies’ exposure to cyber events and claims is not limited to defending claims brought by a third party who has suffered a financial loss; the risk exposure is far greater.
Cyber events can trigger both first-party and third-party losses for organisations. According to the World Economic Forum’s Global Risks Report 2018, cyber-attacks are the third most likely risk facing the globe (behind extreme weather events and natural disasters), so tech and other industries face a heightened risk of financial and reputational harm if they fall victim to a cyber-attack.
Cyber-crime, particularly ransomware attacks, is widely reported as the highest cyber risk facing UK domiciled businesses.
The table below has been designed to establish a general understanding of the key reasons for having a comprehensive cyber insurance policy. A comprehensive cyber policy should include breach response services, giving the company access to specialist lawyers, PR experts and IT forensics to assist in the event of a claim.