What’s covered in a cyber insurance policy?

Part 1 of ‘One Byte at a time: a series on Cyber insurance’ looks at what a typical cyber insurance policy covers using 10 different scenarios.

If we compare cyber insurance to other classes of business such as CTP (vehicle accidents) or Home & Content policies (theft or damage), it offers quite a spectrum of coverage.
 
This came about due to the evolution of the product and how the market has responded to customer demands. The following table gives a brief overview of what a typical cyber product covers:
 
 

First Party

Third Party

  • Incident response –  costs of responding to a cyber incident such as investigation, crisis management, notification costs, credit monitoring costs and reputation / public relation costs
  • Business interruption
  • Data restoration
  • Cyber extortion – Cybercriminals rendering valuation data unusable and holding it for ransom or threaten to release it publicly).
  • Cyber crime
  • PCI DSS fines – Payment Card Industry Data Security Standard is a set of policies to protect credit card holder information from misuse. Credit card companies (such as Visa) can fine retailers for losing their customers’ data.
  • Privacy and Confidential liability
  • Network liability – liability to third party due to a virus transmission from your computer
  • Media liability – copyright infringement

 

 

 

 

1) There’s some kind of malware on my network, and I can’t run my business…. I’m losing revenue!

Yes it’s covered. Malware is generally part of a cyber event definition. The policy will cover all the incident response costs and also business interruption costs (lost revenue).

 

2) All my files are encrypted, someone is demanding I pay Bitcoin to get them back!

Yes, it’s covered. This would be a typical ransomware attack and where legally permitted, the ransom can be paid for by the insurance policy.

 

3) I got fooled into paying money to a criminal via an email, I thought they were a supplier who just changed bank details!

Sometimes covered if there is an extension for “Social engineering” losses.

 

4) The furnace in our steel mill has been hacked into, we can’t shut it down!  It’s causing so much damage!

No, it’s not covered as “property damage” is not covered under a cyber policy. This is actually a real case in 2014 where a German steel mill was hacked and extensive damage up to 20 million euros resulted.

 

5) We had a massive data breach and now our share price has plummeted!  We’re being sued because we didn’t disclose it immediately!

No it’s not covered under a cyber policy, but under a Directors & Officers policy. A high profile case is Yahoo where its data breach-related securities class was settled for USD 80 million.

 

6) My computer network has been mining cryptocurrency without my knowledge!

Yes it’s covered. This usually involves malware, which is a cyber incident. Cryptojacking is an increasingly popular cybercrime where the cryptojackers take advantage of compromised computers and use those computers’ CPU to mine cryptocurrencies elsewhere. It will slow down a computer’s processing power which can cause the system to falter, slowness, overheating, and potentially downtime or even blackout.

 

7) Our car manufacturing factory was hacked and someone got injured by the robotics when it went haywire!

No it’s not covered as bodily injury is not covered under a cyber policy.

 

8) Our autonomous bus got hacked and crashed into a house!  There’s so much damage to the house!

No it’s not covered because third party property damage is not covered under a cyber policy. Although as autonomous vehicles industry develops and the insurance industry evolves to adapt, where the liability falls might change in the future.

 

9) I accidentally breached someone else’s trademark on my website, now they’re trying to sue me!

Yes it’s covered. This would fall into ‘media liability’ coverage if you have to pay for legal assistance and/or infringement. Depending on what’s legally permissible, the infringement fine may be covered too.

 

10) One of my customers is suing me because the software I built for them doesn’t work properly!

No it’s not covered as breach of professional duty is not covered under a cyber policy. This may be covered by a Technological Errors & Omissions (Tech E&O) or a Professional Indemnity policy.

 

As you can see, in some scenarios, policyholders and brokers need to have a clear understanding of what is covered by a cyber insurance policy or not.

Not all ‘IT-related incidents’ will fall back onto a cyber policy.

A good understanding of coverages under other insurance policies in such scenarios is just as important.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.

Comments

Image of Ashish Chaturvedi
Ashish Chaturvedi says

13 October 2019

Excellent comparison of different scenarios. Loved to read the German steel incident. Great job


Comment on the article (Be kind)

Your comment will be revised by the site if needed.