A couple of years ago, a report was published (2018 Cyber Breach Insights Key Drivers Behind Cyber Insurance Claims) based on the law firm Clyde and Co’s experience as monitoring counsel for cyber insurers. In their experience the average duration of a cyber insurance claim was three and a half years (from first notification to insurers to the settlement of the final invoice). This does not mean an insured needs to wait three and a half years to receive their insurance settlement. What it demonstrates is that a single cyber incident can result in multiple insurable impacts, and each will evolve at its own pace. A cyber insurance policy has various insuring clauses; loss under each clause will be settled when the loss value is known and can be proven.
A cyber extortion event is a great example to highlight the scope of coverage that can be provided in a cyber insurance policy and the timeline of costs incurred.
Initially, you will have the extortion demand: we want x in exchange for y. This will lead to immediate costs, to investigate the demand and possibly to pay it. You will know these costs pretty quickly, as most extortion demands come with a very tight timeframe. These costs can be tendered as a claim to insurers. Depending on your policy language, it may cover IT forensics costs on your behalf as incurred (but only if you are working with approved vendors) and indemnify you for the ransom payment.
If the extortionist had access to your system, you are likely to be in for further costs.
If you cannot disprove access to sensitive information, there may be privacy breach-related expenses. Some of these will be quick to discover, such as breach investigation, notification costs, and credit monitoring, whereas other costs might take years to develop. These costs can be tendered as a claim to insurers. Depending on your policy language, it may cover certain fees on your behalf as incurred (but only if you are working with approved vendors), but total costs cannot be known until the matter is ultimately settled, that is, when the settlement amount is known and the vendors issue their final invoices.
- It may be relatively quick for IT forensics to identify the cause and scope of an issue, but remediation efforts may play out over time. A claimant will need to experience loss and establish that they have a cause of action before they can bring a third-party claim, for example for identity fraud costs.
- On the other hand, privacy regulatory investigations can take years of cooperation and negotiation before a final finding is issued. For example, it took over two years for the UK ICO to issue its GDPR fine to British Airways (BA) after their privacy breach in 2018. Initial reports showed the fine could have been nearly £184 million, but it was ultimately £22 million. BA will be responsible not only for the fine, which may or may not be insurable according to law, but also for years’ worth of highly specialised lawyers’ billable hours required to argue their case for the lower fine.
If your data or systems are inaccessible, this could result in your inability to trade as usual. You might incur extra expense in order to meet your deliverables or you may face loss of net income or profit. These “business interruption” costs can be tendered as a claim to insurers, and depending on your policy language it may indemnify loss, as defined, in excess of your retention during the “period of restoration” (or indemnity period).
The nature of a cyber incident means that the consequences, or damage, that follow will not all be known immediately; this obviously dictates the timing of claims settlement.
Insurance policy language can also impact timing on settlement – both in terms of how loss is defined and in terms of understanding how the policy works.
Each claim to insurers will be settled once the loss can be valued, or known. For example, loss of income (BI) claims are adjusted once the period of restoration ends, because only then can the net loss be known. The longer the period of restoration, the longer it may take to establish the net loss. Additionally, to adjust a BI loss the insurer may appoint a specialist forensic accountant to support coverage discussions. Bringing in third parties will inevitably affect settlement timelines.
Misunderstanding coverage parameters can cause disputes, and disputes necessarily delay settlement. Disputes commonly arise over “insurer consent”, scope of coverage, valuation of the loss and, amongst other things, insufficient proof of loss information. If you work through these points with your insurer at the time of binding, you can reduce the potential for disputes before a crisis situation arises.
- Insurer consent:
Most cyber insurance is written on a duty to defend basis. This means the insurer chooses the vendors to investigate an incident and/or to establish a proof of loss. Under a duty to defend policy, if the insured selects a vendor themselves it may be a breach of the policy terms and conditions. If the insured does not get explicit consent to engage vendor services, those costs are technically not covered.
We recommend working with the insurer’s vendor panel or requesting to have your choice of vendors specifically approved. Try to ensure these vendors can work across all of your business units.
- Scope of coverage:
There can be confusion about how the policy works. Does the cyber incident trigger coverage? Is the “damage” or impact of the incident covered, in whole or in part? Does the insured’s response to the incident align with the policy requirements?
For example, in order to prevent loss of income, some organisations may seek to rebuild entire networks or replace all of the compromised IT, whereas the main objective of others may be to get the core system up and running. Either response may be relevant, but insurability will depend entirely on the insured being able to 1) establish that the insuring clause has been triggered and 2) prove that they have met the policy requirements, namely that the steps they have taken were “reasonable and necessary” for their business model in order “to reduce income loss”.
How an insured wants to address the situation may be at odds with the insurer’s experience and expectations. If the insured’s behaviour falls outside of the policy terms and conditions, the insurer has grounds to deny that part of the claim. Bridging the gap between these perspectives can take time.
We recommend providing a comprehensive submission that includes statements of values for your Info Sec assets, information about your revenue model, and your philosophy toward business continuity.
- Valuation of the loss:
This is always tricky, for any insurance. Consider the coverage you might have for a stolen watch. Do you have replacement cost coverage (which benefits something that appreciates in value over time), or are you to be reimbursed on the basis of what you spent (which benefits something that depreciates in value over time)? Now, think of that in terms of the software an organisation runs. If that software is rendered useless, does the policy reimburse the insured the amount spent on Windows 7, or will it reimburse the upgrade cost to install the current version?
We recommend providing a comprehensive submission that includes statements of values for your Info Sec assets, and discussing with your insurer their philosophy on restoration expenses.
- Proof of loss:
As with any insurance, the insurer will need to establish that the event triggers the insuring clauses and that the loss incurred is an insured loss. They can only do this if information is shared. We’ve seen a lot of claim documentation so heavily redacted that nobody can tell what has happened. Negotiating an acceptable level of information can delay claim settlement.
We recommend sharing details with insurers on what happened, how it was discovered, and steps taken to remediate it. This should include a Statement of Work from vendors and detailed invoices.
Cyber risk is complex. The potential damage following a cyber event can manifest according to its own timeline. Cyber insurance is also complex. The settlement of a cyber insurance claim will be influenced by the policy terms and conditions, but policies are negotiable. You can reduce the potential for settlement delays due to disputes by ensuring your insurer understands your business and your coverage expectations.
For more information on how best to approach the cyber insurance market, speak directly to our Cyber team by contacting:
T +44 (0)20 7280 8228
As a market-leading Cyber practice with a wealth of technical, broking and claims experience and a team of 16, we place and manage claims on behalf of some of the largest and most complex cyber, technology and media programmes in the world.
We develop proprietary products and partner with recognised legal, IT and forensic specialists to offer risk identification and risk management services to our clients, which range from start-ups through to Fortune and FTSE 100 businesses.
We can also provide standalone media and Intellectual Property insurance solutions.