Gotcha! Three cyber policy traps to look out for
Cyber insurance is projected to experience major growth in the years ahead and new insurers are regularly entering the market. While this is creating greater competition and providing more choice for customers, some insurers are still testing the waters in terms of the coverage they give. This has created a lack of standardisation in cyber policies, with different insurers taking different stances on particular coverage areas.
This lack of standardisation across wordings can sometimes result in businesses buying a cyber policy and assuming that something is covered, only to get a nasty surprise when it comes to making a claim. So to make the process easier, we’ve highlighted some of the most common “cyber gotchas” that brokers and clients should be looking out for when advising on or purchasing a policy.
1. Data re-creation vs data recovery
Most modern businesses rely on data to some degree, whether it be customer data, financial data or simply their own intellectual property. If a business loses access to their data because of a cyber attack, there can be a major operational impact.
And yet many cyber policies only provide cover for the cost to recover or restore data from back-ups, and in some cases where they include data as a defined term, they specifically state that the data has to be subject to regular back-up processes. This means that if a business doesn’t back-up their data or if their back-ups fail for whatever reason, then the policy won’t cover the costs to re-create that data from scratch.
At CFC, we have seen a number of cases where back-ups were compromised as part of an attack or had been failing for a number of years. This required us to help the insureds to re-create the data from scratch (not just try to recover an electronic version of it), and this can be very costly and labour intensive process. The difference between a policy that only offers data recovery and one that offers data re-creation can therefore make a big difference to an insured.
2. Call back warranties
An effective way of tackling certain types of funds transfer fraud is through the use of call back procedures. Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the organisation in question validates the request by having an employee call the person or company requesting the change on a pre-verified number to confirm that it is legitimate.
In some cases, insurers include a call back warranty on their policies. So if the process outlined above or some other form of multi-factor authentication is not carried out, the claim will not be covered. This kind of warranty isn’t always clearly highlighted in the policy, but it can usually be found in the policy conditions, exclusions and definitions or sometimes as part of the application form.
The problem is that although call back procedures are a very effective way of reducing the risk of certain forms of funds transfer fraud, employees don’t always comply with them, especially new or inexperienced staff members who may not be aware of such processes. The vast majority of funds transfer fraud claims that we have paid at CFC would not have been covered if we had included a call back warranty. Policies containing such warranties can make it much more likely that claims of this nature will be declined.
That’s a big problem. Funds transfer is causing serious financial harm to businesses around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred as a result of business email compromise scams and funds transfer is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no sign of abating. The difference between a policy that contains this kind of warranty and one that doesn’t could therefore make a big difference to an insured when it comes to making a claim for this type of loss.
3. Aggregate limits
Traditionally, cyber insurance policies have been written on a single aggregate limit basis for both first party and third party claims. This means that once the policy limit has been paid, there will be no money left for any subsequent claims during the policy period. This is primarily due to the fact that cyber insurance has been seen as a liability class of business, and many liability policies operate on an aggregate limit basis.
However, the idea that cyber insurance is all about liability is misleading. According to our own cyber claims data, third party claims make up less than 5% of the claims total, with the vast majority of cyber claims being first party incidents that cause a direct financial loss to the insured themselves, such as breach notification costs, system damage, system business interruption and funds transfer fraud.
Cyber insurance is therefore very much about first party exposures. But if you were to look at the typical first party covers that businesses buy, such as traditional property damage and crime policies, you’d find that these polices are not written on an aggregate limit basis. Instead, limits and sums insured are reinstated following each claim, allowing a policyholder to claim up to the limit for each and every claim that they make. For any client that is used to buying traditional first party policies, it can come as a bit of a surprise to find the first party sections on a cyber policy being subject to an aggregate limit, especially if they exhaust that limit and then suffer another loss later on in the policy period.
At CFC, we've recognised this, and that’s why we provide cover on an each and every claim basis for all our first party cyber covers. This includes cyber incident response costs, which have a separate limit under our policies, giving you two sections of cover that are reinstated following every claim.