Directors can read two types of article on cyber security. The first recommends companies pick up an IT shield to defend themselves against imminent cyber breaches.
The second recommends Australian companies contact their nearest insurance broker to take up one of a handful of emerging cyber insurance policies. These are both crucial in the face of companies’ increasing use of technology, and the subsequent risks.
However, a third type of article is sometimes overlooked, which supposes that:
- Some cyber risks are just old risks dressed in new clothes.
- When considering a cyber wording, companies should take the opportunity to also carefully review their existing suite of insurance protection to best assess what type of cyber cover they will need to fill any gaps.
At first blush, cyber risks would seem to be novel and unknown: existing beyond the scope of D&O, management liability, property and crime policies. However, many ‘cyber risks’ are merely dressed-up versions of risks we already know, such as a negligence class action against a retailer.
Most companies may already have some type of cover for at least some cyber risks. Now, though, the key exercises for a company are to thoroughly consider its online exposure, to assess its current suite of insurance, and to conduct educated discussions with its brokers to decide on the most suitable cyber insurance policy.
Crime, war or neither?
The rhetoric surrounding the topic of cyber security focuses on war, attack and invasion. Popular terms include hacktivism, shellshock, and ransomware. This language appears to be changing the way civilian companies are required to think about business.
Cyber terrorism and attacks are to commercial offices a little like hijack and ransom are to shipping companies. In the shipping world, events such as the Maersk Alabama hijacking catalysed greater uptake on private vessels of private military contractors. In that vein, companies open to cyber attacks are taking up greater IT security services and arming themselves against an attack. Attack, defence and protection: all symbols of the battlefield.
To the extent hyperbolic language is used to describe data breaches as ‘war’ or ‘terrorism’ when they are not, such language is unhelpful and obscures a proper appreciation of the risks. However, some cyber attacks might genuinely involve criminal or terrorist activity.
Some of these risks might be first party crime losses masquerading as a cyber attack.
Depending upon the policy, an act of war, terrorism or crime can be a hindrance to insurance cover. In a world being pressed by cyber ‘attacks’ and ‘invasions’, major insurers are therefore prudently offering bespoke and general cyber insurance protection for companies to combat the hyperbolic rhetoric surrounding cyber security. The challenge lies in properly categorising the risks.
As already argued, some cyber risks might be first party crime losses masquerading as a cyber attack. Other risks might be third-party claims against directors for negligence in keeping personal information safe. In the US, the recent Neiman Marcus case was an example of the company’s customers alleging that negligence, breach of contract or breach of statute (by the company) led to their losses.
Depending on the company’s policy suite, the claim against the company might fall within a standard management liability policy and any claim against directors might fall within a standard D&O policy. In that context, the question for companies is whether they know their current suite of policies well enough.
For instance, do they know if their traditional policy suite has any data security exclusions or carve-outs? Does the claim involve significant first party losses not covered under their property policy? Ultimately, it comes back to whether a company’s current suite satisfactorily covers the field or whether there is a chance it has gaps that need to be filled by a cyber policy.
So the question remains: is cyber security in fact a new risk sitting outside the spectrum of existing risks?
It is too early to decisively tell but what can be seen in the latest US cases is that some cyber breaches may simply be the same old risks, disguised as something else.
It is important to recognise where those risks will fall within a company’s current insurance policies. However, it is equally important to recognise that some portions of cyber risk are indeed new and might not fit squarely into a company’s current suite.
As this area grows, it is now (more than ever) crucial that directors familiarise themselves with the cover they do have, and assess what might be missing. They may be surprised to see they have more cover than expected.
On the other hand, now is as good a time as any to consider what (if any) gaps appear in their insurance suites in order to properly choose the best cyber insurance to complement their existing protections.
James Stanton is an Associate with Yeldham Price O’Brien Lusk.