A prolonged hacking attack on a popular parenting website has highlighted serious issues with how many cyber policies approach claims for multiple attacks.
The UK-based Mumsnet has been under attack since 11 August, when a distributed denial of service (DDOS) took the site offline.
Subsequent attacks hacked the accounts site users, as well as sent armed police forces to the homes of the site’s co-founder and a user via phony reports of emergencies (also known as a swatting attack).
Barry.Nilsson Lawyers Special Counsel Megan O’Rourke says the attacks raise important questions about aggregation clauses in cyber insurance policies.
“Aggregation clauses are of course intended to enable two or more separate but ‘related’ losses or events, covered by the policy, to be treated as a single loss or event for the purpose of applying deductibles and limits of insurance,” she says.
“There can be a lot at stake for either the insured or the insurer in the way aggregation clauses operate.
“For example, depending on the circumstances and policy wording, an insured may wish a multiple attack situation to be treated as a single cyber claim so that they need only pay one excess. On the other hand, it may be in the insured’s interests to argue there is more than one claim so that they get the benefit of a separate sum insured for each event (even if the price to be paid is multiple excesses).”
NIBA’s cyber insurance explainer video.
O’Rourke says a review of of four currently available stand-alone cyber policies in Australia revealed that each had differently worded aggregation clauses, with the potentual for wide-ranging insurance consequences for claimants.
“The message of course is that insureds (and their brokers) must beware,” she says.
“In an age where cyber attacks can spark multiple losses and lead to ‘spin-off’ attacks by unknown perpetrators, it’s imperative to pay close attention to cyber policy aggregation clauses, policy limits and deductibles, and work diligently with underwriters to negotiate the widest possible terms.”