All Posts By Simon Gilbert

Network downtime insurance: A parametric solution

Network downtime insurance provides coverage for financial losses and other negative impacts following an unexpected interruption to a third-party supplier’s network services. Downtime may be caused by power outages, natural disasters, equipment failure, or any other event that prevents a service from running normally.

Digital transformation means there is now a high dependence on suppliers’ technology infrastructures, such as cloud services, to support business activities. While technology is a boon for business efficiency, a network failure is a serious operational risk – especially for businesses that rely on continuous availability, such as retail, healthcare, professional and financial services, and manufacturing.

Even a single hour of downtime can have a huge financial impact. According to recent research from the Uptime Institute, the number of outages costing over US$100,000 has soared in recent years, and over 60% of failures result in at least US$100,000 in total losses. Moreover, a 2022 report from Information Technology Intelligence Consulting (ITIC) puts the hourly cost of downtime at more than US$300,000 for 91% of SMEs and large enterprises.

Network downtime insurance

The cloud is now the backbone of many businesses and is certain to become even more important with the relentless growth of digital services via the internet. Network downtime insurance is a parametric solution to protect businesses from losses arising from network service providers, such as Amazon, Google and Microsoft.

Large businesses usually depend on more than one cloud platform, which means they are less vulnerable than businesses that run on a single vendor’s platform and have highly competitive, time-sensitive models. For these businesses, network downtime insurance can be invaluable, particularly given the growing complexity of networks.

Service interruptions at cloud providers such as Amazon Web Services, Google Cloud, and Microsoft Azure can be hugely damaging. For example, the major outage at AWS in 2021 affected millions of users and disrupted everything from Netflix to fast-food delivery. Given the potential financial impact of an outage, insurers are challenged to quantify the business risks. A client’s loss is an opportunity cost, so how do you calculate a precise figure? Because traditional measures don’t apply, normal loss-based indemnity won’t work, so for a policy to cover network downtime, insurers must use alternative risk parameters.

With parametric insurance, the cover is triggered when the insured’s cloud is down for a period specified in the policy, subject to a time-based deductible and possibly an indemnity per hour, which can simplify the claims process. This approach could be used to monitor cloud downtime, which can shut down e-commerce worldwide.

A network downtime monitoring agent – rather than the insured – would inform the insured and the relevant risk carriers when the policy was triggered, resulting in a swifter claims service. Policyholders would need only confirm that they have suffered a business loss.

Cyber insurance versus network downtime insurance

Although standard cyber insurance covers cloud downtime due to security failure, operational failure, or system failure of the insured’s own operations, it typically does not cover downtime due to non-malicious cyber events at a third-party network service provider.

Most of the carriers that Elmore works with offer business interruption payments triggered by a cyber security incident; however, the business has to be affected for a period (depending on the policy) ranging from 8 to 24 hours or more.

In contrast, parametric solutions are designed to pay after just one hour and so are a useful supplement to cyber insurance policies, where business disruption provisions are triggered only after a longer period.

Like other parametric insurance products, network downtime insurance is based on pre-defined parameters – hence the name ‘parametric’ – and there is no need to negotiate losses or file claims for damages.

Bridging the protection gap

Parametric downtime cover is a valuable way to bridge the protection gap, as cyber insurance is not a blanket solution and a business can be left exposed when normal operations are interrupted by third-party non-malicious cyber incidents. In addition, with the growing reliance on cloud technology, there is even more need to seek adequate cover, particularly for businesses that depend on continuous service.

To understand your downtime risks, speak to an Elmore Cyber Client Executive. We provide insurance reviews to assess your current coverage, whether for cyberattacks or downtime threats from non-malicious third-party events, and will advise on the best insurance for your needs. Contact us today.

How solar flare events impact cyber insurance

The European Space Agency defines a solar flare as ‘a tremendous explosion on the Sun that happens when energy stored in twisted magnetic fields (usually above sunspots) is suddenly released.’ On Earth, a solar flare could have a devastating impact on power grids and cause widespread damage as a result of interconnected risks.

Although there has been little modelling of the risks and minimal loss experience, scientific research is now creating a better understanding of the phenomenon, underlining the severity of the threat and the need to be prepared for solar flare events. For example, the Helios Solar Storm Scenario, a report published by The Cambridge Centre for Risk Studies, provides a catastrophe scenario for a US-wide power system collapse after a solar flare. Furthermore, the Carrington Event, a solar storm in 1859, provided a real-life demonstration of the threat to critical infrastructure – and that in an age without the technology and power systems that would be at risk today.

Counting the cost

The Helios Solar Storm Scenario report highlights the risk exposure across various systemic shocks and serves as a stress test for managers and policymakers. Three different scenarios explored damage distributions and restoration periods, with US insurance industry losses estimated to be between US$55 billion and US$333.7 billion. This range, at the low end, is approximately double the insurance payouts for major natural disasters like Hurricane Katrina and Superstorm Sandy.

The Helios Solar Storm Scenario imagines direct and indirect damage resulting in power blackouts, insurance claims, and economic losses. Global supply chain disruptions are estimated to be between US$0.5 and US$2.7 trillion while the global GDP impact is put at between US$140 billion and US$613 billion. The report proposes three scenario variants (S1, S2, and X1) to capture different levels of damage and restoration times, emphasising the uncertainty surrounding extreme space weather impacts.

The limits of cyber insurance

Typically, cyber insurance policies will not specifically exclude space weather events (yet); however, there is a more general and far-reaching exclusion for infrastructure failure. Namely:

“Electrical failure, including any electrical power interruption, surge, brownout or blackout.”

A cyber insurance policy might also exclude space weather events more directly, as follows:

“Electromagnetic fields, radiation, earthquake, windstorm or other natural peril or any pollution or alleged or threatened discharge, dispersal, seepage, release or escape of pollutants or contamination of any kind.”

Note that cyber insurance policies will usually only cover non-physical damage from a cyber event. Therefore, interruption to revenues, loss of profits, and the increased costs of working as a result of a major space weather event are likely to be excluded. However, it might be possible to claim some cover if the impacted infrastructure is owned and operated by the policyholder and not a third party.

Given that the probability of a severe space weather event is similar to that of a global pandemic, it is a risk that should not be ignored. It is vital to understand the potential impact of an extreme event such as a solar flare and the strategies which can be deployed to minimise the impact to network operations as well as insurance policy coverage.

For more information and to understand how your insurance portfolio may be impacted by a space weather event, please contact ElmoreCyberTeam@elmorebrokers.com.

Aligning technology terms of service with professional indemnity insurance provisions

SaaS and technology professional services providers face risks in undertaking and implementing their supply of services, including security risks, compliance risks, supplier risk and most importantly execution risk. One way a firm can manage the fallout if these risks materialise is to have a clear terms of service/master service agreement with their customer.

The first line of defence

Technology firms are typically entrusted with managing, accessing, and safeguarding sensitive data and digital assets. As such, they can face challenges as digitalisation increases and bad actors become more adept at exploiting vulnerabilities. Having watertight terms of service is the first line of defence: not only do they establish the rules of engagement, but they also serve as a legal framework to mitigate a variety of risks.

Professional indemnity insurance (PII) is an added safety net that provides financial protection when the terms of service are frustrated as a result of errors, omissions, or negligence in the provision of technology products and professional services. The interplay between standard terms of service and changing insurance policy terms and conditions is key to managing evolving risks and having the requisite policy coverage in place.

The devil is in the detail

Many technology PII policy wordings include clauses that can be broadly interpreted as excluding coverage for certain types of liabilities. For such policies, there are some key terms that should be considered in relation to a firm’s service agreement with its clients:

1. Conditions precedent to liability – if there are any conditions in the policy of this nature, they can require the policyholder to meet certain onerous obligations to be eligible for cover. Accepting liability provisions that align with the services rendered is crucial to ensure that the coverage provided by PII is not inadvertently rendered ineffective.

2. Exclusions for some types of liability – there may be gaps between the liability being accepted in the services agreement and the types of liability being indemnified in the PII policy wording. It is important to run through the PII exclusions to ensure that they do not contradict your terms of service.

3. Notification restrictions in contract – in cases where the PII insurance or accompanying cyber insurance have strict notification requirements, they can conflict with the terms of service. This may prevent notification in line with the policy requirements.

4. Force majeure – acts of God are usually quite broad in contracts; however, a narrower set of scenarios may be present in the PII policy, possibly allowing a wider scope in contract.

5. Disputes – these will typically trigger a notification to PII insurers if they remain unresolved, and there will usually be a mechanism in a PII policy to handle disputes. It is important to ensure alignment with the mechanisms offered in the terms of service.

Expert insights

The relationship between a technology firm’s terms of service and PII liability provisions should never be underestimated or overlooked. It demands a proactive and collaborative approach, where legal experts craft terms of reference that not only reflect the nature of the services but also align seamlessly with the protection offered by PII.

As the technology landscape continues to evolve, firms must pay close attention to potential alignment issues and ensure that they don’t fall short when matching terms of service with PII provisions.

For further information and advice on managing infosec risks, contact the Elmore team.

Cyber insurance: The facts

Is cyber insurance a regulatory requirement for firms? What type of business would benefit from cyber insurance? What does cyber insurance cover? We’ll answer these questions here and look at how insurance can mitigate cyber risks.

Cyber insurance is not usually a regulatory requirement in the same way that professional indemnity insurance (PII) is mandatory for some firms that offer professional advice as part of their service. However, given that a cyber insurance policy offers resilience in recovering from a cyberattack, it is expected that more and more regulators will require firms to have cyber insurance in place. And even for firms where regulations don’t apply, it is highly advisable to have cyber insurance and observe good cyber hygiene to mitigate the growing threat from cybercrime.

Cyber risk is a concern for every company, from start-ups to global brands, and the more businesses move online and rely on technology, the greater the vulnerabilities and the risk of a cyber incident. This was highlighted by Forbes in Cyberattacks 2022: key observations and takeaways, which describes how digital transformation is “significantly expanding the cyberattack surface and the number of critical failure points”.

Insurance should be part of an overall strategy to limit the damage from a cyberattack when security countermeasures fail, but cyber risks are not normally covered in standard commercial and general insurance policies, so it is important to consider cyber exposure as part of a wider risk analysis.

Ransomware on the rise

Ransomware is malicious software that disables computer systems until a sum of money (the ransom) is paid. Although it is hardly new, the frequency and sophistication of attacks have been increasing over the last three years, and IBM predicts that attacks will spike in 2023. If a system is breached, whether through ransomware or another type of cyberattack, such as hacking or phishing, there is a risk to:
• Data privacy
• IT infrastructure and operations
• Information governance

Resilience and recovery

Having a comprehensive cyber insurance policy will help to protect a company from financial and reputational damage and allow it to recover more quickly if cyber risks materialise. There are three main areas of cover in cyber insurance:
• Event management – this involves the incident response expenses of an investigation by third parties to establish the extent of the breach; consultation on how to manage legal and regulatory issues; notification management via a crisis communication strategy; the establishment of a call centre to field queries; and the provision of credit monitoring.
• Financial loss – coverage for the loss of profits and increased costs of working during an interruption, along with the ransomware cost to manage an incident and the ransom itself. Some policies also cover theft of funds by computer crime.
• Third-party liability – this covers your liability from a third party’s loss. For example, for a failure to protect third-party data, or third parties seeking compensation for financial losses from hacking or virus transfer from your network. Cyber insurance can provide defence costs and any resulting damages from multi-jurisdictional claims, and in some cases insurable fines from regulators and the PCI.

Protection before a claim

Elmore has partnered with cyber security firm Asceris to demonstrate how best practice and better controls can prevent cyber events and avoid insurance claims.

When you approach Elmore for a quote, you will gain an understanding of the strengths and weaknesses of your business’s current systems. We will identify vulnerabilities and advise on how to improve security. From risk assessment and finding the most appropriate cover for your needs, to smooth claims handling and resolution, we provide a comprehensive service for cyber insurance.

Best practice and better controls

Talk to us now and find out how we can protect your business and your customers.

Written by Charlie Sorby – Junior Client Executive.

Will hacking lead to an Australian-style legal system in the UK?

If the Australian example is anything to go by, it won’t be long before UK skyscrapers have law firms’ names in bright lights at the top like their Australian counterparts. That’s because New South Wales is the most litigious place in the world, with ‘no win no fee’ law firms and funding for litigation driving a thriving claimant culture. As a result, recent legislation has placed a cap of 30% on returns for litigation funders. For UK firms, it’s more than 35%.

The recent spate of data breaches and cyberattacks in Australia is triggering class action lawsuits. Optus, Australia’s second largest telecommunications provider, has been called to account, and now the private health insurer Medibank is facing litigation from three class action firms after ransomware hackers caused a major data breach.

British Airways: A British test case

The UK is some way behind Australia in class actions, but a recent British Airways (BA) settlement following the data breach of 420,000 BA customers in 2018 could signal what is to come. In the insurance industry we say there is a tail in liability claims, as it can take several years for claims to play out through the courts and ultimately be settled. The BA case just shortened that tail and gave it added sting. This case has several firsts:

• One of the largest GDPR fines to be issued by UK regulators: GBP183m (USD249m)
• The fine was reduced to GBP20m (USD27m) to reflect the impact of Covid-19
• One of the first major successful collective action settlements in the UK
• Of the 420,000 impacted customers, 17,000 individuals are involved in the action, representing a 4% take-up rate
• Participants in the collective action didn’t need to show pecuniary/financial loss as emotional damage/inconvenience was sufficient
• BA reportedly settled for GBP2,000 per impacted individual, leading to a GBP34m (USD46m) loss from the first wave of collective actions.

The last point is of particular interest and possibly the start of the ‘Australisation’ of UK society. The law of costs in England and Wales is typical of common law jurisdictions, whereas in the United States each party pays their costs whether they win or lose. In the UK the losing party must pay the costs of the other party. This has now developed into a choice for organisations when faced with a class action legal battle and legal costs and damages on both sides mounting to circa GBP5,000 per individual. With the offer of a swift settlement of GBP2,000 rather than the uncertainty of a five times greater loss, it’s understandable why BA was so fast to settle.

It started with one…now the gates are open

There are a number of different claims an individual can bring in the UK against an organisation for compensation, and the landmark case of Vidal-Hall v Google, Inc. [2015] significantly changed the legal landscape for non-pecuniary damages as a result of a breach of data. This case, along with BA cases, further enables well-funded law firms to push through more cases.

In Australia, people are encouraged to bring claims for minor matters which may have passed by in other jurisdictions. Law firms have become all powerful and the Australian legal system has reached the point where so many claims are in progress that judges are sometimes individually handling 800+ cases at any one time. When you compare the proposed BA settlement with compensation of up to AUD20,000 per person in the Australian system, UK companies may well experience significantly more liability in the future.

Insurance as a last protection

The landscape for cyber insurers could not be more challenging, with countless ransomware claims impacting profitability and threatening the sustainability of business models. It will lead to further challenges if the other part of a cyber insurance policy – the cyber liability section – begins to be used in fast settlements like the BA case.

The challenge to business is to ensure the high standards for a textbook breach response, which arguably BA had provided. But, ultimately, it was the ‘numerous measures BA could have used [but didn’t] to mitigate or prevent the risk of an attacker accessing the BA network’ that resulted in the lack of defence to both the regulator and the civil actions.

Lesson learnt

Law firms are going to target firms with big pockets, but hackers are indiscriminate and firms of all sizes will experience cyberattacks if basic cyber hygiene is not followed. Given that it’s so easy to prevent half of most unsophisticated cyberattacks by using multi-factor authentication and suitable data backups, it’s surprising that more firms are not giving it greater attention. Regardless of cyber security, one thing is certain: in future we’ll see more names of law firms on our skyscrapers as a result of social inflation.

Written by Simon Gilbert – Founder & Managing Director.

Building resilience: How insurers can protect crypto exchanges and their customers in 2023

Insurance is based on the sound principle that underwriters should cover only acceptable and clearly understood risks. Following last year’s challenges in the crypto world, crypto exchange insurers are increasingly focusing on more rigorous controls in this fast-moving and dynamic space. One thing is certain: crypto exchanges with a transparent and strong culture of governance, risk management and compliance will fare better in 2023 than those without.

The collapse of FTX has been called a ‘Lehman moment’, and it capped a shaky year of plunging values, large withdrawals, high-profile thefts and regulatory action. But that doesn’t mean we won’t see confidence restored in 2023 and the market grow again. A key part of this recovery is for firms to have the right safeguards in place and rebuild credibility with their numerous stakeholders.

Volatility and uncertainty go hand in hand with technological developments and trends – think of the dot-com boom and bust – it takes time for all new marketplaces to evolve and implement the right checks and balances. This is why insurance is an essential tool for long-term stability and continued growth. It allows crypto exchanges to align with industry best practice risk management, while protecting the balance sheet should a risk event occur.

Working with the ‘good actors’

It would be a mistake for the events in 2022 to tarnish the reputation of all the good players in the digital asset industry and more widely the emerging world of Web3. There is huge potential for fruitful partnerships between insurers/reinsurers and well-run digital asset businesses, and, according to Cointelegraph, digital asset insurance is a ‘sleeping giant’ with only 1% of investments covered. However, following the collapse of FTX, there has been a big increase in requests for insurance.

The lesson from FTX is that the industry needs stronger controls, better (and more transparent) governance, and more rigorous risk and compliance management. Analysing FTX’s collapse, the rating agency AM Best flagged the “complete failure of corporate controls” and “a complete absence of trustworthy financial information”, which are both prerequisites for insurance. AM Best highlighted the lack of a board of directors, the lack of experience amongst the senior management team, and the concentration of power in the hands of Sam Bankman-Fried.

Crypto exchange risk

The collapse of a crypto exchange is a warning to investors that crypto accounts lack guaranteed protection if they go bust. Crypto exchanges are not the same as banks and other financial institutions: they don’t hold fiat currency, they haven’t been as heavily regulated and will not be protected by insurance and government guarantees. While no investment is totally secure, the legal and regulatory framework for crypto exchanges is still evolving and requires the same basic safeguards enjoyed by traditional finance.

Customer protection insurance

Exchanges have been keen to show customers that assets are secured and protected by a range of audits in the past weeks, and now there is a new area of protection that is adding value for exchanges seeking new customer deposits: customer protection insurance. This effectively covers customers’ individual funds in a wallet if they are stolen in a cyberattack. It’s a valuable form of protection that is often bundled as an additional benefit for customers with premium trading accounts. This insurance can also be extended to a wider range of perils, offering protection for an individual’s data and technology against different types of cyber events.

At Elmore, we have in-depth knowledge of crypto exchange insurance. We work with crypto exchanges and all types of Web3 market infrastructure, gaining insights and expertise that help us provide the right cover for our clients across professional indemnity (PI), cyber, crime, and directors and officers (D&O) insurance. We also undertake detailed insurance due diligence reviews to identify risks and advise on appropriate insurance cover.

Contact us to find out more and discuss your needs.

Written by Simon Gilbert – Founder & Managing Director.

Risky business: finding insurance in the volatile crypto marketplace

The last two years have been tumultuous for cryptocurrency. From its peak in November 2021, the market has shed more than $2 trillion in value, and some leading crypto companies have been either deeply wounded or gone under. For example, the cryptocurrency platform Celsius Network is a recent casualty, filing for bankruptcy this July, while other crypto companies have announced layoffs and frozen withdrawals.

The ever-changing Web3 space is risky for entrepreneurs and investors alike, and unfamiliar territory for insurers. So, what cover is available for Web3 firms through the peaks and troughs, and how are insurers responding?

The quest for insurance

Web3 firms the world over have struggled to protect their nascent and volatile industry. Insurers have mainly stood back and monitored developments, wary of the unknown but also keen to explore opportunities for new Web3 business lines. While cold storage insurance is widely available for digital assets, insurers have found it challenging to cover more specialised risks such as cyberattacks, internal and external crime, professional liability, and directors and officers liability.

Although conventional insurers remain cautious when considering cover for crypto firms, the landscape is changing. Bermuda-based Relm Insurance is one insurer that has made a name for itself in both the crypto and insurance communities. Relm began life as a captive insurer for its parent, Deltec bank, an institution used by many crypto businesses for the storage of their fiat treasury. In just a short time, Relm has become a leading insurer of hard-to-place digital asset risks and recently achieved an A rating from the US rating agency Demotech.

For more established insurers, with recognised S&P/AM Best A ratings, which can sometimes be a deal breaker for institutional businesses, risk appetites are growing. Beazley, which manages several syndicates at Lloyd’s of London, recently opened a pilot using its Lloyd’s innovation budget to determine whether digital assets is a class they could write more widely for cyber and professional indemnity. Beazley has also launched CryptoGuard, a specialist D&O solution to protect senior executives in crypto companies, reflecting a growing interest in this sector.

AM Trust is another example of an insurer that is now more receptive to writing crypto insurance, while Avertas calls itself “The world’s first cryptoasset insurance company.” Other insurers will follow as crypto becomes more mainstream despite its inherent volatility. Indeed, crypto insurance is sure to become more important given the instability of the cryptocurrency ecosystem and the need for balance sheet protection from operational risks.

What types of insurance do crypto businesses need?

The latest crypto crash comes as a reminder that digital assets carry extra risks and that regulatory uncertainty exacerbates those risks. Crypto businesses and insurers must focus on the following:

• Professional liability – protection against claims from third parties who allege they have suffered a loss as a result of a failure in professional/technology services
• Cyber – protection against cyberattacks, business interruption, ransomware, denial of service and liability from a cyber event
• Crime – protection against losses resulting from employee or third-party fraud
• Directors and officers’ liability (D&O) – protection for senior executives who are liable for the decisions they take on behalf of their companies

Crypto and the future

Whatever the highs and lows of crypto, it will play a growing role in the global economy and should be firmly on insurers’ radars. Insurers must continue to monitor crypto developments and deepen their understanding and knowledge of digital assets. As an insurance innovator and digital specialist, Elmore is helping to guide the industry and manage risk in this fast-moving marketplace.

Written by James Love – Junior Client Executive of Elmore Insurance Brokers.

Elmore Insurance Brokers Limited.

Employers Work From Home Liability

Multitasking

The kitchen table has never been in such demand. Cereal is cleared by 9am for it to become a conference stage, complete with virtual background, for the first meeting of the day. The hours that follow include a series of emails, calls, meetings and frantic deadlines, followed by a surface for jigsaws at 5pm, before dinner is served at 8pm. For some, this is the busiest they have ever been.

That aesthetically pleasing bench that was so elegant for friends and family to gather on may not seem like such a good buy now you’re forced to teeter on it for hours, peering into your dainty screen. Or perhaps you’ve been relegated to the bedroom, trying to type whilst balancing your laptop on your knees as you battle the fully stretched and very comfortable house pet for space.

Physical and mental health

Few were lucky enough to have home offices up and running before the coronavirus crisis unfolded, so these challenges are a daily reality for many of us. Two months into lockdown, and we’re starting to notice contemporaries complain of back and neck pains, stiff shoulders and sore wrists. The physical side-effects of home working are taking their toll as most were woefully under-prepared for spending such a long period away from the office.

Our mental health is under pressure too. We’ve lost most of our normal daily structures and routines, our social lives have been confined to screen time and some of us are under serious financial strain as well. A lot of those who were living with depression or anxiety before the crisis have found their symptoms worsening under lockdown and others are finding themselves developing symptoms for the first time as they struggle with isolation in circumstances they have never faced before. It’s not only those facing lockdown alone that are suffering, with relationships coming under strain as couples and families are now forced to live, work and socialise exclusively together under one roof. No one imagined a 24/7 marriage as they glided down the aisle that happy day.

These physical and mental challenges make the management of work-related stresses and strains much more difficult. Moods are fractious and necks are stiff. As an employer, the work-related physical and mental health of your staff is your responsibility and you can be held liable for any injury incurred by your employees if this arises from a failure in your duty of care to them.

The realities of self-isolation are unlikely to end in the near future. Those living with vulnerable persons cannot return to the daily train commute for fear of returning home with the virus and, if desks and other work-stations need to be at least two metres apart, it is estimated that there will only be space for a third of us to return to work at any one time. Sadly, at the present time a safe return to the office in ‘back to normal’ mode looks months away.

You’re not moving my sofa

The employer’s duty to minimise the risks to its employees means that there is currently no alternative to staff being required to work in unregulated home-working environments. Undertaking home-workplace assessments becomes a duty of every employer and those employees that do not meet the necessary standards will either have to forego any liability or take action to meet the employer’s work-from-home requirements.

At the time of writing, there is almost no direct government guidance on employers’ responsibilities to prevent physical or mental injury to their employees for prolonged periods of home working. The Chartered Institute of Personnel and Development (CIPD) is one of the few bodies providing guidance for employers, with free work-from-home risk assessments and policy updates. Other sources include the Health and Safety Executive (HSE) and ACAS, whose advice can be found via the following links:

Potential Claims

As homeworking looks set to continue, employers may soon be reaching for their Employers Liability, Employment Practices Liability and Directors’ & Officers’ Liability insurance policies and may need assistance from their insurance advisers to deal with claims. Some examples of how claims might arise out of homeworking include:

Employers Liability:

  • An employee suffers repetitive strain injury or back pain because the computer equipment has not been set up in a way that minimises the likelihood of these conditions;
  • Bodily injury if the employee contracts COVID-19 because they were exposed to an unsafe environment, which may include having no alternative but to commute on a crowded train.

Employment Practices Liability:

  • Allegations of discrimination if the company is managing risks differently in relation to different locations, teams or individuals;
  • Constructive dismissal if an employee believes they were retaliated against because they opted out of a work-related event or meeting due to concerns over coronavirus.

Directors’ & Officers’ Liability:

  • An employee directly names a director as responsible for a failure to protect their physical or mental health;
  • Claims for lack of preparedness and poor contingency planning – companies may find themselves facing allegations that they were under-prepared to address virus-related operational risks whilst at the same time ensuring staff well-being.

Cyber Liability:

  • An employee may accidentally or intentionally cause a breach of other employees’ personal data that leads to legal action against the employer;
  • The Company may misuse details of employees’ working conditions/requirements, which could be deemed a breach of privacy.

For now there are no contagious disease exclusions on these policies but this may change, as a ‘covid-19 exclusion’ is currently under consideration in the insurance market.

About Elmore Insurance Brokers

Elmore Insurance Brokers Limited advises its clients to actively manage risk to optimise insurance.  Insurance is a partnership between businesses and insurers. This partnership can be significantly enhanced by focused engagement to understand and implement risk management best practice.

Written by Simon Gilbert, Founder & Managing Director, Elmore Insurance Brokers Limited.

Social Inflation Risk To Directors And Officers

The spread of social inflation

The speed at which the coronavirus has spread around the world illustrates the effectiveness of globalisation. In just a few months, one virus in China has infected 2.2 million people and reached over 180 countries. It isn’t just viruses that travel at this speed. Globalisation and greater global connectivity have allowed social trends to travel from backwater to high-rise within hours, and therein lies one of the major risks facing today’s Directors and Officers.

Trust in corporates and politicians has been undermined by the perfect storm of financial crisis, political scandal and poor corporate practice, among other themes. This social trend may have started small, but globalisation has allowed it to reach every corner of the globe. We’re now seeing an exponential rise in litigation action against corporates and their Directors and Officers, supported by the tailwind of increased third-party litigation funding. The trend is known as social inflation: a rise in claims as the same social trends are repeated throughout the world, and it’s something a Director or Officer can insure against.

Repeated failure

The economic instability and anti-corporate sentiment that followed the 2008 global financial crisis gave rise to societal unrest. Those that lost their livelihoods and homes wanted answers and they didn’t trust the mainstream politicians to provide them. Society began to look to the politicians who broke the mould and suddenly support had risen for populist parties across the globe. As society looked for answers in a new political landscape, they also became less enamoured by the corporate machine that powered the wheels that drove the financial crisis in the first place.

This dissatisfaction with corporate culture and the political mainstream has coincided with a rise in social empowerment and third-party litigation funding, giving this anti-corporate sentiment serious financial and crowd backing. Third-party litigation funding is now a significant industry in itself and one which is reshaping litigation around the world. In 2019, the management of Burford Capital (one of the leading litigation funders) felt the might of the crowd as it was targeted by Muddy Waters, the infamous short seller, resulting in a 50% drop in their share price. There is serious weight to the threat of social inflation; no one is immune.

Implications and actions

This trend has now reached every corner of the corporate landscape and with it, a significant rise in the potential for litigation. In many jurisdictions around the world, if the decisions made by directors and officers of corporations lead to adverse outcomes for the company or its stakeholders, those individuals can now be held personally liable. The personal consequences are more acute if Directors and/or Officers can be shown to have acted in an imprudent or unprofessional manner. As such, Directors and Officers must be more vigilant than ever to follow best practice and ensure good corporate governance is at the heart of their business.  This is a challenge at the best of times, but under remote working and times of crisis this will be even more difficult, with lines of communication and protocol inevitably overlooked or side-stepped in the need to respond. This causes immediate risk.

Directors and Officers that are doing all they can to promote best practice, act with necessary and appropriate due diligence, and operate with corporate social responsibility at the core of their organisation’s culture will be less likely to fall foul of such forces. Boards can go further to protect Directors and Officers by taking out Directors and Officers insurance to offer indemnity against many of the issues they face.

In light of this rising trend, buyers of Directors and Officers insurance should seriously consider the adequacy of their limits of indemnity and review their wider insurance position.

About Elmore Insurance Brokers

Elmore Insurance Brokers Limited advises its clients to actively manage risk to manage down premiums.  Insurance is a partnership between businesses and insurers. This partnership can be significantly enhanced by focused engagement to understand and implement information security risk management best practice, which includes cyber insurance.

Written by Simon Gilbert, Founder & Managing Director, Elmore Insurance Brokers Limited.

Cyber Insurance In A Health Pandemic

Cyber criminals prey on the vulnerable

Isn’t there enough to worry about at the moment without the additional risk of a cyber-attack? The saying, “it never rains but it pours” is the cruel reality that some individuals and businesses find themselves in, fighting a war on both sides.  This is the environment in which cyber criminals thrive.

As fear and uncertainty grip the world, we are not just fighting the deadliest global pandemic in a century, but also operating under the enhanced threat of cyber-attacks.

The risk to individuals and businesses is growing as the global shift to remote working gains momentum. Laptops and PCs are now in short supply and many businesses are scrambling for resources. One IT Security expert from Blackfoot Cyber Security said, “some workers are reverting to remote working on poorly configured networks, with unsecured devices and inferior security practices”.

With many business continuity plans now activated, there is additional risk that these plans are not tested or designed for prolonged exposure. Standard business security posture is typically reduced significantly with remote working. Controls, processes, systems and data are exposed. Even national critical infrastructure such as mobile networks is creaking, with the rise in voice calls leading to dropped calls and major outages.

Mitigate the impact

Businesses can take some quick actions to improve their remote working security:

  1. Require VPN to access the Internet, with 2FA to access company resources.
  2. Run antivirus (AV) on startup – users should not be able to change AV settings.
  3. Make workstation AV logs available to central systems admins.
  4. Train workers on the risks of working remotely.
  5. Follow the work-from-home guidance from NCSC.

The impact of a pandemic on cyber insurance

Cyber insurance has never been tested by a global health pandemic, but generally the policy should respond to most types of cyber-attack.   At the time of writing, there are no specific exclusions in relation to the pandemic but that is likely to change soon.  Insurance regulators have instructed UK insurers to be ‘flexible’ when considering policyholders’ responses and claims in view of the pandemic.

Cyber insurers typically underwrite on the assumption that an incident response plan (IRP), a disaster recovery plan (DRP) and, most relevant now, a business continuity plan (BCP) are in place to ensure a business can operate should a major disruption occur. For many businesses that means staff are remote working.

Insurers would expect a policyholder to be following the same processes as if the workforce was operating from their offices. If insurers discover at the time of a claim that the controls disclosed were not complied with, cyber insurers will have to consider the impact of that and whether the business used reasonable best efforts to operate as was disclosed to insurers.

Don’t forget the small print

There are exclusions in a cyber insurance policy that might be triggered by a health pandemic:

  • Change in risk profile

Some insurers will expect to be notified if devices being used for work purposes do not have the same level of security as the corporate network. The same applies if the security methods used by the workforce to connect to Gsuite/O365 have changed due to remote working.

  • Government-mandated shutdown

Typically, cyber insurers do not cover mandated shutdown of a business’s computer system by order of any governmental authority.  However, it’s unlikely that a government order of ‘stay at home’ or ‘lockdown’ would trigger this restriction in cover.

  • Failure of mobile networks

This is a standard exclusion in most cyber insurance policies and extends to include the failure of any other utility providers (i.e. power, satellite, internet and water) causing a cyber insurance loss.

  • Physical events

Any fire, flood, earthquake, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, act of God or other physical event which has a physical nature to it will typically be excluded by cyber insurance.  There could be grey areas of coverage if sickness were to be the trigger for a physical event that became the cause of a cyber event.

  • Acting as prudent uninsured

There may be restrictions to this due to incapacitation of the workforce. Typically, insurers would expect a response in a timely and reasonable manner as if the policyholder was acting as a prudent uninsured. However, at times where the workforce has neither the access nor the capability to provide a standard response, it could increase the scale and threat of a cyber-attack. This would need to be reviewed on a case-by-case basis by insurers.

Making a claim during a pandemic

Cyber security incident response is one of the few emergency services that can be provided remotely to investigate and, in some cases, remediate a cyber-attack.  Cyber insurers typically engage best-in-class cyber security incident response experts who have the capability and expertise to handle incidents virtually and not in person.

The first 72 hours after the discovery of a cyber attack are the most critical to managing the consequences and potential fallout.  For a business to manage the simultaneous effects of a major cyber-attack during a pandemic situation, it is essential to establish a successful partnership with cyber insurers’ incident response providers that is both timely and effective.  Cyber insurers’ 24×7 around-the-globe response capability should still apply, with on-the-ground assistance if needed.

Of critical importance in the earliest stages is the need to communicate the situation to all members of the workforce as swiftly as possible, with clear instructions on any action individuals might need to take to support the recovery process or, possibly, to avoid because it risks worsening the situation. Clearly, off-line communications channels need to be firmly established in order to ensure that this contact cannot be interrupted or prevented by the cyber event.