It’s a normal day, then out of the blue, you receive a sheepish call from your IT Director announcing the company databases have been hacked and some 30,000 customer details could have been compromised. Immediately a meeting is called with all available Directors, and it is clear that help from outside experts to advise on correct protocols and investigations is required. Prior to appointing any external consultants, a quick look at your Professional Indemnity Insurance (PII) policy is made to see what notification requirements the contract requires and what cover there is to help get you out of this emerging crisis. After double checking with your broker, reality dawns that the PII policy you have may not provide the cover you need.
There are two types of PII policy, the first being called ‘Negligence, Errors and Omissions’, which provides protection where a client may make a claim against you for a negligent breach of professional duty. Not necessarily the case in this scenario.
The other type of PII wording is titled ‘Civil Liability’, and is much broader in the scope of coverage. This gives protection for any claims from clients against you for civil wrong or wrongdoing, actionable at Law including breach of trust or a breach of fiduciary duty.
Importantly the trigger in most PII policies is a claim brought against the company by a client. The cover traditionally is limited to defence costs and damages if the action is successful. Therefore, businesses are covered for an element of data privacy liability risk under the PII policy (subject to the terms, conditions and basis of the wording); however, it would not normally pay for the costs and expenses in managing a cyber-attack, nor the resulting interruption to the business, loss of income, fines and penalties or extortion demands. The insurance industry calls these types of losses ‘1st party costs’, as it is the costs you incur as a business unrelated to your customers.
Cyber Insurance is a policy designed to help you in the event of a data breach or cyber-attack. The breadth of cover can vary widely and there is little uniformity across different insurers, which is why it pays to enlist the services of a cyber insurance expert when choosing your policy.
Some key considerations when considering Cyber Insurance:
Difference in Conditions Clause: Essentially this endorsement should be included in order to specify which policy reacts first in the event of a claim. If properly worded, it will allow the insurance protection you have in each policy to be at its most effective.
A comprehensive Cyber Insurance policy which includes:
• Access to a breach response team who will co-ordinate your rescue plan (IT, Legal, PR)
• Business Interruption protection
• Fines and Penalties including PCI awards
• Cyber Extortion negotiation and digital currency pay-out
If you possessed an adequate Cyber Insurance policy the dreaded IT Director phone call scenario could have been under control and in the hands of experts as soon as you called the helpline provided by insurers.
This type of claim scenario is not uncommon. It is a sobering thought that in 2016 over 50% of UK firms fell victim to ransomware attacks according to Information Week. In addition a third lost revenue and 20% had to halt trading.
It is important for corporations to have a clear and comprehensive cyber insurance policy to mitigate the risks of doing business digitally. Fears of cyber attack is making cyber insurance one of the fast growing areas of insurance. It is estimated that the total written premium globally is £2bn with double digit growth each year. Although this number seems quite high, it still represents a very small proportion of protected business. Many businesses are currently uninsured for the significant risk of cyber-attack.