The following is an article published by CFC Underwriting, a leading cyber insurer based in London. The original article appears here.
Cyber insurance is projected to experience major growth in the years ahead and new insurers are regularly entering the market. While this is creating greater competition and providing more choice for customers, some insurers are still testing the waters in terms of the coverage they give. This has created a lack of standardization in cyber policies, with different insurers taking different stances on particular coverage areas.
This lack of standardization across wordings can sometimes result in businesses buying a cyber policy and assuming that something is covered, only to get a nasty surprise when it comes to making a claim. So to make the process easier, we’ve highlighted some of the most common “cyber gotchas” that brokers and clients should be looking out for when advising on or purchasing a policy.
- Data re-creation vs data recovery
Most modern businesses rely on data to some degree, whether it be customer data, financial data or simply their own intellectual property. If a business loses access to their data because of a cyber attack, there can be a major operational impact.
And yet many cyber policies only provide cover for the cost to recover or restore data from backups, and in some cases, where they include data as a defined term, they specifically state that the data has to be subject to regular backup processes. This means that if a business doesn’t back up its data, or if its backups fail for whatever reason, the policy won’t cover the cost of re-creating that data from scratch.
At CFC, we have seen a number of cases where backups were compromised as part of an attack or had been failing for a number of years. This required us to help the insureds re-create the data from scratch (not just recover an electronic copy of it), which can be a very costly and labour-intensive process. The difference between a policy that only offers data recovery and one that offers data re-creation can therefore make a big difference to an insured.
- Call back warranties
An effective way of tackling certain types of funds transfer fraud is through the use of call back procedures. Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the organization in question validates the request by having an employee call the person or company requesting the change on a pre-verified number to confirm that it is legitimate.
In some cases, insurers include a call back warranty on their policies. So if the process outlined above or some other form of multi-factor authentication is not carried out, the claim will not be covered. This kind of warranty isn’t always clearly highlighted in the policy, but it can usually be found in the policy conditions, exclusions and definitions or sometimes as part of the application form.
The problem is that although call back procedures are a very effective way of reducing the risk of certain forms of funds transfer fraud, employees don’t always comply with them, especially new or inexperienced staff members who may not be aware of such processes. The vast majority of funds transfer fraud claims that we have paid at CFC would not have been covered if we had included a call back warranty. Policies containing such warranties can make it much more likely that claims of this nature will be declined.
That’s a big problem. Funds transfer fraud is causing serious financial harm to businesses around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide to funds transferred as a result of business email compromise scams. Funds transfer fraud is also CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no sign of abating. The difference between a policy that contains this kind of warranty and one that doesn’t could therefore make a big difference to an insured when it comes to making a claim for this type of loss.
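The call-back control described above turns on one detail that is easy to get wrong in practice: the number dialled must be the one already on file before the request arrived, never the number quoted in the request itself, because a fraudulent "please update our bank details" email normally supplies the attacker's own contact number. The following is an added example (not code from CFC, the article, or any insurer's systems) of how a payments system might enforce that rule and keep the audit trail an insured would need to evidence compliance with a call-back warranty. All payee names, account numbers and telephone numbers are constructed sample data, and the class and function names are the author's own.

```python
"""Out-of-band call-back verification for payee bank-detail changes.

Added illustration, not from the article or any insurer.  A change to a
payee's bank account is applied only after an employee records a
telephone confirmation made to the number that was already on file
for that payee.  The phone number contained in the change request is
treated as untrusted and is never used for the call.  Every decision,
applied or refused, is appended to an audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


class CallbackPolicyError(Exception):
    """Raised when a change would be applied without a compliant call-back."""


@dataclass(frozen=True)
class Payee:
    name: str
    account: str
    verified_phone: str  # captured at onboarding from an independent source


@dataclass(frozen=True)
class ChangeRequest:
    payee_name: str
    new_account: str
    phone_in_request: str  # whatever the requester wrote; untrusted
    requested_by: str


@dataclass(frozen=True)
class Callback:
    payee_name: str
    number_dialed: str
    employee: str
    confirmed: bool
    when: datetime


class PayeeLedger:
    def __init__(self, payees: List[Payee]) -> None:
        self._payees = {p.name: p for p in payees}
        # (request, callback, outcome) tuples: the evidence produced at claim time
        self.audit: List[Tuple[ChangeRequest, Optional[Callback], str]] = []

    def evaluate(self, request: ChangeRequest, callback: Optional[Callback]) -> str:
        """Return the reason the change must be refused, or '' if it may proceed."""
        payee = self._payees.get(request.payee_name)
        if payee is None:
            # New payees need their own onboarding step, with a number obtained
            # independently of the request; they cannot be created via a change.
            return "unknown payee: set up via onboarding, not via a change request"
        if callback is None:
            return "no call-back recorded"
        if callback.payee_name != request.payee_name:
            return "call-back is for a different payee"
        if callback.number_dialed != payee.verified_phone:
            # The classic failure: staff dial the number quoted in the email.
            return "call-back used a number not on file before the request"
        if not callback.confirmed:
            return "payee did not confirm the change"
        return ""

    def apply_change(self, request: ChangeRequest, callback: Optional[Callback]) -> Payee:
        reason = self.evaluate(request, callback)
        self.audit.append((request, callback, "applied" if not reason else "refused: " + reason))
        if reason:
            raise CallbackPolicyError(reason)
        old = self._payees[request.payee_name]
        updated = Payee(old.name, request.new_account, old.verified_phone)
        self._payees[old.name] = updated
        return updated

    def account_for(self, name: str) -> str:
        return self._payees[name].account


# Constructed sample data (UK drama-reserved number ranges, fictitious accounts).
PAYEES = [Payee("Acme Supplies Ltd", "GB11ACME00001111", "+44 20 7946 0000")]
FRAUDULENT = ChangeRequest("Acme Supplies Ltd", "GB99EVIL00009999",
                           "+44 7700 900999", "cfo@acme-supplies.co")
GENUINE = ChangeRequest("Acme Supplies Ltd", "GB22ACME00002222",
                        "+44 20 7946 0000", "accounts@acme-supplies.com")


def demo() -> dict:
    """Run both requests through the ledger and return what happened."""
    ledger = PayeeLedger(PAYEES)
    now = datetime.now(timezone.utc)
    results = {}
    # A new hire dials the number from the fraudulent email; the attacker answers and "confirms".
    try:
        ledger.apply_change(FRAUDULENT, Callback("Acme Supplies Ltd", FRAUDULENT.phone_in_request,
                                                 "new.hire", True, now))
        results["fraud"] = "applied"
    except CallbackPolicyError as err:
        results["fraud"] = str(err)
    # The genuine change is confirmed on the number that was already on file.
    ledger.apply_change(GENUINE, Callback("Acme Supplies Ltd", PAYEES[0].verified_phone,
                                          "j.smith", True, now))
    results["genuine"] = ledger.account_for("Acme Supplies Ltd")
    results["audit_entries"] = len(ledger.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that `evaluate` never reads `phone_in_request`; the only acceptable number is the one stored with the payee record, and a refused attempt is logged as carefully as an approved one, since both are what an insurer will ask for when a call-back warranty is in play.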
- Aggregate limits
Traditionally, cyber insurance policies have been written on a single aggregate limit basis for both first party and third party claims. This means that once the policy limit has been paid, there will be no money left for any subsequent claims during the policy period. This is primarily due to the fact that cyber insurance has been seen as a liability class of business, and many liability policies operate on an aggregate limit basis.
However, the idea that cyber insurance is all about liability is misleading. According to our own cyber claims data, third party claims make up less than 5% of the claims total, with the vast majority of cyber claims being first party incidents that cause a direct financial loss to the insured themselves, such as breach notification costs, system damage, system business interruption and funds transfer fraud.
Cyber insurance is therefore very much about first party exposures. But if you were to look at the typical first party covers that businesses buy, such as traditional property damage and crime policies, you’d find that these policies are not written on an aggregate limit basis. Instead, limits and sums insured are reinstated following each claim, allowing a policyholder to claim up to the limit for each and every claim that they make. For any client that is used to buying traditional first party policies, it can come as a bit of a surprise to find the first party sections of a cyber policy subject to an aggregate limit, especially if they exhaust that limit and then suffer another loss later in the policy period.
At CFC, we’ve recognized this, and that’s why we provide cover on an each and every claim basis for all our first party cyber covers. This includes cyber incident response costs, which have a separate limit under our policies, giving you two sections of cover that are reinstated following every claim.
Given the recent well-publicized hacks at CCH Axcess (here) and Redtail (here), the quality and comprehensiveness of cyber coverage is very important. For example, many CPAs suffered a business interruption due to the outage and incurred significant additional costs arising from the CCH hack. Most cyber policies do not cover business interruption arising from an attack on a vendor’s facility. However, CFC’s most recent cyber policy contains the following clause:
SECTION D: DEPENDENT BUSINESS INTERRUPTION
We agree to reimburse you for your income loss and extra expense sustained during the indemnity period as a direct result of an interruption to your business operations arising directly out of any sudden, unexpected and continuous outage of computer systems used directly by a supply chain partner which is first discovered by you during the period of the policy, provided that the computer systems downtime lasts longer than the waiting period and arises directly out of any cyber event or system failure.
“Supply chain partner” means any:
a. third party that provides you with hosted computing services including infrastructure, platform, file storage and application level services; or
b. third party listed as a supply chain partner in an endorsement attaching to this policy which we have issued.
* CFC policy – Cyber, Private Enterprise v3.0
So, according to the underwriters at CFC, the circumstances of the CCH Axcess incident (subject to all policy terms, conditions and exclusions) would likely have been covered. Of course, you should check with your insurance professional and appropriately qualified counsel for a final determination of coverage.
If you are interested in terms from CFC for a cyber policy, please contact me (the undersigned).
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org.