New research from UK-based insurance governance company Mactavish has revealed significant flaws in specialist commercial cyber insurance cover, and sparked concern over the potential for policies to not pay out.
The company, which recently launched a new Cyber Risk Consulting Practice, undertook a thorough review of dozens of ‘off-the-shelf’ cyber insurance policies and identified seven major common flaws:

- Cover can be limited to events triggered by attacks or unauthorised activity, excluding issues resulting from accidental error or omission.
- Data breach costs are often limited, for example only covering the costs that the business in question is strictly legally mandated to incur.
- Systems interruption cover can frequently be limited to only the period in which the network was interrupted, with no facility to cover the knock-on revenue impact in the period immediately afterwards while restoration takes place and business remains disrupted.
- Cover for the systems provided by outsourced service providers – which Mactavish cites as a significant exposure for most businesses – is often either limited or excluded entirely.
- It is common to find exclusions for software that is still being developed, or systems that are in the process of being rolled out.
- If a contractor causes an issue such as a data breach, but the company is legally responsible, many policies will not respond.
- Notification requirements are frequently highly complex and onerous.

“There are a number of new cyber insurance policies being launched,” said Bruce Hepburn, CEO of Mactavish, “but despite a sharp increase in cyber incidents, this market is very immature and in many respects untested. Perhaps some of these policies have been rushed to market by insurers eager to capitalise on the growing cyber risks facing organisations, and their desire to spend significant amounts of money to protect themselves against this. Very few claims have been made on these new cyber insurance policies, but my bet is that many will be disputed, or settlements will be much lower than clients expected. However, this can be avoided if organisations first understand the cyber risks they face, and then secure a bespoke policy to meet their needs.”