Cyber incidents have the capacity to cause many different types of loss. Insurance coverage exists for at least some aspects of cyber risks in the UK market. However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts. Our recent article considers these issues in more detail and can be found here.
This article was first published in the December 2017 issue of PLC Magazine.
Across the EU the cyber insurance market is growing rapidly, and the adoption of the GDPR and the Cyber Security Directive is likely to expand the market further as organisations falling within the scope of this legislation seek to protect themselves. In response to the rapid growth of the cyber insurance market, the European Union Agency for Network and Information Security (“ENISA”) published a report on the commonality of risk assessment language in cyber insurance on 15 November 2017. The report proposes two sets of recommendations that aim to support the harmonisation of language in a way that would facilitate the expansion of the EU cyber insurance market without stifling innovation.
This follows guidance at the national level from the Prudential Regulation Authority (“PRA”) earlier this year. The PRA issued a Supervisory Statement (the “Statement”) in July 2017 setting out its expectations of all UK non-life (re)insurance firms within the scope of Solvency II in relation to the management of their cyber insurance underwriting risk. The Statement was issued following a cross-industry consultation conducted between October 2015 and June 2016 and publication in November 2016 of the key findings of that consultation. The PRA also published a Policy Statement alongside the Statement.
The PRA says in the Statement that it “expects firms to be able to identify, quantify and manage cyber insurance underwriting risk”. Cyber underwriting risk may take one of two forms:
- affirmative cyber risk, i.e. insurance policies that explicitly include coverage for cyber risk; and
- non-affirmative (or ‘silent’) cyber risk, i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. The Statement says that this includes all property and casualty covers which could give rise to cyber risk exposure from physical and non-physical damage.
In order to identify, quantify and manage cyber insurance underwriting risk, firms are expected to:
- introduce measures that reduce the unintended exposure to non-affirmative cyber risk, with a view to aligning the residual risk with the risk appetite and strategy agreed by the board. This includes making adequate capital provisions against this risk. The measures may also include adjusting the premium to reflect the additional risk and offering explicit cover; introducing policy exclusions; and/or attaching specific limits of cover;
- have clear strategies for the management of cyber risks, which are owned by the board and reviewed at least annually. The strategy should include a clearly articulated risk appetite statement with both quantitative and qualitative elements, for example defining target industries to focus on, a strategy for managing non-affirmative cyber risk, rules for line sizes, aggregate limits for industries, splits between direct and reinsurance business, etc.; and
- understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk (including both affirmative and non-affirmative risk). This knowledge and understanding should be aligned to the level of risk and any growth targets the firm has in this field, and should cover all three lines of defence (business, risk management, and audit).
The PRA’s Statement will focus insurers on the need to get a better handle on their cyber exposure, particularly their ‘silent’ cyber exposure. There are currently numerous policies in the London market which include ‘silent’ cyber risk merely by virtue of the fact that cyber risks are not excluded from cover. For example, unless cyber risks are excluded, property and business interruption policies may respond to a cyber-attack which causes physical damage. Likewise, a liability policy might respond where the liability results from a cyber breach which is not excluded. It will be no small task for (re)insurers to identify, quantify and manage these ‘silent’ cyber risks. One option for (re)insurers to manage their risk is to include cyber exclusions in non-cyber insurance products. However, particularly in a soft market, it remains to be seen whether they will have the ability or appetite to do this.
We recently presented a related webinar titled "Cyber Insurance: understanding the insurance response" which can be accessed by clicking here.
The ENISA report on the commonality of risk assessment language in cyber insurance can be found here.
The PRA’s Supervisory Statement can be found here.
The PRA’s Policy Statement can be found here.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London