Cyber insurance – castles made of sand fall in the sea, eventually.
December 16, 2016
Setting the scene
The risk of a cyber incident, and the financial consequences that can follow it, are both evolving and increasing in severity, not least because of the harsh regulatory environment introduced by the General Data Protection Regulation. Boardroom decision makers can therefore often feel that they need insurance in order to be shielded from the full financial damage that a cyber incident can inflict. Losses can surface from a variety of angles, including reputational damage, intellectual property loss, data subject compensation claims, litigation by third parties and regulatory sanction.
We see this not only through our experience in servicing clients but also through empirical evidence: the PwC Global State of Information Security Survey found that 45% of organisations had purchased cyber insurance in its 2014 edition. This rose to 51% in the 2015 edition and to 59% in the 2016 edition.
Changes to insurance law
Until recently, the Marine Insurance Act 1906 was the primary piece of legislation governing insurance in the UK. It will therefore come as no surprise that a law more than 110 years old now looks rough around the edges and unfit for purpose. With this in mind, the Insurance Act 2015 has been introduced to better reflect 21st century commercial practice.
The Insurance Act 2015 (IA2015) received Royal Assent on 12 February 2015 but did not fully enter into force until 12 August 2016, in order to provide a lead-in time and allow businesses to adjust to the new regime.
A purchaser of commercial insurance is now under a duty of “fair presentation of the risk”, which must meet, amongst other things, the following criteria:
- Disclosure of every material circumstance that the insured knows or ought to know, or which otherwise gives the insurer sufficient information to be on notice that it needs to make further enquiries to reveal those material circumstances. The IA2015 compels an organisation to undertake a reasonable search for information that it ought to know.
- Every material representation as to a matter of fact is substantially correct, and every material representation as to a matter of expectation or belief is made in good faith.
The state of an organisation’s cyber security, and its knowledge of previous breaches, are evidently material to the risk that organisation poses, and the legislation is designed to ensure that an insurer is aware of both when assessing that risk.
The remedies for a non-disclosure or misrepresentation are for the insurer to: (1) refuse the claim; and, (2) not return the premium paid.
There will be a range of organisations that do not properly engage with a cyber security programme or give adequate attention to their exposure to risk and, instead, seek to insure against an incident and leave it at that. Such an approach would be misguided to say the least.
The IA2015 compels an organisation to make reasonable inquiries into its cyber security position – which may require the services of third-party providers – and then to provide insurers with that information. A presentation of information that is less than full and frank can leave an insured in a position in which a claim is invalidated on that basis.
The requirement under the IA2015 precludes the insure-and-forget approach described above. An organisation therefore needs to be in a mature position with respect to its cyber security posture in order to give a proper and fair presentation of its cyber security strengths and weaknesses. To do otherwise would leave an insured party vulnerable to having its policy invalidated when it makes a claim following a cyber incident.