David Legassick, Head of Cyber, Tech & Life Science, reviews the recent Mactavish Cyber Risk & Insurance Report and compares the common flaws highlighted in the report against CNA Hardy’s cyber insurance offering.
Cyber is a growing and complex threat. Our latest Global Risk & Confidence research shows that business leaders expect it to become the leading risk in 2019, with 49% of respondents predicting the threat to rise. Bruce Hepburn, chief executive of Mactavish, rightly points out that “despite a sharp increase in cyber incidents, this market is very immature and in many respects untested”. However, in spite of the market’s infancy, a lot of important work is being targeted at cyber risk and its accompanying exposures to ensure products are fit for purpose.
The Advantages of Working With A Specialist
Working with a specialist broker and insurer can help businesses fully understand their exposures, resulting in both comprehensive and reliable coverage.
We have highlighted some of the differences between an ‘off the shelf’ product analysed in the report and how we, at CNA Hardy, approach cyber coverage:
Mactavish Flaw 1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions.
Our response:
- Our Business Interruption coverage extends to include system failure (sometimes known as operational error) and also extends to errors made by IT outsourced providers, such as cloud data services or web-based software.
- Our coverage also includes the vicarious liability a policyholder has for their employees. The recent Morrisons case (a disgruntled employee posted the personal data of 100,000 employees online) demonstrates its importance.
- Human error is a common cause of a cyber breach, and we have supported clients in many different scenarios including employees losing encrypted USB sticks, mobiles or laptops and even sending emails to the wrong recipients.
Mactavish Flaw 2. Data breach costs can be limited, i.e. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice).
Our response:
- We cover the client’s legal liabilities, their costs and expenses. Coverage also extends to scenarios such as voluntary notification (even in countries that don’t have compulsory notification legislation) and also in respect of confidential corporate information, which is rarely covered by privacy legislation.
- Reputational damage is an issue for clients: a negative social media post or a bad review can quickly spiral out of control and impact shareholder value as well as reputation.
Additional services are available to help reduce the impact of a breach on the client, such as PR expenses, legal costs and credit scoring.
Mactavish Flaw 3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted.
Our response:
- We offer up to 365 days of coverage for business interruption, and also include the extra expenses which can often be incurred.
Our experience is that whilst businesses may suffer an initial loss of profit following an incident, the vast majority win back customers and fully recover financially with the additional support we provide.
Mactavish Flaw 4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded.
Our response:
- Our flexible coverage extends to IT outsourced service providers, with full coverage for their errors or omissions. Many businesses outsource parts of their systems and processes to third-party providers, such as SaaS, PaaS and data centres.
Mactavish Flaw 5. Exclusions for software in development or systems being rolled out are common and can be unclear or, in the worst cases, exclude events relating to any recently updated systems.
Our response:
- We don’t have this exclusion or limitation. We agree it would be detrimental for the client to have these types of exclusions.
Mactavish Flaw 6. Where contractors cause issues such as a data breach, but the business is legally responsible, policies will sometimes not respond.
Our response:
- Our policy includes coverage for actions of subcontractors that the business is legally liable for. Data is often passed to other parties (usually for data processing) and our policy also covers data breaches caused by subcontractors and third-party custodians.
Mactavish Flaw 7. Notification requirements are often complex and onerous.
Our response:
Clients have a single phone number or email address to notify us of an issue, 24/7. Our breach response provider is deemed as first referral, so if an incident occurs the client needs to make one phone call to begin the process.
Our aim is to make the process as simple as possible.
Mactavish Flaw 8. During a cyber incident, businesses often have no freedom to choose their IT, PR or legal specialists, as the policy only covers insurer appointed advisors.
Our response:
We recognise some clients prefer to use other advisors, and our only stipulation is to agree rates and control costs in advance, or at the start of the policy period.
However, we believe that access to trusted advice is a vital benefit that many of our clients value, particularly if they don’t have the funds, time or resource to set up contracts with multiple specialist advisory firms in their time of emergency. Using our preferred expert partners means that we can also guarantee the quality of the technical support and response, particularly for complex issues and for certain situations where timely PR, Legal, IT and Forensic expertise is urgently required. Clients also benefit from £0 excess in respect of their costs of using these suppliers.
Mactavish on Claims - There is a high level of disputed, discounted and delayed claims settlements.
Our response:
Our experience of claims is different to the Report. As a specialist insurer, our claims commitment is a core service that demonstrates how we stand apart from our competition. In 2017, our service was voted the Market Leader in the Gracechurch Mid-Market Claims Full Year Review by brokers. It revealed which insurers were excelling in delivering on their claims promise, and CNA Hardy was voted as the best by brokers.
“Their speed of response and their commerciality help me to deliver better customer service”.
Broker
“They are professional, efficient and flexible. They look at it from both angles; they don’t throw it out - they speak to you first to get all the facts”.
Broker
Interested in finding out more?
Read David Legassick’s Insurance Day article - Cyber Risk Requires Careful Handling
“Underwriters must be mindful not to jump on the bandwagon, and underwrite cyber risk carelessly without a clear understanding of the potential size of potential losses.
We also need to help clients understand their policies and what they can do to improve their own cyber risk protection, and this requires education – a lot of education.”