Definitely, (Not) Maybe: Cyber Insurance And Disclosure


Let’s face it, the world of insurance can seem complicated to many people who don’t work in it.

At its best and most effective, it’s a three-way process – a clear dialogue between those wanting cover, their brokers and the underwriters employed by insurers.

Nevertheless, some individuals and small businesses prefer to deal directly with insurers. Given that they may not be fully familiar with what is entailed, there is at least the potential for problems to arise.

One difficulty is in relation to disclosure, the full and frank provision of information by intended policyholders to ensure that cover is appropriate.

When it comes to certain types of policies – such as cyber insurance, which can by its very nature be rather technical – disclosure can be complex, even for brokers well-versed in other areas of business insurance.

Insurers, therefore, often put in place questionnaires to guide customers as to what details they require, but these can lead to issues of their own.

The forms are based in part on assumptions about the kind of risk management arrangements which might be in place.

In the case of cyber cover, those assumptions can relate to which technologies capable of, for instance, preventing hacks have been adopted.

Although the procedure might seem a straightforward “yes” or “no” exercise, it is not always the best way to cover the sort of information needing to be dealt with.

That is particularly true given that any mistakes can have very significant implications, as one very recently concluded court case in the United States has demonstrated.

Rather than being of relevance in North America alone, I believe that the proceedings could well have consequences for firms elsewhere around the world wanting cyber cover and the insurers which make it available.

The case was brought in the federal court in Illinois by Travelers, one of America’s biggest insurance companies.

Travelers took action against a business called International Control Services (ICS) following a claim that it made after it was the target of ransomware in May this year.

ICS describes itself as an “industry leader” in electronic management services and works as a supplier to companies operating in the aerospace, medical and communications sectors among others.

It had taken out cyber cover with Travelers after a previous ransomware attack in December 2020.

In its application, ICS had mentioned that episode and highlighted how it had subsequently beefed up its defences, particularly in respect of its use of multi-factor authentication (MFA).

Nevertheless, after its systems were compromised earlier this year, Travelers investigated the case and found that MFA was only used to protect a firewall put in place by ICS and not its main servers.

As a result, Travelers refused to pay out and moved to have the ICS policy rescinded.

It is a step which insurers are permitted to take under US law if, once a policy has been issued, they discover that clients either misrepresented themselves or concealed relevant facts.

Travelers maintained in court that, had it known about the selective application of MFA by ICS, it would not have provided cover.

At the end of last month, ICS agreed both to withdraw its claim and to the rescission of its policy.

In my opinion and in the circumstances, the result is to be expected but it is still a situation which could have far-reaching impact.

It underlines the importance for companies wanting cyber cover of being thorough in disclosing all details which could have a bearing on whether the policy is provided.

Anyone flicking through the pages of our national newspapers will be aware of why that’s important.

The number of cyber attacks is large and growing more frequent, as figures published by the Information Commissioner’s Office (ICO) make all too clear.

In the final three months of the last financial year, cyber issues accounted for just over one-fifth of the 2,172 data breaches.

There are those who might believe the answer to be systemic, as though spending even more on IT and security software or protocols will be sufficient to nullify the increasing threat.

The ICO data illustrates why that position is false. The vast majority of data breaches were not the result of malware, ransomware or phishing but human error.

Nearly 400 instances were simply due to confidential information being e-mailed to the wrong person.

No amount of hardware and workplace regulations will necessarily guard against a member of staff sending the right material to the wrong place.

That is why insurance is a vital part of the defence for businesses of all shapes and sizes.

To work as it should, cyber cover requires a robust, joined-up approach, the central element of which is clarity.

Every conversation which I have with clients currently touches on cyber security in some form or fashion. It is that important and that much of a priority.

If you’re in doubt about what insurers need to know, speak to a broker.

We deal with underwriters all the time and we understand what is required and how it should be presented.

The alternative is to risk a similar experience to ICS – the double compromise of an attack and finding that your policy is redundant because of an oversight.



Written by Martin Lilley, Director of Corporate
