Cyber Insurance – Risk management after the inevitable cyber incident

IT Security has become a focus point for the European and German legislators and, therefore also for companies’ risk managers in all industrial sectors. This is especially true for the so-called critical infrastructures in the EU and in Germany. IT Security means, in the first place, that a company takes organizational and technical measures preventing the cyber incident. However, we all know, there is no perfect organizational or technical protection. Accordingly, cyber insurance is another indispensable part of the appropriate risk management. It does not replace risk management, but it complements the process.

What is cyber insurance?

Cyber insurance mostly helps the insured company coping with the consequences of an inevitable cyber incident, i.e. with the challenges and damages caused by a hacker attack, a virus infection, or a bug installed by an extortionist. The insurer offers immediate cyber incident services as well as coverage for first party and third party damages including repair and advisors’ costs. Before the insurer provides cyber insurance, a thorough underwriting process is key. In the German market, currently, this process takes one to three years. This is because the insurer requires from the potential insured company certain IT security standards, which often have to be installed first. Moreover, silent cyber risks in the insured’s existing insurance coverage need analysis and remedy – since there should be no double insurance of the same cyber risks. Here, the instructed insured’s broker(s) as well as legal advisors play an important role.

Which coverage is available?

The standalone cyber insurance currently offered follows a modular concept. Depending on the insured’s main needs, the insured may choose various coverage modules, either in respect of its own risks (“First Party Risks”) and/or in respect of the risk to become liable vis-à-vis third parties (“Third Party Risks”):

First Party Risks

Data Breach Costs: Covers expenses to

  • retain a computer forensics firm to determine the cyber incident’s scope and to stop it,
  • obtain legal services to comply with data protection law requirements and to enforce recourse claims against known contravener, and
  • retain public relations or crisis management advisors to notify and provide credit monitoring services to affected individuals, and to safeguard or restore the company’s reputation.

Data Loss: Covers costs incurred by insured to restore or recollect data impaired or destroyed by the cyber incident.

Business Interruption: Covers loss of income arising out of the interruption of network service caused by the cyber incident to the insured or to outsourcing and service partners (e.g. Cloud, Internet as a Service, Software as a Service, Platform as a Service).

Extortion: Covers extortion payment and associated expenses arising out of a criminal threat to disclose sensitive information or bring down the insured’s network, unless payment to the extortionist is made.

Third Party Risks

Professional and Public Liability: Covers insured’s acts, errors or omissions when providing technology services or trading with technology products, or when providing services other than technology services.

Data Protection Liability: Covers any liability or loss caused by the insured’s failure to protect sensitive personal or corporate information.

IP Liability: Covers infringement of copyright or trademark, defamation, or negligence arising out of the content on the insured’s internet website.

The coverage of punitive damages or contractual penalties is currently not available in German Cyber Insurance. It is disputed whether such risks are insurable in compliance with German insurance contract law. Therefore, currently, German Cyber Insurance covers such risks “to the extent these are insurable under German law”. However, a relevant binding German High Court ruling or guidance by the German insurance regulator BaFin are not yet available. BaFin provided guidance in respect of the extortion payment coverage permissible within certain limits.

The German Cyber Insurance market is seen as the future growth market in industrial insurance business. Currently, insurers earn an estimated annual premium income with cyber insurance of below EUR 100 million. In comparison, in the USA the concerning premium income is several billion USD. Therefore, the sector expects enormous growth potential in Germany. Insurers as well as their reinsurers should prepare and position themselves accordingly.

Silent Cyber Risks

The German market for standalone cyber insurance is still quite young, and only recently insured companies have started to experience cyber losses and thereby develop interest for corresponding new insurance cover. What we regularly see in our legal advisory practice these days, is that irrespective of whether the affected insured company has or has not yet taken out a specific standalone cyber insurance, it expects cyber loss coverage under their traditional property and liability policies. However, the traditional insurance products were originally designed without cyber exposure being in the mind of the insurers. Correspondingly, the traditional property or liability insurance policies neither implicitly include nor expressly exclude cyber risks coverage. The insurers may have to pay claims for cyber losses, as courts may hold the policies to contain the coverage of such so-called “silent cyber risks”. The market players are currently discussing several ways of solving this issue.

The preferred solution is to provide standalone cyber insurance and agree with the insured company on a clear cyber risks exclusion in their existing traditional property and liability insurance policies. However, many insured company do not (yet) want or initiate or pursue this route. In such case, some insurers decide to stay inactive and do not affirmatively confirm that their policy is meant to provide cyber-related exposure, but they do not deny the coverage either. The challenge is that there are global property and casualty insurance programs written decades ago with outdated exclusions. To replace them is easier said than done and will take several years. Consequently, in the next three to five years we expect a very high number of difficult negotiations of industrial insurance packages against the background of silent cyber exposure.