Insurance Firms Urged to Challenge Cyber-Insurance Policies
May 29, 2019 • News • management • Cyber Security • insurance
Mactavish urges brokers to challenge insurers more over the quality of their cyber policies.
In November last year, Mactavish published a report entitled ‘Cyber Risk & Insurance Report’, which identified eight common flaws in cyber insurance policies. This includes, for example, cover being limited to events triggered by attacks or unauthorised activity and excluding cover for issues caused by accidental errors or omissions.
Another flaw is only providing systems interruption cover for the brief period of actual network interruption, as opposed to the more significant knock-on revenue impact during the period after IT systems are restored but the business is still disrupted. In the last two weeks alone Mactavish has reviewed cyber insurance policies for a large British business and a medium sized business. Both of these policies had three or more of the flaws. Mactavish warns that despite insurance industry denials, the eight flaws are widespread.
Bruce Hepburn, Chief Executive Officer, Mactavish, commented: “Many in the industry have challenged our findings but we continue to find these issues affecting the actual policies we review that are being offered to UK businesses, and we will be publishing a second paper on the sector next month providing more details on our findings. “However, in the meantime, we are calling on brokers to challenge insurers more on the quality of the cyber cover they provide and push for improvements. If they can’t achieve this, they need to warn their clients of the omissions in their policies to give them a better understanding of what they are buying.”
Mactavish has issued a challenge to insurers and brokers to guarantee that the eight common flaws it has identified in policies will never be used as reasons to refuse pay-outs on cyber insurance claims unless they can show that a client has been informed but decided not to buy the additional cover. The eight flaws outlined in the Mactavish Cyber Risk & Insurance Report are:
1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions;
2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice);
3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted;
4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded;
5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems;
6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond;
7. Notification requirements are often complex and onerous;
8. Businesses are forced to choose IT, legal or PR specialists appointed by their insurer.
In November last year, Mactavish published a report entitled ‘Cyber Risk & Insurance Report’, which identified eight common flaws in cyber insurance policies. This includes, for example, cover being limited to events triggered by attacks or unauthorised activity and excluding cover for issues caused by accidental errors or omissions.
Another flaw is only providing systems interruption cover for the brief period of actual network interruption, as opposed to the more significant knock-on revenue impact during the period after IT systems are restored but the business is still disrupted. In the last two weeks alone Mactavish has reviewed cyber insurance policies for a large British business and a medium sized business. Both of these policies had three or more of the flaws. Mactavish warns that despite insurance industry denials, the eight flaws are widespread.
Bruce Hepburn, Chief Executive Officer, Mactavish, commented: “Many in the industry have challenged our findings but we continue to find these issues affecting the actual policies we review that are being offered to UK businesses, and we will be publishing a second paper on the sector next month providing more details on our findings. “However, in the meantime, we are calling on brokers to challenge insurers more on the quality of the cyber cover they provide and push for improvements. If they can’t achieve this, they need to warn their clients of the omissions in their policies to give them a better understanding of what they are buying.”
Mactavish has issued a challenge to insurers and brokers to guarantee that the eight common flaws it has identified in policies will never be used as reasons to refuse pay-outs on cyber insurance claims unless they can show that a client has been informed but decided not to buy the additional cover. The eight flaws outlined in the Mactavish Cyber Risk & Insurance Report are:
1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions;
2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice);
3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted;
4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded;
5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems;
6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond;
7. Notification requirements are often complex and onerous;
8. Businesses are forced to choose IT, legal or PR specialists appointed by their insurer.
Leave a Reply