When is a hack attack an act of terror and which insurance policy should respond?
In an era dominated by a global consciousness of the threat, if not a precise understanding of how to tackle it, there is growing fear regarding the likely impact of terrorist-driven cyber-attacks.
Many suggestions have been made as to how best to confront such issues, from sanctions to security measures. While opinion remains divided, one certainty remains: terrorist-driven cyber-attacks are becoming an inevitable part of the society in which we live. So, what is the insurance industry doing to negate the risks and provide security?
Cyber insurance and kidnap and ransom (K&R) policies both have the ability to provide some form of cover for the losses arising from a maliciously targeted cyber-attack. K&R insurance provides cover in case of kidnap, extortion, illegal detention and hijacking; essentially physical acts of terrorism. Cyber liability insurance is designed to provide indemnity for losses arising from a breach of technology and systems (maliciously targeted or otherwise). In the case of cyber liability, if an insured is subject to a breach, the policy provides a response service designed to restore the organisation to as close to its original state as possible while also reimbursing losses incurred.
Exactly what is included under each of these policies will vary; however, there are elements of crossover between the two, such as computer virus extortion (e.g. CryptoLocker malware), which is currently likely to be covered under both K&R and cyber offerings. The vital difference between the two is that cyber insurance principally focuses on damage to systems, while K&R confronts physical ‘acts of terror’.
What if a cyber-attack is also considered an ‘act of terror’? For example, computer virus extortion carried out by a recognised terrorist organisation. Previously, cyber policies would not cover terrorist-related attacks because they excluded attacks ‘committed for political, religious, ideological or similar purposes’. Unfortunately, neither would indemnity be afforded under a typical K&R policy, unless cover for cyber-attacks was specifically written into the wording.
Recently, however, many cyber insurers have broadened their policy wordings by removing explicit exclusions relating to ‘acts of terror’. ‘Acts of war’, which carry a specific definition within the insurance industry and are differentiated from ‘acts of terror’ by motive and civilian involvement, continue to be excluded by the majority of insurers across most commercial insurance products.
An increased awareness of the impact of cyber-attacks, coupled with forthcoming regulatory changes, has encouraged many businesses to take steps to improve the management of the risks associated with data and technology. This may be encouraging, but the level of understanding regarding the application of insurance to enhance the management of risk remains limited.
While we hope that very few firms will be impacted by a terrorist-driven attack, managing risk via both internal controls and cyber insurance is imperative at a time when ‘acts of terror’ are becoming increasingly prevalent and concerns continue to grow as to when cyber-attacks are likely to cause physical damage, rather than solely financial harm.
For the full article, please visit http://www.howdengroup.co.uk/en/knowledge-base/professional-indemnity/double-trouble/
This article was submitted to be published by Howden Group UK Limited as part of their advertising agreement with Today’s Conveyancer. The views expressed in this article are those of the submitter and not those of Today’s Conveyancer.