Exposures to cyber risk for non-cyber insurers
Cyber risk is an area of great interest to businesses at present. With the frequency and severity of high-profile risks on the up, it is unsurprising that the World Economic Forum’s Global Risk Report places ‘cyber attacks’ as the technological risk of highest concern for 2015 and predicts it will remain so for the next 10 years.
As the profile, impact and scale of cyber risks have grown, the cyber risk insurance market has also shown considerable growth, and that trend is expected to continue. Cyber risk is not, however, an exposure that should be considered exclusively relevant to specialist cyber insurance books of business. On the contrary, there are considerable potential exposures to cyber risk in other classes of insurance. Some of these risks are significant, not least because non-cyber specialist underwriters do not ordinarily expect to have to consider exposures to cyber risk as part of the underwriting and rating process. Indeed, the vast majority of ‘traditional’ insurance products were never designed to cater for exposures presented by cyber attacks or other related causes.
When considering the areas in which cyber exposures may arise and how non-specialist policies may respond, it remains important to have in mind the fundamental principles of insurance law, especially in respect of issues of causation and the application of exclusions. Establishing the cause or source of a loss is vital to assessing whether any given policy will respond or if an exclusion operates to the insurer’s benefit. Similarly, careful drafting of definitions and exclusions will be crucial in trying to set out the coverage for cyber risk under non-specialist policies.
Central to dealing with matters of causation and the applicability of exclusions is being able to establish the proximate cause of the loss. The proximate cause is said to be the ‘dominant’ or ‘effective’ cause of the loss. It does not necessarily have to be the first or last cause in time and there can in fact be more than one proximate cause. Identifying the cause which made the loss in question an inevitability is often characteristic of the proximate cause of the loss.
It is worth considering these ideas in the context of some common forms of non-cyber insurance, such as property insurance and marine insurance.
Property insurance is of course designed to respond in the case of damage to the insured’s property. There are two key forms of property insurance: a ‘named peril’ policy and an ‘all-risks’ policy (ARPI policy). Where a named perils insurance policy is in place, the policy will only respond to those risks which fall within one of the specified heads of cover. Contrast this with an ARPI policy, whereby the policy responds to damage caused by any risk, subject to the exclusions stated. In most cases the standard or expected perils that are considered include things such as fire, storms, flooding or even vandalism. It is often suggested that the common requirement for there to be ‘damage’ to the insured property will mean that the exposure of such policies to cyber attacks will be significantly limited. It has now become clear, however, that cyber attacks are capable of causing substantial physical property damage. One example of this is the deployment of the Stuxnet ‘worm’ against an Iranian nuclear facility in 2010, which caused the mechanisms operating centrifuges to malfunction, resulting in physical damage. More recently, in December 2014, hackers infiltrated the operating systems of a German steelworks and were able to intentionally shut down one of the furnaces, resulting in extensive physical damage. With many companies still reluctant to take up standalone cyber insurance policies, it is very likely that in such instances insureds will turn to their existing insurances to claim.
Insurers should carefully consider how property policies, especially ARPI policies, may respond to damage or losses that are caused by a cyber event, or alternatively where the cyber event is one of the causes in a larger chain of events. This may also be relevant in the context of claims for business interruption, which is often included in property policies. Subject to the application of an effective exclusion, if the cyber-related cause is deemed to be the proximate cause of the loss, it is likely that the policy will respond. By way of example, consider a case in which a server room has been hacked into and the cooling systems shut down. The result is that the servers overheat and catch fire, causing damage to the data contained on the system and physical damage to the server unit itself, and also destroying a large part of the building. The insured claims under an ARPI policy. In this instance, it is likely that the proximate cause of the damage to the server unit would be the hacking and the proximate cause of the building damage would be the fire. If no exclusions for cyber attack or fire were included, both losses are likely to be recoverable. If the policy included an exclusion in respect of loss resulting directly from a cyber event, it is likely that the server unit loss would be excluded but the building damage would be recoverable. However, if the insurer could prove that both causes were concurrent proximate causes of the damage to the building, then the cyber exclusion would operate to exclude all of the loss. As one can see, the variables are broad and inclusion of a basic cyber exclusion would not always be effective – insurers may need a broader or more specific exclusion which would have to be very clear in its intended application.
The importance of exclusions can also be highlighted by reference to marine insurance policies. A common market standard ‘cyber exclusion’ is often incorporated into marine insurance policies. This clause is known as the CL380 clause. In summary, this clause is designed to exclude losses which are caused by malicious cyber attacks. However, this clause does not deal with non-malicious cyber issues, which are in many cases just as common. The causes of such issues might include system malfunction, failed upgrades or even human programming errors. In these instances, the CL380 clause would not be triggered and the insurer may face liability.
Definitions are also vital, and there are two angles from which to approach definitions in the context of cyber exposures. Firstly, it is important to review definitions dealing with the property to be covered, as these definitions may or may not exclude data, electronic information, software or other intangible property. Making the definitions relating to the property covered as clear as possible, and including express carve-outs for intangible property, will reduce exposure. Secondly, insurers should consider definitions relating to the cause of the damage. This may include malicious cyber attacks, viruses, software errors or other similar non-physical causes of damage. If the intention is for the insurer to avoid liabilities arising from such ‘cyber-related’ sources, these ought to be clearly carved out from the relevant definitions. Similar considerations would be relevant to general liability policies.
As we become more reliant on technology and as that technology becomes more sophisticated, the risks that businesses and individuals face become more complex and more difficult to manage. Individuals, companies and even governments have responded to these new risks and there is a greater sense of awareness than there has been previously. The insurance market has developed many new products designed to address these risks. However, there are types of traditional insurance policies, most of which have been provided in the London market for many decades, which were of course not originally designed to cope with the new era of cyber risks. It is important for insurers to bear this in mind when assessing risk and exposures overall but also at the point new policies are being underwritten. The accuracy of insurers’ wordings is of paramount importance if unexpected cyber exposures are to be avoided.
Authors: Simon Cooper, Sam Batchelor