Cyber insurance picture remains opaque

The need for comprehensive cyber coverage has been highlighted by the recent Maersk attack. Credit: Press Association
The need for comprehensive cyber coverage has been highlighted by the recent Maersk attack. Credit: Press Association

The recent cyber attack on Maersk has highlighted the scale of cyber threats, but given the complexity of the commercial insurance sector, having comprehensive cyber coverage in place could prove challenging.

The insurance market offers a range of products that offer specific cyber coverage, based on a variety of risks and mitigation measures. In terms of the fundamental costs that attacks could create, products will cover cyber extortion, breach costs, business interruption, hacker damage, and crisis containment (see sidebox below).

Cover will also provide funds to defend and settle claims made for failing to keep customers’ personal data secure. It will also pay the costs associated with regulatory investigations and settle civil penalties levied by regulators where allowed.

However, there remain some significant issues for the insurance industry to surmount, mainly because of the lack of clarity and data on the true levels of potential exposures.

Consequently, firms impose limits on the level of exposure that they are willing to take and, as such, major firms’ brokers need to create multiple layers of insurance cover from several underwriters to provide capacity that major international firms require.

This approach means that cyber coverage varies from insurer to insurer, so although there can be a capacity created, it may well be with layers that contain different levels of coverage.

This could lead to a situation in which, for example, claims could be covered by three of five insururers on the programme, but not by the other two.

IHS Markitunderstands from industry sources that Maersk does have a degree of specialist cyber coverage in place. The Danish company has appointed experts who are currently sifting through the company’s insurance coverage to see which of its policies will be triggered to pay for the liabilities that have been created by the recent attack.

Although traditional hull, cargo, and property policies will include a certain level of cyber cover, there may well be a specific cyber exclusion that will fall within the firm’s cyber policies.

Types of cyber cover

Ransomware/cyber extortion: This will offer cover if a hacker tries to hold a business to ransom by covering the ransom payment and may well also include the cost of drafting in risk consultants to help manage the situation.

Breach costs: In the event of a data breach, this will cover the costs of forensic investigations, legal advice, notifying customers or regulators, and offering support such as credit monitoring to affected customers.

Cyber business interruption: It will provide compensation for loss of income, including where caused by damage to a company’s reputation, if a
hacker targets a company’s systems and prevents the business from earning revenue.

Hacker damage: This aims to reimburse the costs of repair, restoration, or replacement if a hacker causes damage to a firm’s websites, programmes, or electronic data.

Crisis containment: Some firms will look to provide expert support to mitigate reputational damage. In the event of a data breach, prompt, confident communication is critical to help minimise the damage to a company’s reputation. There is therefore access to crisis containment cover with a specialist public relations firm that can provide expert support, from developing communication strategies to running a 24/7 crisis press office.

According to Suki Basi, managing director at Russell Group, which provides claims and aggregation data to the marine insurance sector, the threat to the market is the lack of clarity in policy wording when it comes to cyber attacks.

“There is a significant issue for the marine market in terms of the lack of clarity in the definitions for cyber cover across marine policies,” he explained.

“They do not do enough to allow firms to easily identify exactly where claims for the loss will sit. Is it in a specific cyber clause in the cyber policy? Is it covered in the hull and machinery policy?

“This is not simply an issue for the shipowners. It requires a concerted response from the entire industry to enable firms to understand what risks are covered by which policies.”

Basi said that there are some cyber risks that are in danger of falling through the gaps in the various policy coverages.

“There are concerns of the threat of the jamming of GPS systems, which would leave vessels in danger of being sent off course,” he added.

“We all know that, for shipping firms, communication with vessels around the world is vital and, as such, if there is any disturbance in that ability, there is the potential for serious issues.

“The concern is whether such risks are covered and by which policy. If the GPS is jammed, do any resultant losses fall into the specific cyber policy or into the traditional hull policy? There is a need for greater clarity.”

Another broker told IHS Markit, “The lack of loss and claims data, coupled with the ever-changing risk exposures, means insurers are keen to limit exposures. Given the nature of the risks and the individual risk profiles, there is no real standard wording so in the event of the claims it is far from straight forward.”

Visit IHS Markit’s dedicated cyber security topic page here