Many businesses are operating under the false belief that their insurance policy adequately covers data security and privacy exposure. This is not necessarily the case, as traditional insurance policies often do not adequately cater for the exposure organisations face in this sphere, say Darren Willans and Sarah Passmoor, who are directors of Werksmans Attorneys.
Cybercrimes and business interruption (BI) are becoming increasingly prevalent, posing a potentially significant threat to companies, particularly those with online business models, they say.
“If your company stores significant customer data, you may be targeted for ransomware attacks and other forms of cybercrime. Cyber insurance should therefore be an essential aspect of a company’s risk strategy in response to this form of BI.”
In 2021, cyber incidents were ranked as one of the highest threats to businesses in South Africa, having increased by 150% since 2020. Because this area of insurance law is constantly evolving and can be vague, it is essential that your company ensures that the policy clauses are not only clear and unambiguous, but also that the policy is up to date so that it caters for the current cyber risks, which are evolving rapidly.
In this article, Werksmans discusses some of the aspects of insurance coverage to which businesses should pay close attention.
The all-risks clause
A potential issue that may arise in a BI claim is where a cybercrime is only covered under all-risks clauses. All-risks policies have historically included claims for BI, which respond to loss arising from physical damage to property. This may prove problematic if your business is subject to a cyberattack, as “physical damage resulting in financial loss” typically does not cover ransomware attacks or other cybercrimes.
This is because electronic data or information is often not interpreted as having a physical existence. As such (in the absence of special extensions under the policy), a cyberattack and cybercrimes affecting electronic data and, in turn, causing an interruption to one’s business are often not covered under an all-risks clause, as physical damage to property is not something that is easily established.
Time deductibles and indemnity periods
Another aspect of general liability clauses that may prove problematic in the face of a cyberattack is that all-risks clauses often include time deductibles and indemnity periods, stating that loss coverage begins only after a specified period. However, a cyberattack lasting for a fraction of the applicable period could be devastating for a business.
For example, in 2016 Delta Airlines experienced a network failure for six hours, which cost the airline about $150 million. Another example is the Facebook outage of 2021, also only lasting for about six hours, which resulted in a decrease in revenue of more than $60m.
The nature and quantum of the loss
Establishing a cause and identifying the nature and quantum of the loss incurred is a further aspect to be mindful of insofar as your insurance contract is concerned. Damage to property is generally easier to prove than establishing a virtual cause. This is all the more reason for your company to ensure that an estimated quantum and the potential nature and cause of a cyberattack are clearly delineated in the policy.
Coverage for ransomware
Although most stand-alone cyber policies cover ransomware as a peril, not all policies offer the necessary coverage for losses associated with it. Coverage for loss associated with ransomware should fall under “cyber-extortion coverage”. This coverage should ensure that extortion payments are accounted for, as well as coverage for an IT forensic investigator who would be required to assess what data has been accessed, as well as the level of sensitivity of that data.
Third-party coverage
Companies may also be held accountable for third-party liability in relation to privacy and security incidents and should therefore have coverage that protects the company (as the insured) for liability resulting from the loss of personal and corporate confidential information.
The coverage should extend to the failure to protect client records and data, intellectual property infringement through mismanaging customer data, impaired customer access to the insured’s computer systems, and privacy intrusion through cyber activity.
It is important to bear in mind that a company itself does not necessarily have to be the target of a cyberattack to be affected. Cybercrimes can permeate a company’s suppliers and outsourced technology providers, which may cause collateral damage to the company.
The insurance industry seems to be moving towards tackling cyber BI risks by consulting with IT security companies, not only to calculate risk but also to provide for specific delineated coverage in this area. Very few cases have to date been tested in court. From a risk mitigation perspective, companies are advised carefully to analyse the scope of their cover and to have careful regard to the wording of their policies.
This content was written by Darren Willans and Sarah Passmoor, who are directors of Werksmans Attorneys, and Chiara Ferri, who is a candidate attorney.
Disclaimer: The views expressed in this article are those of the writers and are not necessarily shared by Moonstone Information Refinery or its sister companies. The information in this article does not constitute legal advice.
it is important that a business must only insure via specialized Cyber Insurance companies and not just via your normal \Commercial Insurer who offers an additional product.