Cyber insurance is probably the single most rapidly evolving insurance product on the market, and understandably so. It’s still a fairly young product, and cyber criminals are constantly changing their tactics. As a result, insurers are constantly adapting their policy forms. With constant changes, it can be difficult to know what coverages you (as a policyholder or broker) may be missing out on. Here are some of the newer enhancements we’re regularly seeing from insurers.
- Utility Fraud Coverage: Sometimes the damages related to cyber-attacks can be entirely unexpected, like a hefty electric bill. Cyber criminals are now employing two newer hacks that can significantly affect a company’s utility costs. The first such attack is crypto-jacking, in which hackers fraudulently use computer systems to mine crypto-assets. For those unaware of what “mining” means, every bitcoin transaction must be verified and a ledger entry is added to the blockchain. Those processing these transactions can earn cryptocurrency in return. To maximize that return, however, cyber criminals are now taking over the computer systems of others to process large blocks of transactions. This results in computer systems running at near full capacity, which can generate a significant increase in electricity costs for the victims. Although many may be unfamiliar with this type of attack, these attacks are extremely popular and growing. Last year, IBM reported that many hackers had actually abandoned ransomware attacks in favor of crypto-jacking, with an increase of 450% from the prior year. The other utility-related fraud is telecom fraud, in which cyber criminals access VOIP systems to route long-distance calls, often on a large scale. Trend Micro has a nice illustration here of exactly how those frauds are carried out. In response, many insurers have begun providing “utility fraud endorsements,” which provide coverage for any resulting increase in utility costs stemming from these unauthorized acts.
- Bricking Coverage: Almost all cyber insurance policies contain broad bodily injury and property damage exclusions. These can be particularly problematic for companies operating in certain sectors. They can also be problematic for specific claims, such as those attacks that effectively cripple (also known as “bricking”) a company’s computer systems. Crypto-jacking attacks can not only result in significant utility costs but can overwhelm a company’s computer network, effectively destroying any affected computers. Imagine a mid-sized company with 150 affected computers, having to replace each system at a cost of $2,000. That’s a cyber-attack with a $300,000 price tag. Luckily, many carriers now provide “bricking coverage endorsements,” which specifically cover the costs to repair or replace computer systems that may be destroyed by cyber-attacks.
- System Failure Coverage: Generally speaking, if computer system failures are caused by cyber intrusions, coverage for any resulting lost income would be triggered under the “lost income” insuring agreement within a cyber policy. Many companies today have taken this coverage one step further by including specific “system failure endorsements” that provide coverage for lost income resulting from any unintentional/unplanned system failures. The broadest versions of these endorsements also often extend coverage to include lost income resulting from system failures that affect dependent third parties.
- Coverage for Reputational Loss: Cyber intrusions can generate considerable media attention and inflict significant reputational harm. Almost all cyber policies include some form of crisis management coverage for the costs associated with hiring a PR firm to minimize reputational harm, but coverage for any resulting lost income is often absent. In an effort to mitigate the risk of lost income stemming from negative PR following a cyber event, policyholders should ensure their policies contain an appropriate endorsement for “reputational loss.” It’s also important that insureds review these endorsements carefully - coverage can often be severely sub-limited, and more restrictive endorsements may specify that the loss must be the direct result of a publication. Because such a direct relationship will likely be difficult to establish, insureds should favor endorsements that have no “direct” requirement to trigger coverage.
- Coverage for GDPR/CCPA Violations: The passage of recent privacy regulations such as GDPR and CCPA now subjects companies and their directors to regulatory scrutiny (and hefty fines) for privacy-related violations. To complicate matters, many companies are unfamiliar with their compliance requirements and obligations. While the majority of insurers already include regulatory coverage within their cyber policies, there are often considerable gaps in those insuring agreements. To broaden policy terms and clarify the scope of coverage for violations of these regulations, some companies have begun to include specific GDPR and CCPA endorsements that provide coverage for costs associated with violations of these laws, stemming from “privacy wrongful acts” such as: misuse of protected information, improper collection of protected information, failure to correctly safeguard or manage protected information or failure to inform individuals regarding the collection of protected information.
- Bodily Injury and Property Damage Carve-Backs: As briefly mentioned above, almost all insurers include broad bodily injury and property damage exclusions within their policy forms. The intent is to push those claims to respective general liability policies, where they belong. However, insureds are left without coverage in circumstances where the cyber intrusion itself results in bodily injury or property damage (a topic we visited in depth in our prior article). This coverage gap is often identified when working with an experienced cyber broker, who will attempt to negotiate improved wording at the time of purchase. However, it appears a growing number of insurers are slowly realizing the need for improved policy language and automatically including appropriate carve-backs, which will preserve coverage for such claims.