Blog Question: What cover does a fire or ISR policy afford for cyber
I received this question from a broker during the night and in view of the huge number of calls and emails I received on the action by sea post yesterday I answered this question in the early hours of the morning from home without the benefit of my policy or book library. The question posed was:
we have the following scenario the client has had a cyber attack and has been held to ransom at this point in time.
He was never given Cyber Insurance.
The only thing I am thinking is would he be able to claim under Additional increased cost of working if he doesn’t have a fire section under that policy, is there anyway he can claim to recuperate his loss,
I was hoping that he may be able to put in a claim under Additional Increase in Cost of Working but that would be on the optimistic side?
HH [surname and email address provided]
Unfortunately, to make any sort of claim under the Business Interruption section of an ISR or business pack policy there must first be damage as insured by the material damage section. There are a few exceptions such as the Murder Suicide extension but this is the exception to the rule.
Cyber policies were introduced as fire/material policies were not designed for nor are they rated for cyber attacks.
The Mark IV version of the Industrial Special Risks policy (“ISR”) was drafted before the widespread use of the Internet and while their are some exclusions that would certainly apply some insurers add they own version of an additional exclusion for cyber attacks, such as what we have here, a cyber ransom attack. Without the wording involved I cannot point to all the specific ones but I am sure you can spot it.
Thinking about the base wording for a minute, and forgive me as I am relying on memory as I do not have my ISR book or a policy with me here, so I could stand corrected but I think it is Perils Exclusion 7 (b) which reads something like:
The Insurer(s) will* not be liable under Sections 1 and/or 2 in respect of:
7. Physical loss, destruction or damage occasioned by or happening through:
(ii) access by any person(s) other than the Insured or the Insured’s employee(s) to the Insured’s computer system via data communication media that terminate in the Insured’s computer system.
*Note the actual wording reads “shall”. Also note that Section 2 which is referred to in the preamble to the exclusions specifically mentions Section 2 which is the Consequential Loss of Profits (Business Interruption) section.
Property Exclusion 2e which excludes loss by extortion, kidnapping, extortion etc may well apply. This specific exclusion applies to money losses and the ransom may well be regarded as a loss of money.
I also think Property Exclusion 16 in the Mark IV Modified version, about mechanical or electronic breakdown which again from memory has an all encompassing / catch all exclusion of: “or non-operation of whatsoever kind” or words to that effect would knock out any attempt to claim.
While I may be premature in giving the advice without the benefit of seeing the actual wording involved I fear any attempt to make a claim under an ISR policy whether it be under Additional Increase in Cost of Working or elsewhere will fail on a number of grounds.
Without wishing to stress the obvious, Cyber attacks are serious and on the increase. Therefore all clients need to be warned and encouraged to consider a quality cyber cover. A quality policy will have specialist IT support for the client in an event such as this and if that fails there will be coverage for the ransom plus Business Interruption coverage for any disruption caused.
Sorry I do not have better news or a magic wand to fix the problem.
There are 4 additional things I would mention to you:
- To learn more about Cyber Security and Insurance you are welcome to access a free eBook titled Mannings Guide to Cyber Insurance here. You can download a copy or purchase a hard copy version from here. Many brokers have co-branded the book and provided it to their clients as both a sales tool and protector of their professional indemnity program.
- RiskCoach provides a guide to the importance of cyber insurance along with 11 other classes of insurance. Providing the Hazard Index to each client again acts as a sales tool and protects the broker’s professional indemnity.
- 3. PolicyComparison.com provides a detailed comparison of the various Cyber policies available in the Australian, New Zealand and United Kingdom markets.
- 4. Now more than ever, I recommend that businesses develop a Business Continuity Management Plan. Many insurers require one before they will offer cyber insurance but the benefits go well beyond that. ContinuityCoach.com is an inexpensive way to do this.