Cyber insurance: the impact of evolving legal and regulatory risk

Cyber insurance is still (just about) the new kid on the block. It is commonly thought of as a tool to mitigate exposure to ever-evolving cyber risks. That is right up to a point; but the increasing exposure of business to losses potentially covered by cyber insurance is, in our view, in material part driven by changes in the legal and regulatory risk environment.

It is helpful to start by understanding what cyber insurance does: it transfers to the insurance market some categories of loss resulting from cyber and data risks which may not be covered under other insurance products (although to some extent there may be overlap). These losses may include, for example, cyber incident response costs, data breach claims and business interruption losses caused by cyber incidents.

Cyber and data risk may be considered as part of the peril or event from which insurable losses may result. These are well understood to be quickly evolving risks. According to the 2019 edition of the World Economic Forum’s Global Risks Report, cyber-attacks and data fraud are two of the top five risks that respondents identified as most likely to occur.

But the way in which a cyber and data risk translates into loss for a business, particularly for liabilities, fines and costs, is heavily impacted by the legal and regulatory environment. Recent developments include:

  • the UK Court of Appeal’s decision in the first data breach class action (WM Morrisons Supermarket Plc v Various Claimants [2018]) to uphold the finding of the High Court that an employer can be vicariously liable for an employee’s data breach even when the employer was not at fault. In response to an argument put forward by Morrisons that public policy considerations militate against imposing a disproportionate burden on an employer, the Court of Appeal’s response was that “the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees”;
  • the well-publicised General Data Protection Regulation (GDPR); and
  • the implementation in national law of the Network and Information Security Directive (Cyber Security Directive).

From an insurance perspective each of these developments carries significant potential exposures for businesses and, by corollary, insurers. The decision in Morrisons (which Morrisons is seeking permission to appeal to the Supreme Court) deals with liability and not with quantum. However, the data of almost 100,000 employees was leaked, and any compensation awarded, including distress-based damages, is likely to be considerable. A breach of the GDPR can lead to fines of up to the higher of EUR 20 million or 4% of global turnover; and similarly a breach of the Cyber Security Directive can lead to fines of up to £17 million.

There are also legal risks regarding the scope of what is insurable. Cyber insurance policies tend to provide cover for fines “to the extent insurable by law”. However, there is some uncertainty as to whether, or to what extent, some fines are insurable as a matter of English law. PRA/FCA fines are uninsurable; but whether GDPR or Cyber Security Directive fines are insurable turns broadly upon the application of the so-called illegality defence (i.e. the ex turpi causa doctrine) or, put another way, whether the basis of the fine may be considered quasi-criminal. By way of analogy, in the case of Safeway v Twigger the UK courts determined that a penalty for anti-competitive practices in breach of the Competition Act was not recoverable on these grounds. In the case of GDPR fines, it must be highly doubtful that fines for fraudulent conduct are insurable; but there is a debate to be had in relation to the insurability of fines for innocent or negligent behaviour, including whether it is correct to determine insurability by reference to conduct on a case-by-case basis. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD’s insurance and private pensions committee is considering the issue. Until these issues are resolved, we are left with the unsatisfactory position that policyholders cannot count on coverage for fines and, conversely, insurers may be exposed to them if they have agreed to underwrite that risk.

These legal and regulatory issues drive exposure to underlying loss, and the extent of coverage, in tandem with evolving cyber and data risk. In the meantime, the insurance market is responding with innovative insurance products aimed at mapping and mitigating risk. By way of example, some insurers are partnering with cyber security companies to offer cover alongside advice on cyber security and GDPR compliance policies, or to measure and score objectively the resilience of the insured’s network in order to evaluate the insurer’s risk. These types of products may become more widespread as a means for insurers to assess, control and manage their exposure to legal and regulatory risks in the cyber and data sphere.

Greig Anderson
Partner, London
+44 20 7466 2229
Sarah Irons
Professional Support Consultant, London
+44 20 7466 2060
Rachelle Waxman
Associate, London
+44 20 7466 2400

EIOPA Conference: The Main Themes

Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.

EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.

Coverage for ‘Doomsday or Armageddon’ data breach class actions: insurance implications of the Court of Appeal’s decision to confirm Morrisons’ vicarious liability for employee’s deliberate actions

In the recent judgment in Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 233 the Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself. It is understood that Morrisons intends to appeal to the Supreme Court. Our full analysis of the Court of Appeal’s decision can be found here.

Companies now find themselves exposed to potential UK data breach class action claims, including for distress-based damages, based on vicarious liability, even if they have appropriate safeguards in place and even if they are the intended victim of the breach. Day by day businesses find themselves responsible for higher volumes of personal data; and the risk of data breach claims is exacerbated by the legislative changes made by the GDPR, increasing public awareness of data protection issues and the publicity that this case has attracted. In addition, the facts of Morrisons were such that the company had been found not to be in breach of data protection laws. Future class action claims may be even easier to launch in circumstances where a company has been found to breach the GDPR, for example, by not having appropriate security measures in place.

CYBER INSURANCE REQUIREMENTS IN COMMERCIAL CONTRACTS: GETTING IT RIGHT

Cyber incidents have the capacity to cause many different types of loss. Insurance coverage exists for at least some aspects of cyber risks in the UK market. However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts. These issues are discussed in an article by Sarah McNally and Andrew Moir, first published in the December 2017 issue of PLC magazine.

Sarah McNally
Partner, London
+44 20 7466 2872
Andrew Moir
Partner, London
+44 20 7466 2773

Mitigating cyber security exposures: Risk transfer through cyber insurance

Now may be the time to review your cyber risk mitigation strategy and give serious consideration to whether the financial cost of cyber attacks could be transferred to insurers at a fair price.

Cyber security is amongst the leading risks for organisations around the globe. In the last few years most organisations have suffered cyber attacks of some sort, and a series of notable breaches have received heavy media coverage and regulatory scrutiny. Breaches damage not only organisations but also their customers.

Governments have started to wake up to the potential national security and economic impact of cyber attacks, and legislative change is afoot in a number of jurisdictions.

To date relatively few organisations (outside the US) have purchased standalone cyber insurance policies. That appears about to change.