Blog: Cyber Liability Insurance

Ryanair. A timely reminder why Europeans need First Party Cyber Liability Insurance

Ken Munro 01 May 2015

policy

You already know the drill: A phishing mail arrives in Accounts Payable, malware gets installed, your business banking credentials are stolen, and €4.6m gets stolen from your account.
You call your underwriter and they say those magic words “you’re not covered, because it’s a cyber incident”.

As you cry all over your balance sheet you discover that this is a remarkably common occurrence in UK and EU businesses. Why? Why aren’t businesses covering themselves for this?

 

There are several reasons why I believe that cyber liability insurance hasn’t taken off in the same way in Europe as it has in the US:

Risks and claims are different

Proving harm and loss in Europe in the event of a data breach is often more difficult, though depends heavily on the country involved. As a result, the high profile US breaches that are the mainstay of the ‘cyber’ press are often describing loss cases that simply aren’t relevant to European businesses.

Mandatory disclosure legislation isn’t present in many EU counties

In the event of a 3rd party data breach in the US, most states have a mandatory reporting requirement. Hence, breaches are public and high profile. Businesses have to disclose and usually have to contact the affected individuals. So long as credit card data isn’t involved, it’s rare for an EU data breach to be made public. It’s no surprise that with fewer perceived incidents, business erroneously believe the risk of compromise is lower.

3rd party cyber liability insurance is less relevant in the EU, but 1st party is VERY relevant

Cyber policies are marketed poorly in the EU. Brokers raise the subject with their clients at policy renewal time. The subject of cover is discussed, usually resulting in a significant premium covering 3rd party loss cases. The risk manager doesn’t really understand the risk case, as it’s a highly technical subject. The broker can’t really answer their questions either. Result? The client doesn’t buy the policy.

EU businesses DO need 1st party cyber liability insurance though. The most common ‘cyber’ claim I’m involved in is theft from corporate bank accounts. A keylogger is installed in accounts payable through some simple phishing & malware. Bank creds are stolen, funds are moved out of the country. The existing corporate ‘theft’ policy doesn’t pay out because it’s a ‘cyber’ incident. That’s one of the many areas that a 1st party cyber policy will cover.

Premiums for the above type of first party cover are (generally) much lower as there is (generally) less at stake.