Cyber and professional indemnity insurance - where's the overlap?
"We are noticing a rapidly growing interest in our cyber insurance offering, both by brokers and potential policyholders." This is according to Natalie van de Coolwijk, MD of CyGeist, a cyber-focused UMA underwriting on behalf of Guardrisk.
Van de Coolwijk notes that this is in response to significant changes in the corporate threat landscape over the last few years, primarily as a result of the increasing value of organisations' digital and information assets, the corresponding surge in cyber crime and the introduction of legislation forcing companies to adequately protect sensitive information.
Insurance has evolved accordingly in order to address this new breed of risks, as can be seen by the increasing number of carriers venturing into the cyber insurance market. As always, change is accompanied by its faithful companion, uncertainty, with many brokers and consumers trying to understand what new coverage elements cyber insurance policies introduce, and where their cover potentially overlaps with the more traditional insurance products, in particular, professional indemnity policies.
Both CyGeist and Stalker Hutchison Admiral (SHA), a leading underwriter of professional indemnity insurance, confirm that the biggest and most easily understandable difference between cyber and professional indemnity policies lies in the cover for consequential costs of a data breach provided by the former. "Professional indemnity policies do not provide any of the first-party cover offered by a cyber insurance policy," affirms Candice Sutherland, Business Development Consultant at SHA. This first-party cover includes loss of business income and data recovery resulting from a network security or privacy breach, as well as crisis management, which encompasses all costs incurred in minimising the impact of the breach. These costs could include fees of attorneys, forensic investigators, IT specialists, loss adjusters and other suitable specialists, costs of a PR campaign to minimise reputational damage and costs of notifying parties affected by the breach.
Van de Coolwijk cautions that the value of the first-party cover, particularly the crisis management element, is often greatly underestimated by companies. "This element of the coverage has actually emerged as the driving force behind the purchase of such policies in the US, and interesting figures from the latest NetDiligence Cyber Liability and Data Breach Insurance Claims study substantiate this. Of the $84 million in total payouts submitted by insurers for the purposes of the study, approximately half (50.4%) was spent on fees of specialists, crisis management and notification."
Not only is the first-party cover the main difference between the two types of policies, it is also a fundamental risk management tool by driving correct policyholder behaviour. Traditional liability policies respond when a demand for damages is made by third parties. In the specific case of cyber incidents, waiting for a demand would be leaving things woefully late as timeous action is critical. Cyber insurance policies are triggered when the breach is suspected, and it is at this point that relevant crisis management service providers are deployed. It is this proactive approach which, when one is dealing with data breaches, is imperative in minimising the loss and potential reputational damage.
As far as the actual liability element is concerned, there might be some specific circumstances resulting in overlaps between the two types of policies, but this will ultimately depend on how broadly the professional indemnity policy wording is framed. The broker and client would need to review the following more closely:
* Generally, professional indemnity cover relates to the provision of a professional service, but information and cyber risks are often not a fundamental part of the professional service being offered.
* Broadly speaking, professional indemnity cover is negligence-based, and since the Protection of Personal Information Act is going to impose strict liability, these risks could fall wide of the cover.
* Fines and penalties are a very common exclusion under professional indemnity policies, whereas cyber insurance policies generally afford coverage to the extent insurable by law.
Given that the Protection of Personal Information Act is not fully implemented yet, the South African environment with respect to privacy legislation is still very immature and untested. Both SHA and CyGeist recommend keeping track of rejection decisions by insurers going forward in order to better understand to what extent these risks are excluded from traditional liability coverages. There is also the possibility that some insurers won't feel comfortable covering such risks and end up implementing further exclusions so as not to insure them. Sutherland warns that in the US, many insurers have rejected cyber and privacy-related claims under the more traditional policies, and when contested, the courts have sided with insurers.