In the first article of this series, reference was made to the CyRim report that suggested a concerted global cyber-attack could cost between $85 and $193 billion, whilst also suggesting that only 14% of this amount would be insured.
This low proportion can partially be explained by confusion in the insurance market over how to offer the correct cyber insurance products at the right price. An understanding of the insurance market’s current position on cyber exposure will help energy businesses considering risk mitigation measures.
Non-Affirmative Cyber Cover
The Mondelez case mentioned in the previous article illustrates one category of cyber insurance: so-called non-affirmative (or ‘silent’) cyber cover.
This is where insurance cover is offered either inadvertently, inexplicitly or as a limited extension to an existing policy. For example, a typical property insurance policy may offer cover for ‘all risks of physical loss…’ and one could assume that, perhaps following a cyber-attack that resulted in physical loss to a key component, this would be insured. It may equally be (as in the Mondelez case) that cover may be excluded if the loss occurred as part of a systemic ‘hostile’ attack. Overall, non-affirmative cover is not ideal and indicates some laxity by both insurer and insured; even if cover is added to an existing policy, the applicable conditions on the extension of cover (i.e. the small print) will generally be those found on the original, master policy.
During 2018 the UK insurance regulator surveyed cyber underwriting practices and earlier this year wrote to all general insurance firms, outlining its findings and expressing concern about many insurers’ unmanaged exposure to policies offering non-affirmative cyber cover. In short, the systemic exposure to insurers from inadvertent cyber insurance cover is a concern and could mean critical infrastructure assets may have inadequate or no insurance cover.
Silent cyber cover is thankfully rare in the energy sector, as most physical damage policies have an explicit cyber exclusion clause that means cyber cover must be purchased separately. Whilst cyber insurance is a developing sector, some cover is readily available, although often not for very high limits (i.e. financial amounts). For example, cyber liability insurance covers risks such as IT breaches, data theft/loss and ransomware, and is competitively provided; policies may offer several additional benefits including loss of revenue, reputation damage, data recovery and cyber expertise to help with possible claims. However, cover for physical damage as a result of cyber and for cyber losses to the supply chain is more limited because of the obvious systemic risk to the insurer; these exposures will be carefully underwritten and could be expensive.
It is apparent that the cyber risk environment is evolving rapidly, for both the energy sector and the insurance market that serves it; a transparent, competitive insurance market will undoubtedly develop as experience of cyber risk grows. However, despite very high cyber risk awareness in all sectors, confusion over insurance cover is still apparent. In the short term, pending the development of a substantive cyber insurance market, cyber exposure can be managed and mitigated through some simple steps that could include the following:
- Putting cyber awareness at the heart of risk management, with constant review to keep abreast of the fast-moving cyber threat environment.
- Auditing key processes and systems to help identify vulnerabilities or weaknesses, or where the greatest exposure lies.
- Considering risk mitigation measures to address these key exposures, including insurance if available.
- Checking all insurances and not relying on silent cyber cover; instead seeking out affirmative, specific new cyber cover.
- If insurance is already in place, checking it is fit for purpose and will respond; challenging brokers and underwriters with loss scenarios to verify this.
- Checking the limits, excesses and waiting periods of all cyber-specific insurances, again challenging the broker or underwriter.
- Considering which extensions, such as legal funding, post-event PR, business interruption or (if available) physical damage would be of benefit.
- Understanding how any claims will be handled before the event and ensuring comfort with post-attack procedures; making sure cyber events are part of the Business Continuity Plan.
- Not opting for the cheapest insurance cover; better quality insurance cover provided by more solvent insurers will cost more, but such policies will be more secure and responsive to exposure.
Mark Tetley has wide experience gained from senior positions across the London insurance market as both an underwriter and a broker, in a variety of sectors. He provides advice and assistance on a wide range of insurance and risk issues, including comprehensive nuclear liability and property insurance assistance, complex infrastructure project programme design and review, claims and policy reviews, assistance with project insurance design and implementation in developing countries, and many other aspects of risk mitigation.
Prospect Group is an award-winning Multi-Disciplinary Practice combining the legal services of Prospect Law with the consultancy services of Prospect Advisory. Our lawyers and technical experts provide a single point of reference for clients involved in energy, infrastructure and other development projects.
This article remains the copyright property of Prospect Law Ltd and Prospect Advisory Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law and Prospect Advisory.
This article is not intended to constitute legal or other professional advice and it should not be relied on in any way.
For more information or assistance with a particular query, please in the first instance contact Adam Mikula on 020 7947 5354 or by email on [email protected].