The cyber insurance market has grown significantly in recent years. This is a trend which has continued through 2020, with new buyers coming into the market and existing buyers looking at expanded programmes. Whilst the overall awareness and knowledge of cyber insurance has improved, there is a lack of understanding about the scope of the coverage and we often hear scepticism about whether claims will be paid. This uncertainty has undoubtedly been fuelled by several high-profile legal proceedings, where press coverage has focused mainly on an insurance claim being disputed, rather than the underlying reasons.
99% of claims made on ABI-member cyber insurance policies in 2018 were paid
According to the data, the reality around cyber insurance claims paints a different picture. A report issued by the Association of British Insurers (ABI) in 2019 revealed that 99% of claims made on ABI-member cyber insurance policies in 2018 were paid. At the time, this was one of the highest claims acceptance rates across all insurance products. Whilst this is great news for policyholders, it still leaves a small proportion of unhappy clients, whose claims have not been paid as expected. So, what are the reasons for this?
A report issued by Willis Towers Watson looked at the nature, trends, causes and cost breakdown of loss events impacting businesses, including why claims haven’t been covered. In analysing the claims data, a few key reasons emerged which have led to claims not being paid, the main ones being:
– Using claims/incident response vendors without any prior discussion with insurers in breach of policy conditions;
– First party coverage was not taken out – coverage was purchased solely for data protection/privacy liability exposures, but NOT business interruption;
– Claim notified under the wrong policy – Crime policies were the most common;
– Betterment – costs were incurred in improving IT networks and infrastructure beyond that which existed prior to the cyber incident,
Interestingly, some of the above issues are by no means unique to cyber insurance – they can be witnessed across other lines of insurance.
What can be done?
Looking at the reason’s claims are rejected, there are several key actions you can take:
1. Understand what you are buying and why!
– Do you have a clear understanding of the insuring clauses, conditions and exclusions?
– Assess what coverage you may have within other insurance lines and how these will interact with a specific cyber insurance policy.
– Have a clear view of what your key risk exposures are and how your cyber insurance policy responds to these.
– Do you have an understanding of what claims/ incident response service is provided as part of the policy?
2. Work with your broker/insurer in advance
In advance of an incident, work with your insurers to ensure your incident response plans align with the cyber insurance policy requirements. This will ensure that insurers have a clear understanding on how your incident response plans operate and what to expect. Doing this in advance will allow you to focus on dealing with the incident rather than worrying about insurers’ consent. Our claims analysis has shown that breach/incident response and crisis management were by far the most commonly triggered insuring clauses, which highlights insurers’ requirement for a proactive and cooperative approach to having breaches investigated and remediated at an early stage.
3. Notify insurers early
Early communication with insurers and awareness of the approved vendor lists will help ensure that these type of coverage issues can be prevented
Have any questions? please don’t hesitate to contact one of our team