The growth of specialist cyber insurance as an independent line of business in the insurance industry has been the result of wide-ranging data protection and notification laws enacted in US states in the past decade or so, and more recently in the EU, following the implementation in member states, including the UK, of the Networking and Infrastructure Security (NIS) Directive and the General Data Protection Regulation (GDPR).
This new EU legislative regime imposes duties and severe sanctions (up to 4% of worldwide turnover in the case of the GDPR) on corporations that fail to implement adequate personal data security measures to prevent IT system breaches affecting personal data. The EU-wide regime also imposes a disclosure obligation that personal data breaches must be notified both to state regulators and, when appropriate, to personal data owners.
The transparency that has arisen from the duty to notify breaches has increased data owners’ claims against corporations that fail to adopt adequate data protection measures. The financial impact of such claims is compounded by potentially long-lasting adverse publicity following large-scale data breaches. These two factors have also bolstered the demand for high-value regulatory sanctions to be imposed on corporations that do not comply with data protection laws.
Demand for specialist cyber insurance has also increased as a consequence of the greater frequency and larger-scale impact of all forms of cyber attack, such as viruses, malware, ransomware and phishing emails.
As a result of all these factors, some international reinsurers estimate that cyber risk insurance premium income will double by 2020 to over US$8 billion, from about US$4 billion in 2017.
With the ongoing development of the specialist cyber insurance market, policies now routinely provide coverage for the costs and expenses of IT system repair, data recovery, data breach notification, credit monitoring, public relations, legal fees, third-party data breach claims and extortion.
Against this background, and to improve the standards of cyber security in corporations, in June 2014 the UK Government, with the support of several insurance industry organisations, launched the Cyber Essentials Scheme, which provides a certification procedure to encourage corporations to reach adequate levels of IT security.
Alongside and in anticipation of the impact of the new EU legislative regime, at national level, significant regulatory developments have taken place in the UK. In 2017, the UK’s Prudential Regulatory Authority (PRA) issued supervisory statement SS4/17 (SS4/17) in which it set out its expectation that all regulated insurance and reinsurance firms must have adequate capital provisions and reduce non-affirmative cyber risks exposure (ie where coverage is not clearly provided in traditional lines of insurance and the premium has not been adequately charged) by, amongst other measures:
SS4/17 was followed in January 2019 by a letter from the PRA addressed to ‘chief executives of specialist general insurance firms regulated by the PRA’ giving notice of its intention to carry out deep-dive reviews (ie stress-tests) of regulated insurance firms to assess whether these firms have been adequately reducing their exposure to non-affirmative cyber risks.
In response to the PRA’s expectation regarding unaccounted-for non-affirmative cyber risk exposure, the International Underwriters Association (IUA) published this year the Cyber Loss Absolute Exclusion Clause (IUA 09-081) and the Cyber Loss Limited Exclusion Clause (IUA 09-082). Although these are intended to be a more robust set of cyber exclusion clauses, it remains to be seen whether they will be widely adopted by the market, particularly in traditional lines of insurance.