The uptake of cyber insurance policies has grown rapidly due to the constant threat of hacking and cyber-attacks on an organization’s database. Those buying and claiming on a cyber policy should know what it covers. Assessing the common exclusions of cyber insurance is difficult as it is relatively new.
Common exclusions in cyber risk insurance
The exclusions in cyber insurance policies are as follows:
Patent, software, and copyright infringement
The intellectual property insurance policy covers patents, software and copyright. A cyber policy does not cover these.
In some cases, a cyber policy written in detail can cover defence costs for copyright infringement claims. However, a non-management employee or a third party needs to be responsible for these actions.
Wars and invasions
Most cyber policies exclude damages resulting from war, invasions or insurrections.
Lack of security measures
The claim can be denied if the insurer finds that the insured had not taken steps to safeguard data.
Not all policies have this exclusion, but all organisations need to follow the required security measures.
Injuries and damages
A data breach does not mean that any person is physically injured. Hence, the policy does not cover such claims. However, some policies do cover the cost involved in dealing with emotional distress and anguish.
Loss of electronic device
This policy does not pay for an employee losing a company-issued portable electronic device. That can be covered under a property insurance policy.
The claim will be denied if the breach has occurred in the third-party vendor’s system.
Government entity or public authority
The policy also does not cover recommendations or orders from government or public authorities.
Specific network interruption
A claim may be excluded if it is regarding data lost because of technical or network interruptions.
Cyber insurance policies have many exclusions to limit the insurer’s risk exposure and avoid coverage for known or predictable losses. This is due to the constantly evolving nature of cyber threats and the lack of historical data, making it difficult to accurately assess risk and set premiums.
Case Study I
Saleonline, a shopping website, had been in the business for 5 years. It was getting a good amount of daily traffic. Revenue figures too showed year-on-year growth.
However, a rogue employee misused the personal information of thousands of customers, including their address and credit card details.
Fortunately, Saleonline had obtained a cyber risk insurance policy. It covered the company’s cost of notifying customers whose data had been stolen.
The policy also paid the costs of credit monitoring for the affected customers. This ensured that the website suffered minimal losses from the information theft.
It also covered the cost of representing and defending the online business against legal actions.
However, the insurer denied claims for loss in business due to a slump in sales on the website. The claim was denied on the grounds that the policy does not cover loss of future revenue.
Case Study II
A car component manufacturing company had bought a cyber insurance policy to safeguard itself against cybercrimes and malware. But the management did not pay attention to updating the company’s software systems, since the business was primarily in manufacturing. As a result, the company was running an outdated system.
The company realised its mistake when an employee clicked on a malicious link in an email. The malware encrypted all the information stored on the company server.
The insurer’s IT forensic investigators found the company did not have malware protection. The insurer rejected the claim on the grounds that the loss was due to a lack of maintenance and this was contrary to the declaration in the proposal form.