ABSTRACT: Digitalisation is an unstoppable process that changes, day by day, the framework of interaction between citizens, companies and Public Administrations. Although digitalisation simplifies recruitment processes and boosts the market, it is subject to risks: the so-called cyber-risk. Notes on cyber-insurance: a necessary market in the face of the uncertainty of technological risk.
In April 2007, Estonia suffered one of the first known massive cyber-attacks. The collapse of the financial system and the Public Administration of this small Baltic republic brought the cyber-security issue to the centre of the geopolitical stage.
Ten years later, in May 2017, WannaCry wreaked havoc in strategic enterprises and different public services, among them 16 NHS Hospitals. In 2018, Spain recorded a 25% increase in cyber-attacks against companies of strategic interest.
Nowadays, in 2019, Spain ranks 11th (out of 28) on the Digital Economy and Society Index (DESI) made by the European Commission since 2016. The DESI assesses different aspects of digitisation, such as (i) connectivity, (ii) human capital, (iii) use of internet services, (iv) integration of digital technology, and (v) digital public services.
Spain’s evolution on the DESI, which has been recorded since 2015, shows how the effort made by Public Administrations and companies has lifted Spain’s rank from 15th to 11th in less than 3 years. Although Public Administrations are responsible for boosting Spain’s rank in this index, companies and human capital (the use of new technologies by the population) have slowed progress in the index.
In any case, the growing digitalisation of Spain (and of its companies) makes the country more vulnerable to technological risk or cyber-risk.
Cyber-risk means every risk that arises from the use of digital communication and operation systems by companies and/or Administrations and which causes a series of economic disadvantages, damages or injuries.
In view of the risk that companies and Public Administrations face from growing (and unstoppable) digitalisation, the insurance industry proposes a new product: cyber-insurance.
Cyber-insurance aims to mitigate the effects of cyber-risk. Usually the property consequences of a “cyber-attack” are: loss of profits, cessation of production and additional costs… In other words, cyber-insurance is not a primary barrier of protection against cyber-risks (it doesn’t prevent them) but a measure to mitigate their effects.
In light of the increase of cyber-attacks, companies are increasingly aware of the need to protect themselves against cyber-risks, which resulted in a higher increase of 10% in the underwriting of this kind of insurance policies.
The fundamental problem of a cyber-risk policy lies in determining the risks and the assets that will be covered, defining the claim, and setting the temporal and, especially, territorial delimitation (especially important for an umbrella policy). In the scope of cyber-insurance, defining precisely the kind of damage and the bases of coverage is more important than in other kinds of insurance.
Cyber-risk policies are differentiated, a priori, from those related to data protection. In the Spanish market, however, there is confusion about coverages and types of policies, which has led to the breach of data protection regulations being considered a cyber-risk. The generic and open-ended terms “appropriate security” or “appropriate technical and organisational measures” contained in Regulation (EU) 2016/679, of 27 April 2016, on personal data and on the free movement of such data, contribute to mixing different types of policies and to separating the liability for breaching data protection regulations from civil liability or D&O policies.
The key coverage of cyber-insurance is losses: the loss of profits due to cessation/change of production, possible ransomware or even fraudulent funds transfers. The key issue when insuring the loss of profits lies in determining until when the Insurer must cover the loss of such profits: until the normal turnover is recovered or until production restarts.
Moreover, the risks that may be covered by cyber-risk policies include: (i) damages to third parties arising from security failures (denial of service attacks, cessation of production/supply…), (ii) incident management costs, (iii) reputational risk restoration costs, and (iv) damages caused by the broadcast or publication of confidential third-party content.
Among the risks typically covered by cyber-risk policies, it is necessary to highlight the coverage of incident management costs, which includes determining the causes/source of the cyber-risk, assistance by a team of specialised legal counsel, counselling by a communications office or the services of a crisis team, among others.
Some of the most sophisticated products in the cyber-insurance market provide for assistance prior to underwriting in order to determine the insurable assets, the level of cyber-security of the Policyholder/Insured Person or the vulnerability analysis of the Policyholder/Insured Person.
The Spanish insurance market looks to London and the United States when shaping and designing cyber-insurance policies, adapting the clauses to the specific features of the Spanish market. These clauses, in turn, are used in Latin America, where the European-based clauses meet the American approach to cyber-risk (broader than the European one). Therefore, we find ourselves before a highly heterogeneous market (risks, coverages, Insured parties…), which creates tailor-made products.
Bearing in mind the nature of the covered risk and the special features and high heterogeneity of the market, there are two critical moments when underwriting/managing a cyber-insurance policy: the prior analysis of the Policyholder/Insured Person’s cyber-security and the regular update of the stated risk, which, due to the nature of digitalisation, is continuously changing and readjusting.
Digitalisation is an unstoppable process that changes daily the world where citizens, Public Administrations and companies, among which we can find the insurance industry, interact. Cyber-insurance aims to mitigate the economic and financial risk that arises from technological development and from the digitalisation of the economy, because, in the words of Isaac Asimov, “What does a scientist offer instead? Uncertainty! Insecurity!” And, as we all know, uncertainty and insecurity are a necessary precondition for the origin of insurance.
At Belzuz Abogados S.L.P., we suggest exercising caution (and being properly counselled) when underwriting a cyber-insurance policy in order to avoid the unpleasant surprise of unforeseen coverage exclusions or unintended overexposure to risk.
AUTHOR: Ian Pérez López. Lawyer. Insurance Law Department, BELZUZ ABOGADOS, S.L.P.