Cedric Stephens | Cyber risk insurance can help: Part 2

Last Tuesday’s Gleaner headline, ‘Ransomware attack on world’s largest meat producer disrupts global production’, strengthens the case for this article and cyber risk insurance.

Which insurance companies in Jamaica offer cyber risk insurance coverage? What is the nature of the protection that they provide? What are the things they exclude? What is the cost? How will claims be handled? Today’s piece will answer these questions.

It will also review the CyberPro Version 3.0 Insurance Policy that is now available from British Caribbean Insurance Company (BCIC) – not 2.8 as previously stated – in association with specialist underwriting syndicates of the 335-year-old global insurance institution in London, Lloyd’s. The coverage is available directly from BCIC or through its broker network.

The average property and liability insurance contracts were created during previous centuries for the world of bricks and mortar. They are inappropriate for the complex, intangible, fast-moving, technology-dependent digital world of the 21st century. As a result, even the most experienced lawyers who are not computer-savvy, familiar with evolving cyber threats, and the rapid developments in cybersecurity will have difficulty in navigating a 30-odd page cyber risk insurance contract.

This insurance broadly offers protection against the financial fallout from cyber incidents − including data breaches, network damage, business interruption, legal fees, and even ransom payments. A cyber insurance solution, as some providers call it, is a service, not just a product. Insurers partner with industry-leading professionals, including risk assessors, forensic experts, and other technical support specialists to provide coverage and manage cyber threats when they occur.

The CyberPro Version 3.0 insurance policy consists of 18 insuring modules or parts as compared to two for a comprehensive motor policy. Nearly 45 per cent of the 18 parts, eight, apply to third parties or entities who the policyholder may become legally obligated to pay in the event of a cyber incident. Seven modules, 39 per cent of the total, are linked to losses that the policyholder may suffer when an insured event occurs. The remaining three parts protect against cybercrime-related monetary losses that the policyholder may suffer. This structure of one of many sections of the contract is an indicator of the complex array of the threats that organisations of all kinds and sizes face daily and of which most persons are not aware.

Here is a sample of some of the things covered under the three previously cited groups of risks:

• Actual or alleged professional wrongful acts;

• Multimedia and intellectual property wrongful acts arising during multimedia activities;

• Alleged or actual security and privacy wrongful acts including the policyholder’s liability if confidential personal information is disclosed;

• Claims expenses incurred as a result of regulatory actions;

• Network extortion money, including payment of a ransomware demand;

• Loss of business income either directly or from a dependent network event;

• Electronic theft, computer fraud, and telecommunications and social engineering fraud.

Limits and liabilities

Liabilities imposed under The Data Protection Act, for example, will provide background information for the inclusion of some of these risks. Section VII of the contract, dealing with ‘definitions’, describes in clear, easy-to-understand language, the meanings of many of the preceding terms which a fifth- or sixth-form high-school student would understand.

The protection afforded by this insurance is limited to an aggregate amount or limit of indemnity that applies to all 18 modules. The standard limits that are being offered under the CyberPro contract range from US$250,000 for, say, an SME, to US$5 million for some of the smaller companies listed on the Junior Market of the Jamaica Stock Exchange. Higher limits are also available.

Section VIII of the contract lists the policy exclusions. These types of conditions are found in all insurance contracts. Sit down with your insurance adviser or broker and IT expert and read insuring modules and the exclusions together to get a sense of their relevance to your situation before making a buying decision. This should be an important part of the process before signing on the dotted line. If you follow this advice, the probability is that you will avoid nasty surprises in future.

Many variables are involved that determine the cost of cyber risks insurance. As a result, it is not possible to provide a premium estimate in the absence of a completed application form. The minimum premium will be US$500 per annum. Premium and claims are payable in US dollars.

The claims-handling approach for cyber-risk insurance is different from that of bricks-and-mortar insurances since the coverage is a product as well as a service. Policyholders will have financial protection plus access to a team of responders whose job will be to help in getting the business back up and running.

The cyber claims management team includes experts specialising in cyber risk, forensics, public relations, and remediation. In the Colonial Pipeline attack that was referred to in last week’s article, it is likely that a cyber claims management team was operating in the shadows and provided the resources to pay the US$5 million ransom the hackers in Russia reportedly received as a result of the hacking.

Sean Thorpe, head of the University of Technology Jamaica School of Computing and Information Technology, recognises what he called the “imminent dangers” to Jamaica’s cybersecurity infrastructure based on a letter he wrote to the editor of this newspaper on May 25. He concluded by recommending ongoing vulnerability assessments to minimise the risks, saying “if one thinks this exercise is expensive, it becomes far worse when one has become the victim of a cyber attack … one never recovers from the data breach, not to mention the reputational damage and revenue fallout”. Is this hyperbole?

Steve Morgan, in a November 2020 special report, Cyberwarfare in the C-Suite, wrote in the context of the United States that “more than half of all cyberattacks are committed against small to mid-sized businesses and 60 per cent of them go out of business within six months of falling victim to a data breach or hack.” Cyber risks insurance can reduce those odds.

- Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com