Will insurers Wanna Cry? On the legal repercussions of the global cyber attack
Need to know
- Most of the losses will probably come from impacted lines of business rather than the cyber covers themselves
- Terrorism exclusions are traditionally triggered by violence, which tends to be absent in cyber attacks
The Wanna Cry ransomware attack is going to bring into light cyber wordings and terrorism exclusions, explains Hermes Marangos, partner at Signature Litigation.
Cyber security is an unwelcome problem that few businesses have ever wanted to discuss. Until now. After severely affecting parts of the NHS and numerous large businesses internationally, the global Wanna Cry ransomware attack has changed the climate of discussion overnight.
According to a recent UK government survey, 81% of big corporations and 60% of small businesses suffer an annual cyber breach: big or small, businesses now have to address an issue that has an impact on various lines of insurance. The Institute of Directors has recently criticised the unpreparedness of most businesses in dealing with such incidents.
Because the Wanna Cry attack was a worldwide attack, questions arise relating to events and aggregation, depending on the line of business and the relevant wording. Reinsurers and retrocessionaires face the immediate issue of accumulations and they are considering protocols for dealing with exposure and claims as they filter through. At an underlying level, insurers will be checking how policies are triggered in different countries.
Cyber cover is not standard. Some covers may theoretically be easier to deal with: loss or damage to digital assets; business interruption, which is often the primary issue; and reputational damage. But ransom payments, which are treated differently by each legal regime, may lead to an absence or disconnect between covers. In reality, most of the losses will probably come from impacted lines of business rather than the cyber covers themselves.
Potential issue
Reigniting a previous debate, another potential issue relates to the operation of newer versions of terrorism exclusions with extensive cyber terrorism provisions. Some wordings may exclude losses, ‘however remote’ the connection may be between those losses and ‘cyber terrorism’. In traditional covers, the guiding principle applied by the market to trigger a terrorist exclusion has been that the relevant clause requires a ‘terrorist act’ to have been committed, with violence as a key component. This is distinct from the ‘act of a terrorist’ which may, for example, involve individuals with terrorist links breaking into a bank to raise money to finance their operations.
Accordingly, because cyber terrorism does not contain the violence component, it becomes more likely that a cyber attack falls within widely drafted exclusions. In the context of over-restrictive covers and over-extensive exclusions, political extremist links may also be relevant - as can any provable remote connection with activities by the international intelligence communities. An added dimension is the interconnection between cyber terrorism exclusions, also encompassing losses not involving violence, and the narrow scope of some cyber cover, which envisages that some losses should come under other more specific or specialist covers.
A further concern arises if it is demonstrated that the insureds have inadequate protection in place, or have failed to maintain sufficient protection by regularly updating their systems and security. When it comes to contractual obligations, tribunals tend not to forgive deficient compliance: absence of firewalls or proper password and software protection. These may be seen as the modern equivalent of leaving a house with unlocked doors or open windows. It also brings directors, officers and consultants into the firing line. Again, there are different legal implications in each scenario. An additional problem relates to the Data Protection Act and the upcoming General Data Protection Regulation.
These diverse issues will require careful examination of the legal language used in every policy, which either directly or indirectly deals with losses arising from cyber incidents. Also to maintain legal privilege when all the relevant work is undertaken. The proper application of wordings dealing with cyber attacks, where there is a remote connection with terrorism, will need particularly careful attention. More than anything, the ransomware attack is a sharp reminder to the market that serious legal repercussions can follow if proper protections are not put in place or kept up to date.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@postonline.co.uk or view our subscription options here: http://subscriptions.postonline.co.uk/subscribe
You are currently unable to print this content. Please contact info@postonline.co.uk to find out more.
You are currently unable to copy this content. Please contact info@postonline.co.uk to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@postonline.co.uk
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@postonline.co.uk
More on Claims
60 Seconds With... Value Space’s Reijo Pold
Reijo Pold, founder of Value Space, a technology company that uses satellites to conduct assessments for commercial properties and infrastructure, reveals he has been working since he was aged seven and doesn't even totally clock off when he goes on holiday.
Perils warns of continued storms as it gives third Babet damage estimate
Perils has disclosed its third industry loss estimate for the floods and storms caused by storm systems Babet and Aline that hit the British Isles and north western Europe in October 2023.
Construction adjuster builds out with London team
Specialist Lines, a niche construction and engineering loss adjusting firm headquartered in Bury, has launched a new London Market and International division with the recruitment of a team from Global Risk Solutions International.
Cila president insists loss adjusters are far from dead
Far from being on a pathway to extinction, Chartered Institute of Loss Adjusters’ president Steven Wallace has claimed his part of the insurance industry has “never been more relevant”.
How an AI-assisted motor claims handler cared for me
Editor’s View: Emma Ann Hughes shares how a recent call to her motor insurer highlighted why humans will always be needed to care for policyholders in their hour of need.
How to support insurance customers in vulnerable circumstances
As the Financial Conduct Authority intends to check claims-handling response times, and whether insurers are doing enough to help customers in vulnerable circumstances, Winn Group chief information officer Clint Milnes explains what providers need to do to meet the watchdog’s expectations.
How insurers should navigate supply chain disruption
With supply chain disruption continuing, Bill Bradshaw, operations senior vice president for London operations at FM Global, says companies need to prioritise resilience and proactive prevention measures beyond insurance reliance.
MoJ ‘needs to look’ at single personal injury claims portal
A single portal for motor personal injury claims is necessary for streamlining the claims process, Verisk’s head of personal injury claims, Simon Bradshaw, has told Insurance Post.