Will insurers Wanna Cry? On the legal repercussions of the global cyber attack

Cyber security is an unwelcome problem that few businesses have ever wanted to discuss. Until now. After severely affecting parts of the NHS and numerous large businesses internationally, the global Wanna Cry ransomware attack has changed the climate of discussion overnight.

According to a recent UK government survey, 81% of big corporations and 60% of small businesses suffer an annual cyber breach: big or small, businesses now have to address an issue that has an impact on various lines of insurance. The Institute of Directors has recently criticised the unpreparedness of most businesses in dealing with such incidents. 

Because the Wanna Cry attack was a worldwide attack, questions arise relating to events and aggregation, depending on the line of business and the relevant wording. Reinsurers and retrocessionaires face the immediate issue of accumulations and they are considering protocols for dealing with exposure and claims as they filter through. At an underlying level, insurers will be checking how policies are triggered in different countries. 

Cyber cover is not standard. Some covers may theoretically be easier to deal with: loss or damage to digital assets; business interruption, which is often the primary issue; and reputational damage. But ransom payments, which are treated differently by each legal regime, may lead to an absence or disconnect between covers. In reality, most of the losses will probably come from impacted lines of business rather than the cyber covers themselves.

Potential issue

Reigniting a previous debate, another potential issue relates to the operation of newer versions of terrorism exclusions with extensive cyber terrorism provisions. Some wordings may exclude losses, ‘however remote’ the connection may be between those losses and ‘cyber terrorism’. In traditional covers, the guiding principle applied by the market to trigger a terrorist exclusion has been that the relevant clause requires a ‘terrorist act’ to have been committed, with violence as a key component. This is distinct from the ‘act of a terrorist’ which may, for example, involve individuals with terrorist links breaking into a bank to raise money to finance their operations.

Accordingly, because cyber terrorism does not contain the violence component, it becomes more likely that a cyber attack falls within widely drafted exclusions. In the context of over-restrictive covers and over-extensive exclusions, political extremist links may also be relevant - as can any provable remote connection with activities by the international intelligence communities. An added dimension is the interconnection between cyber terrorism exclusions, also encompassing losses not involving violence, and the narrow scope of some cyber cover, which envisages that some losses should come under other more specific or specialist covers. 

A further concern arises if it is demonstrated that the insureds have inadequate protection in place, or have failed to maintain sufficient protection by regularly updating their systems and security. When it comes to contractual obligations, tribunals tend not to forgive deficient compliance: absence of firewalls or proper password and software protection. These may be seen as the modern equivalent of leaving a house with unlocked doors or open windows. It also brings directors, officers and consultants into the firing line. Again, there are different legal implications in each scenario. An additional problem relates to the Data Protection Act and the upcoming General Data Protection Regulation.

These diverse issues will require careful examination of the legal language used in every policy, which either directly or indirectly deals with losses arising from cyber incidents. Also to maintain legal privilege when all the relevant work is undertaken. The proper application of wordings dealing with cyber attacks, where there is a remote connection with terrorism, will need particularly careful attention. More than anything, the ransomware attack is a sharp reminder to the market that serious legal repercussions can follow if proper protections are not put in place or kept up to date.