Cyber attacks are on the rise and as brokers and risk managers urge insurers to make policies clearer Cyber Decider CEO Neil Hare Brown explains where definitions need simplifying.
Despite feedback from brokers, calls from the Association of Insurance and Risk Managers, and a recommendation by the European Insurance & Occupational Pensions Authority in its Understanding Cyber Insurance report, cyber policy wordings lack standardisation and are difficult to understand.
It would simplify the wordings if the definitions were simplified and exclusions were used to take out cover rather than definitions. By agreeing some common terminology for the terms widely used by clients, brokers and insurers, greater cover clarity could be achieved.
For example, almost all policies refer to the ‘computer system’, but policy definitions differ considerably, for instance some exclude industrial control computers and at least one excludes laptops.
Many insurers use the ‘computer system’ definition to add in cover for third-party systems. It would be simpler if the definition was standardised, such as “computer systems” means all electronic computers including operating systems, software, hardware and all communication and open system networks or websites and mobile devices including but not limited to laptops, data storage devices, smartphones, iPhones, tablets, personal digital assistants, electronic ofﬁce equipment, and equipment controlling manufacturing processes, or forming part of machinery.
This would mean that the exclusions deal with parts of the computer network that insurers do not want to cover, rather than hiding exclusions in definitions. If insurers do want to provide cover for the computers systems of cloud providers or IT service providers then they can add something into the policy section to make that clear.
Another definition that could be made clearer is ‘data’ where there can be confusion over whether this means all data or just electronic data. A suggested definition of data is: ‘any electronically stored digital or digitalised information or media’.
This would make it clear that where the term data is used it is only applicable for digital data, and where insurers want to provide broader cover they add terms for non-electronic data as a separate definition.
The term ‘security breach’ also has various meanings and might be easier to understand as: ‘security breach means unauthorised access to or use of your computer system by any person not authorised to do so, including employees; or use of your computer system by an authorised person, including employees for an unauthorised purpose’.
In this case, too many existing definitions fail to make it clear whether hacking or stealing of data by employees, (as occurred in the Morrisons data breach case) is covered by the policy. It is important that policies exclude deliberate acts by the insured’s directors, partners and employees.
Another definition to simplify is the ‘privacy breach’ definition , which currently range from definitions limiting cover to electronic attacks comprising personally identifiable data only to breach of any private information.
The standard term should be: ‘privacy breach is the actual or suspected breach of any legal, regulatory or contractual requirement to protect the security or confidentiality of any information held by the insured’.
If insurers then want to limit this, a contractual liability or proprietary information exclusion can be used. Additionally, insurers may want to limit notification cover to breaches of data protection legislation only.
Next is the definition of, or rather the lack of a clear definition of, ‘social engineering’. The lack of a clear definition means it is unclear whether phishing emails are treated as social engineering or not. Starting off with a broad definition, insurers can then amend as appropriate making clear what types of social engineering are covered and which are not.
The definition should read: ‘social engineering’is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purpose, not including…’.
There are now some forums for insurers to discuss wording issues. Even if underwriters cannot actually collaborate on a standard wording, it is essential that they are aware of the extent to which the current confusing, complicated and often contradictory wordings are stifling market growth.
- Loss-making GRP spent £112.6m on acquisitions over its last financial year
- Mike Bruce promoted to GRP group managing director
- Hiscox's James Brady on why cyber knowledge remains a barrier
- I work in insurance: Stephanie Horton, River Canal Rescue
- Top 100 Insurtech: Quarter four update
- Insurtech diary: Getting stuck into insurance
- Charles Taylor bolsters liability team by hiring senior sextet from Vericlaim