The intersection of cyber and crime has garnered a lot of attention over the past year, and for good reason. In our first article, we discussed how to differentiate a cyber loss from a crime loss. In our second piece, we examined social engineering coverage available under crime and cyber policies and how to ensure optimal recovery in the event of a loss. In the third and final piece of our three-part series, we explore how insurers are providing ‘clarity’ to their customers on which policy will be triggered for certain cyber exposures.
Over the past century, crime coverage has progressed with case law, through technological advancements and with the evolution of how crimes are perpetrated.
Although, cyber insurance only first became available in the early 21st century, coverage has expanded substantially over a relatively short period of time, driven by the competitive insurance marketplace.
As the terms and conditions available in the cyber insurance market have expanded to address more frequent and severe cyber incidents, insurance companies have unfurled enterprise wide initiatives to better manage cyber exposure across their portfolios. As a result of these initiatives, some insurers have directives in place to delete or exclude certain crime coverages that may stack with cyber.
With the costs associated with cyber incidents rising, insurers started expressing concern about catastrophic events that could trigger multiple policies and therefore multiple policy limits. The most prevalent exposure is extortion. Extortion coverage has been available to financial institutions under crime policies well before cyber insurance entered the picture. The coverage can be summarized as the ransom paid by the insured as a result of a threat to do bodily harm to a covered person or damage to the premises or tangible personal property of the insured.
Extortion coverage under a cyber policy provides coverage for loss arising out of a security or privacy threat, which can include a threat to use or disclose confidential or personal information, a threat to disrupt a computer system or destroy or alter data, or a threat to prevent access to a computer system or data by using encryption and withholding the decryption key. Loss generally includes monies paid by the organization to end the security or privacy threat, as well as the costs to conduct an investigation to determine the cause and scope of the threat.
Similar to the U.S., extortion coverage has been available to financial institutions under crime policies for many years. Initially the coverage was for ransom demands arising out of threats to do bodily harm to individuals or to damage the premises or tangible property of the insured.
However, over the last decade, extortion coverage under a U.K. crime policy has expanded to include more cyber-related perils. Many of the ransoms now sought are for electronic fund transfers to avoid the deletion, modification or encryption of data, the sale or disclosure of confidential information or security codes, the prevention or limitation of access to the insured’s computer system or the introduction of a virus into the insured’s computer system. As cyber-related extortion incidents evolved and became more sophisticated, coverage expanded to include ransomware scenarios where, for example, data encryption had already occurred and businesses were forced to pay a ransom to obtain a decryption key. This evolution also led to more organizations considering stand-alone cyber insurance as a solution to protect their business and the data of their customers. It became apparent that the overlap of coverage between the crime and cyber policy would need to be addressed.
Some insurers are now actively addressing the perceived overlaps in coverage. Generally speaking, cyber policies provide more robust coverage and charge a more appropriate premium for the exposure, and for those reasons, many crime underwriters have initiatives underway to remove extortion and related reimbursement costs from crime policies. If you have any questions relating to changes being initiated by your crime or cyber underwriters and resulting gaps in coverage, please contact your Willis Towers Watson broker.