The lack of standard terminology in cyber insurance policies causes confusion for brokers and customers, and is ultimately stifling market growth, warns cyber insurance comparison engine Cyber|Decider.
While demand for cyber insurance is growing, there is much confusion about the policies available and the terms of cover because insurers fail to use standard wordings. For instance, what one calls ‘network expenditure’, another terms ‘data restoration costs’; in some policies the definition of ‘computer’ also includes ‘industrial control systems’, in others it does not (further examples below).
Across all other insurance lines, whether commercial or personal, underwriters use standard terms to be clear and concise about the terms of cover available. But insurers offering cyber cover have been reluctant to use standard wordings because of misinformed concerns that sharing an agreed standard policy is anti-competitive and illegal.
Cyber|Decider CEO Neil Hare-Brown says: “Clients are missing out on getting the right cover because cyber insurance is an area that causes brokers confusion and insurers have done little to rectify that. When you combine confusing policy wording with the tech-jargon around cybersecurity, you are creating an off-putting combination for many brokers.
“Lawyers have scared insurers into believing that it is anti-competitive for them to discuss creating standard terminology for cyber insurance, although it is the norm for all other policy areas. However, there is nothing stopping Cyber|Decider using our position to propose sensible standard terms and for insurers to adopt them, and that is what we are doing.
“The off-putting and confusing language used in such policies is a barrier to both brokers and clients, and it is essential that underwriters are aware of the extent to which the current complicated and often contradictory wordings are stifling market growth.”
He adds: “The upshot of the current situation is that many brokers will only offer customers a blanket policy, whether that is right or wrong for the customer’s specific needs. It means fewer policies are sold and clients are badly served.
“It is time to break this barrier. Cyber|Decider is calling on the insurance market to use forums, including the Cyber Insurance Association, to discuss solutions to this growing problem and open the market up to new customers.”
Cyber|Decider has a strong overview of the cyber insurance sector from its position as the only comparison engine for such policies. It proposes the following standard definitions for underwriters:
Cyber insurance, redefined:
- ‘Computer system’
Proposed definition: ‘all electronic computers including operating systems, software, hardware and all communication and open system networks or websites and mobile devices including but not limited to laptops, data storage devices, smartphones, iPhones, tablets, personal digital assistants, electronic office equipment, and equipment controlling manufacturing processes, or forming part of machinery.’
The benefit of this definition is that the exclusions deal with the parts of the computer network that insurers do not want to cover, rather than hiding exclusions inside the definitions, as several policies do at present.
- ‘Data’
Proposed definition: ‘Any electronically stored digital or digitalised information or media’.
The benefit of this definition is that it makes it clear that the term ‘Data’ is only applicable for digital data, and where insurers want to provide broader cover they add terms for non-electronic data as a separate definition.
- ‘Security Breach’
Proposed definition: ‘Security Breach means unauthorised access to or use of your computer system by any person not authorised to do so, including employees; or use of your computer system by an authorised person, including employees, for an unauthorised purpose’.
In this case, too many existing definitions fail to make it clear whether hacking or theft of data by employees is covered by the policy. This matters because policies usually exclude deliberate acts by the insured’s senior employees (directors and partners).
- ‘Privacy Breach’
Proposed definition: ‘Privacy Breach is the actual or suspected breach of any legal, regulatory or contractual requirement to protect the security or confidentiality of any information held by the insured’.
The advantage with this definition is that if insurers then want to limit this, a contractual liability or proprietary information exclusion can be used for clarity. Additionally, insurers may want to limit notification cover to breaches of Data Protection legislation only.
- ‘Social Engineering’
Proposed definition: ‘Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, not including…’.
The lack of a clear definition in many policies means it is unclear whether phishing emails are treated as social engineering or not. If we start with a broad definition, insurers can then amend it as appropriate, making clear which types of social engineering are covered and which are not.