Will insurers Wanna Cry? On the legal repercussions of the global cyber attack

ransomware

  • Most of the losses will probably come from impacted lines of business rather than the cyber covers themselves
  • Terrorism exclusions are traditionally triggered by violence, which tends to be absent in cyber attacks

The Wanna Cry ransomware attack is going to bring into light cyber wordings and terrorism exclusions, explains Hermes Marangos, partner at Signature Litigation.

Cyber security is an unwelcome problem that few businesses have ever wanted to discuss. Until now. After severely affecting parts of the NHS and numerous large businesses internationally, the global Wanna Cry ransomware attack has changed the climate of discussion overnight.

According to a recent UK government survey, 81% of big corporations and 60% of small businesses suffer an annual cyber breach: big or small, businesses now have to address an issue that has an impact on various lines of insurance. The Institute of Directors has recently criticised the unpreparedness of most businesses in dealing with such incidents. 

Because the Wanna Cry attack was a worldwide attack, questions arise relating to events and aggregation, depending on the line of business and the relevant wording. Reinsurers and retrocessionaires face the immediate issue of accumulations and they are considering protocols for dealing with exposure and claims as they filter through. At an underlying level, insurers will be checking how policies are triggered in different countries. 

Cyber cover is not standard. Some covers may theoretically be easier to deal with: loss or damage to digital assets; business interruption, which is often the primary issue; and reputational damage. But ransom payments, which are treated differently by each legal regime, may lead to an absence or disconnect between covers. In reality, most of the losses will probably come from impacted lines of business rather than the cyber covers themselves.

Potential issue

Reigniting a previous debate, another potential issue relates to the operation of newer versions of terrorism exclusions with extensive cyber terrorism provisions. Some wordings may exclude losses, ‘however remote’ the connection may be between those losses and ‘cyber terrorism’. In traditional covers, the guiding principle applied by the market to trigger a terrorist exclusion has been that the relevant clause requires a ‘terrorist act’ to have been committed, with violence as a key component. This is distinct from the ‘act of a terrorist’ which may, for example, involve individuals with terrorist links breaking into a bank to raise money to finance their operations.

Accordingly, because cyber terrorism does not contain the violence component, it becomes more likely that a cyber attack falls within widely drafted exclusions. In the context of over-restrictive covers and over-extensive exclusions, political extremist links may also be relevant - as can any provable remote connection with activities by the international intelligence communities. An added dimension is the interconnection between cyber terrorism exclusions, also encompassing losses not involving violence, and the narrow scope of some cyber cover, which envisages that some losses should come under other more specific or specialist covers. 

A further concern arises if it is demonstrated that the insureds have inadequate protection in place, or have failed to maintain sufficient protection by regularly updating their systems and security. When it comes to contractual obligations, tribunals tend not to forgive deficient compliance: absence of firewalls or proper password and software protection. These may be seen as the modern equivalent of leaving a house with unlocked doors or open windows. It also brings directors, officers and consultants into the firing line. Again, there are different legal implications in each scenario. An additional problem relates to the Data Protection Act and the upcoming General Data Protection Regulation.

These diverse issues will require careful examination of the legal language used in every policy, which either directly or indirectly deals with losses arising from cyber incidents. Also to maintain legal privilege when all the relevant work is undertaken. The proper application of wordings dealing with cyber attacks, where there is a remote connection with terrorism, will need particularly careful attention. More than anything, the ransomware attack is a sharp reminder to the market that serious legal repercussions can follow if proper protections are not put in place or kept up to date.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@postonline.co.uk or view our subscription options here: http://subscriptions.postonline.co.uk/subscribe

You are currently unable to copy this content. Please contact info@postonline.co.uk to find out more.

Storm Bert shows insurers must demand building rules change

Editor’s View: If you want to know why people recoil, rather than embrace you, when you say you work in insurance, Emma Ann Hughes recommends you type into Google: ‘What does the insurance industry need to do about the growing number of named storms?’

Inspecting and impressing in the gadget insurance market

Ahead of Black Friday (29 November) the latest Insurance Post Podcast explains how gadget insurers are increasingly looking at the way devices are used rather than the likelihood of the component parts ceasing to work when it comes to underwriting and claims.

Most read articles loading...

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here