Majority of cyber policies are 'flawed'

The warning comes amid a reported surge in business looking to protect themselves with specialist cyber cover.

In a review of around 30 off-the-shelf UK cyber insurance policies, Mactavish identified seven common flaws:

• Cover could be limited to deliberate attacks and unauthorised activity, leaving business unprotected in the event of incidents caused by accidental errors or omissions.
• The data breach costs covered could be limited to those which the business is strictly legally required to incur as opposed to much greater costs which would be incurred in practice.
• In the event of systems interruption, cover can be limited to only the brief period of actual network interruption, ignoring knock-on effects after the repair of the technological fault.
• Cover for systems delivered by outsourced service providers varies significantly and is often limited or excluded.
• There were often exclusions for software in development or systems being rolled out. In some cases events involving recently updated systems may be excluded as well.
• If issues are caused by contractors but the business is legally responsible, policies might not respond
• Notification requirements are often complex and onerous.

Bruce Hepburn, Mactavish CEO, said: “There are a number of new cyber insurance policies being launched, but despite a sharp increase in cyber incidents this market is very immature and in many respects untested.

“Perhaps some of these policies have been rushed to market by insurers eager to capitalise on the growing cyber risks facing organisations, and their desire to spend significant amounts of money to protect themselves against this.

“Very few claims have been made on these new cyber insurance policies, but my bet is that many will be disputed, or settlements will be much lower than clients expected. However, this can be avoided if organisations first understand the cyber risks they face, and then secure a bespoke policy to meet their needs.”