
CYBER INSURANCE:

HOW TO READ A CYBER INSURANCE POLICY

HANS ALLNUTT
24 January 2023
Experts in all aspects of Cyber & Data Risk

o Multi-award winning cyber team.


o 24/7 hotline.
o 200-300 breaches managed each year.
o From SME to Multi-national, Retail, professions, sports,
hospitality, financial services, manufacturing,
technology, telecoms.
o Extortion, data breaches, ransomware, wire transfer
frauds, financial recoveries / Norwich pharmacal orders,
PCI breaches.
o 2021 leading defence firm for data breach claims in the
Media & Communications List (High Court)

"DAC Beachcroft LLP's team is 'at the cutting edge of the law' and geared to handle both contentious
and non-contentious work, including ICO investigations, data subject access requests, class litigation,
international data transfers and compliance matters"
Legal 500

DAC BEACHCROFT © DAC Beachcroft 2


CONTENTS

Cyber as a “new risk”


Evolution and structure of cyber insurance
How to read a cyber insurance policy
Current and future challenges



CYBER AS A “NEW RISK”
Computer power since 1970



Explosion of connectivity



What does this mean for business risk?

o Operational: Caused by the impairment or interruption of the operation of technology assets and
electronic networks.
o Informational: Caused by a compromise of the confidentiality, integrity and availability of
data and information.
o Physical: Arising out of the interconnectivity between the physical and virtual.

Operational

17 January 2023

Passengers have reported "gridlock" with "three hour queues" at Manchester Airport.

The airport has apologised for the disruption which it says has been caused by an ongoing IT
system outage 'affecting some processes'.

19 January 2023

Royal Mail has restarted the export of parcels from a backlog, and will accept new letters for
overseas, as it tries to recover from a cyber-attack.

Parcels that have already been processed will start to be moved in "limited volumes" the firm said.

But no new parcels should be submitted for now, it said.

11 January 2023

Denmark's central bank and seven private banks, including Jyske Bank and Sydbank, have been hit
by distributed denial of service (DDoS) attacks that disrupted their operations this week.



Informational

Confidentiality

6 January 2023

Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can
reveal.
The documents, seen by the BBC, include children's SEN information, child passport scans, staff
pay scales and contract details, taken in 2021 & 2022.

Integrity

Fake News Adds to Cyber Risks for Business

10 April 2018

Fake news threatens U.K. businesses with reputational damage as well as falling sales and share
prices, adding to the growing risk from cyber attacks facing companies from local Indian
restaurants to multinationals.

That’s the warning from the National Cyber Security Centre and the National Crime Agency.

Availability

More than 600 patients affected by computer crash at Manchester hospitals

13 September 2018

The hardware glitch at Royal Oldham Hospital, Fairfield General, North Manchester General and
Rochdale Infirmary meant staff struggled on Thursday to access patient records and test results.
Physical

FDA issues recall of 465,000 St. Jude pacemakers to patch security holes

30 August 2017

Heart patients will have to visit their doctors to have their pacemakers patched for the
"voluntary" recall - but there are risks.

Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack

15 Feb 2018

The UK Government has made the judgement that the Russian government was responsible for the
attack, which particularly affected Ukraine’s financial, energy and government institutions but
its indiscriminate design caused it to spread further, affecting other European and Russian
business.



EVOLUTION OF CYBER RISK INSURANCE
& POLICY STRUCTURE
Evolution of Cyber Insurance Context
2001 - www.beachcroft.com registered: more businesses go online with media and cyber risks
2002 - First US State Breach Notification Law 2002: US legal obligations to investigate and notify
2004 - Google public listing, Facebook first developed: technology sector explodes
2006 - Payment Card Industry – Data Security Standard (PCI-DSS): new risk for any org with retail
2006 - Amazon Web Services started offering web (later cloud) services: outsourcing own networks
2007 - Zeus banking trojan first discovered 2007: financial crime through cyber emerges
2008 - Bitcoin (anonymous cryptocurrency) invented: cyber crime does pay!
2012 - EU GDPR announced: US cyber/breach insurance brought to Europe
2016 - GDPR 2016 (in effect 2018): legal obligations to notify, big fines, compensation for “distress”
2017 - WannaCry ransomware attack: systemic exposure / “ransomware” mainstream
2019 - TA2102 Maze double extortion ransomware attack: cyber crime victims face legal consequences
2021 - EUR746m GDPR Fine for Amazon (largest to date): not even for a security breach!



Core coverage and Policy Structure

Cyber Insurance

o Sector based: Technology E&O
o Legacy: Media liability

LOSS

First Party
o Business interruption (loss of profit or revenue)
o Ransom / Extortion
o Breach costs (IT, legal, PR)
o Crime Financial Loss

Third Party
o Claims against insured in respect of cyber event or data event
o Regulatory fines/penalties
o Defence costs
o PCI-DSS

TRIGGERS

Cyber Events
o Unauthorised access or use of Computer systems
o Denial of Service

Data Events
o Data Security breaches
o Damage/loss of data
o Data / Privacy law breaches
o Regulatory interventions

Other Events
o Extortion
o Theft of money
o Financial transfer (CEO Fraud)

Widening
o External networks and data
o Operator error and Network & system failure



HOW TO READ A CYBER INSURANCE POLICY
Cyber Insurance

[Figure: Gross Profit plotted against Time, marking the Event, the Waiting Period and the Indemnity Period]



https://static.rsagroup.com/rsa/commercial-insurance-products/cyber/cyber-risk-policy-wording.pdf
CURRENT & FUTURE CHALLENGES
Current and Future Challenges

o Non-affirmative / “Silent” Cyber

o Cyber war and exclusions (NMA 464)

o Systemic exposure

o Insurability of fines and penalties

o Insurability of ransom payments



QUESTIONS?

Hans Allnutt
Partner
DAC Beachcroft LLP

The Walbrook Building, 25 Walbrook,


London EC4N 8AF
T: +44 (0)20 7894 6925
hallnutt@dacbeachcroft.com




DAC Beachcroft publications are created on a general basis for information only and do not
constitute legal or other professional advice. No liability is accepted to users or third parties for
the use of the contents or any errors or inaccuracies therein. Professional advice should always be
obtained before applying the information to particular circumstances. For further details please go
to www.dacbeachcroft.com/en/gb/about/legal-notice. Please also read our DAC Beachcroft Group
privacy policy at www.dacbeachcroft.com/en/gb/about/privacy-policy. By reading this publication
you accept that you have read, understood and agree to the terms of this disclaimer. The copyright
in this communication is retained by DAC Beachcroft. © DAC Beachcroft.
