Pre-Covid-19, many businesses believed that their commercial policies covered them for business interruptions caused by a multitude of factors, including cyber attacks, Exfiltration and/or destruction of mission-critical data. Risk carriers were willing to accept premiums to cover losses arising from an inability of a business to function. However, with 370,000 firms losing earnings as a result of the Covid-19 lockdown, insurers such as Hiscox, QBE and RSA all failed to pay out to policyholders, making a case that the policy wordings made it clear that the impact of an epidemic upon earnings was not covered.
As a result of their actions, in the UK a test case was brought before the High Court by the UK Financial Conduct Authority (FCA) with the Court ruling that policyholders were covered, based upon on a representative sample of 17 policy wordings used by 16 insurers, after an eight-day hearing.
Similarly, in the U.S. House members asked insurers to retroactively recognize financial losses relating to COVID-19 under commercial business interruption coverage for policyholders. However, as per the UK risk carriers, the U.S. insurers stated that “Standard commercial insurance policies offer coverage and protection against a wide range of risks and threats and are vetted and approved by state regulators. Business interruption policies do not, and were not designed to, provide coverage against communicable diseases such as COVID-19”.
So why is Covid-19 impacting upon the cyber insurance market? With successful cases being brought, forcing risk carriers to pay out substantial funds, they have been forced in some cases to recapitalise their businesses in order to meet the minimum capital adequacy ratios for regulatory compliance. Hiscox in London, for example, paid out $475m for cancelled events and business interruption policies to 33% of the total number of UK business interruption policies they had underwritten.
On the 3rd March 2021, the CEO of Hiscox, Bronek Masojada, admitted that the brand had suffered reputational damage from the episode and apologising: “We clearly regret the uncertainty and anguish that the dispute has caused to our customers, so it is important that we learn from this experience. The most important lesson is the need for clarity in wordings, to ensure intent is properly reflected in the policy detail. In addition, the customisation of policies has to be restricted to ensure that there is not a long tail of wordings serving very small numbers of customers.” (our emphasis)
What this entire scenario has created is an increased limitation on coverage for business interruption, whether by a pandemic, or man-made as in the case of cyber attacks. It is worth noting that in the case of cyber insurance, the vast majority of cover is provided in the U.S. and the bulk of this coverage is underwritten in Lloyds of London.
With silent cyber still a fundamental block to mass coverage of sufficient volume and level of cover, there is little incentive for a risk carrier (primary insurer, reinsurer, or other) to provide such protection when core P&C insurance products generate over 90% of profits for the industry. The Covid-19 enforced payouts have given further impetus to restrict via policy wordings or by eliminating cyber coverage for the sector.
With the above in mind, it becomes far more important that businesses have sound business continuity plans in place. Using Quantar’s CyCalc® products, businesses can map between their proprietary businesses processes, systems and various categories. This provides the means to prioritise security allocations and capital budgeting, allowing you to focus on those processes with the highest need.
Through having the financial risks at hand, CyCalc® has “what-if” functions, enabling you to model various scenarios to understand the impact upon financial risk exposures and undertake cost-benefit analysis of various mitigation options.
Quantar has been at the forefront of cyber risk management, including businesses continuity planning for over 20 years.
Contact us to find out how we can assist your business become more resilient.