Over the past few months, there has been increased interest in cyber-insurance. This is not surprising considering the increase in the number of data breaches. But what should cyber-insurance cover, and who should buy a policy?
To answer these questions, we look at the two most common causes of breaches and compare these causes against the policies a company is likely to already have. First up is the PICNIC problem.
PICNIC Problem – (Problem In Chair Not In Computer)
Most breaches are the result of staff acting in a deliberate but non-malicious manner, not necessarily someone hacking the corporate network. From laptops being left on trains to inadvertently emailing sensitive information to thousands of people, several reports put human error as the top reason behind data breaches (80%-90%). Consider a breach of this nature against the following policies:
General Liability Insurance – This would usually only cover you in the event of physical damage or bodily injury, which is unlikely in this case.
Crime Insurance – The top cause of breaches is by definition deliberate but non-malicious. No malice, no cover.
Business Interruption Insurance – These policies usually only cover situations where there is physical damage. Again, if there is no physical damage then there is no cover.
Professional Indemnity Insurance – PII only comes into effect in the course of professional services. If, for example, an employee left a laptop on the train going home from work, it is unlikely that this policy would provide any cover.
Third Party Problem
The data controller is responsible for controlling how a third party processes personal information on its behalf. As always, there should be a data processor contract in place with any data processor that handles that information. In the event of a breach by a third party, how would the standard policies hold up?
General Liability Insurance – As above, since there is a low likelihood of physical damage or bodily injury in this event, it is unlikely that you would be covered.
Crime Insurance – This would depend on the details of your crime insurance policy and, of course, on whether the third party was maliciously processing the personal data provided by the data controller. You would have to prove malice.
Business Interruption Insurance – Again, if there is no physical damage then there is no cover.
Professional Indemnity Insurance – Put simply, professional indemnity insurance covers professional services, not breaches.
If you decide to take out a cyber-insurance policy, make sure that it covers the two biggest risks, namely staff and third parties, as these won’t be covered by traditional policies. While the best course of action is to try to reduce the risk of breaches, given the increase in breaches it might be worth considering whether a cyber-insurance policy is right for you.