Mactavish, the insurance governance expert, warns that most ‘off-the-shelf’ cyber insurance policies have serious flaws and, in the event of a claim, are likely to be disputed and pay out much less than expected.
Its analysis of 30 UK cyber policies highlights seven common flaws:
1 Cover can be limited to events triggered by attacks or unauthorised activity, excluding cover for issues caused by accidental errors or omissions;
2 Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice);
3 Systems interruption cover can be limited to the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted;
4 Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded;
5 Exclusions for software in development or systems being rolled out are common and can be unclear or, in the worst cases, exclude events relating to any recently updated systems;
6 Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond; and
7 Notification requirements are often complex and onerous.
Mactavish advises organisations of all sizes on their insurance requirements and recently launched a Cyber Risk Consulting Practice to help clients understand their exposure to cyber risks and source appropriate insurance cover. Its free report can be accessed at: