Where does BBB Computer Crime cover end and standalone Cyber cover start for Financial Institutions?
Kunal Benodekar, Dubai Office
The cost of cyber crime to businesses has increased exponentially in recent years and that growth shows no sign of abating. This has been fuelled largely by huge technological advances, stringent new regulations over the handling of data and, more recently, the growth of remote working brought on by the global pandemic.
The cyber insurance market is still in its infancy. Less than 1% of cyber losses globally are insured. We at ASL believe that will change and fast. As companies begin to better understand their cyber risks, we will see an uptick in standalone cyber policies being sold. Leading experts predict that gross cyber insurance premiums will grow by over 20% per year to reach USD 20 billion by 2025.
But what does this changing landscape mean for financial institutions in particular?
Many financial institutions hold some form of Bankers Blanket Bond (BBB) policy, which often indemnifies only first-party losses of the entity’s own funds and includes cover for such perils as employee dishonesty and traditional fraud / theft. Alongside this, Banks often elect to also purchase cover for Computer Crime, typically on the basis of the Lloyd’s LSW 983 wording. Insured perils include the fraudulent manipulation of computer systems, programs and electronic communications.
Standalone cyber policies, on the other hand, typically provide cover for both first-party and third-party costs and liabilities relating to cyber incidents, such as viruses, hacks and ransomware attacks.
First-party coverage includes the payment away of the entity’s own funds by way of ransomware extortion. It also encompasses all costs incurred to bring the entity back to the position it was in before the incident, including payments to remediate systems, notify stakeholders of the incident, and mitigate reputational damage. Business interruption losses would also fall for consideration under first-party cover.
Third-party liabilities include any exposure associated with legal claims being brought against the entity following the incident, including defence costs and payment of damages. They also include the payment of regulatory fines.
As the cyber insurance market begins to mature, will financial institutions continue to see value in holding both traditional Computer Crime policies and newer, standalone cyber offerings?
To provide some context, the Lloyd’s LSW 983 wording, which forms the basis for many financial institutions’ Computer Crime policies, was written over 20 years ago. It includes insuring clauses for voice-initiated transfers and telefacsimile communications. Whilst some insurers have modified their policies over time to address more modern cyber risks, this has been piecemeal, and some insureds continue to hold cover that might not address all of the perils that could arise from a cyber-attack.
An example of this is ransomware attacks, which are currently the fastest growing type of cyber crime globally and pose a significant risk to Banks. Whilst we are beginning to see Cyber Extortion endorsements being included in Computer Crime slips, this is far from commonplace, and insureds who do not hold standalone cyber policies are largely exposed to this growing risk.
As a result, a recent phenomenon we have observed is insureds attempting to “shoehorn” ransomware losses into traditional Computer Crime insuring clauses. We are also seeing something similar happening with third-party liabilities and costs arising from data breaches being presented under Bankers’ Professional Indemnity policies.
With Computer Crime policies providing limited coverage following a cyber-attack, does that leave cyber underwriters in a better position to offer a “one-stop shop” for cyber cover to financial institutions?
What do you think the future holds for financial institutions and insurers in the ever-evolving cyber market?
If you would like to hear more about our capabilities in respect of investigating and assessing cyber notifications, business interruption losses and remediation costs please contact Kunal Benodekar or Robert Lloyd.