UK companies risk being uninsured for data losses and IT problems
UK insurers are stripping out swaths of technology-related cover — for everything from fires in data centres to IT meltdowns — from the policies that shield corporate headquarters and buildings, leaving many companies potentially exposed.
Regulators have told insurers to clarify their policies so that customers know which technology incidents will no longer fall under their traditional policies and instead require separate cyber insurance policies.
“They are choosing to exclude anything connected with technology, which could leave our clients without coverage,” said Sarah Stephens, the cyber, media and technology practice leader at insurance broker Marsh JLT Specialty. “Clients are very concerned.”
The pressure from bodies including the UK’s Prudential Regulation Authority and Lloyd’s of London came after growing confusion about whether the costs and repercussions of a cyber attack, which can include damage to infrastructure, should be covered by property insurance.
Mondelez, the confectionery company, has sued its insurance company Zurich for refusing to pay out on a $100m claim for damage to laptops and servers caused by the NotPetya cyber attack in 2017.
Regulators fear that similar cyber attacks could leave insurers facing unexpected and enormous costs. But experts said the redrafted policies were leaving companies without appropriate cover.
“They are aiming to take out pure cyber losses but a lot of the drafting could potentially take out a lot more,” said Rob Smart, technical director at Mactavish, a consultancy. “You’ve got some fairly draconian wording.”
He said that the costs of technology problems such as loss of data from floods or fires may now be excluded even if they are unrelated to cyber attacks. “I think a lot of companies would be horrified by that,” he added. “You remove ambiguity but at the cost of having a gap [in coverage].”
He said that one template contract excluded losses caused by “the failure, error or malfunction of any computer, computer system, computer software program, code, or process”.
Patrick Davison at the Lloyd’s Market Association, an industry group that has created model clauses for insurers to use in their contracts, said the wording was not overly strict. “I’d use the word clear,” he said.
“The property [insurance] market was clearly of the view that they did not want to cover the value of electronic data. That may be something for a new market that can value intangible assets.”
Meanwhile, the market supplying standalone cyber insurance remains small, although it is growing quickly.
“Right now if you are a Fortune 500 company you can’t buy as much cover in the cyber market as you can in the property market. You can buy cover but you can’t buy enough of it,” said Mr Davison.
Ms Stephens added: “Clients that want $1bn of cover are only getting $500m-$800m [of cover].”
Underwriters are also unsure how to assess the new field. “One of the challenges for the cyber market is that they are being asked to look at areas they haven’t looked at before, like stock throughput,” said Tom Draper, head of cyber at insurance broker Gallagher. Stock throughput policies, which cover a company’s inventory, have traditionally been part of the marine cargo insurance market rather than cyber insurance.