Major flaws in specialist commercial cyber insurance cover – study reveals

Mactavish, a company that advises organisations of all sizes on their insurance requirements, has recently launched a new Cyber Risk Consulting Practice. The study reviewed dozens of ‘off-the-shelf’ cyber insurance policies and identified seven significant common flaws:

1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions;

2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice);

3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted;

4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded;

5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems;

6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond;

7. Notification requirements are often complex and onerous.

Mactavish has been closely involved with the project to reform commercial insurance law in the UK, an eight-year programme which culminated in the Insurance Act 2015, according to the official press release.