CYBER INSURANCE:
COVERAGE, BENEFITS, COST, PROVIDERS, COMPANIES, CLAIMS

Cyber Liability Insurance Policy, also referred to as Cyber Risk Insurance or Cyber Insurance Policy. Cyber Insurance policy is an insurance policy which protects an insured business from financial losses incurred and third-party liability following a cyberattack or a data breach of a company’s network systems.

In Hong Kong, organisations must consider obligations under the Personal Data (Privacy) Ordinance (PDPO) and guidance from the Office of the Privacy Commissioner for Personal Data (PCPD), as well as expectations from regulators such as the HKMA for financial institutions. Given rising cyber threats and potentially significant impacts in HKD terms, companies should review policy scope, limits and exclusions with their broker to ensure adequate incident response, compliance support and regulatory cover.

WHAT IS CYBER THREAT OR CYBER RISK?

A Cyber Risk or Cyber Threat is the potential of loss, harm or disruption resulting from breaches of or attacks on information systems. It is something which results from widespread use of internet enabled devices like Mobile Phones, Tablets, Desktop, Laptop anything which has access to the Internet.

With the increasing trend of digital transformation of the society and increased use of internet enabled digital devices, it has become easy for hackers (who are engaged in unethical practices) to exploit the vulnerabilities of such digital devices and use this opportunity to rob people of money and data.

THE IMPORTANCE OF CYBER SECURITY INSURANCE FOR BUSINESSES

Today a large part of business is conducted online. No business in today’s times can work completely without online networks.

However, conducting business online has its own share of risks. The incidents of cyber-attacks resulting in data breaches is increasing by the day. Such data breaches can cause immense reputational and financial damage for businesses.

Additionally, apart from data breaches, there have been incidents of Cyberattacks like NotPetya and WannaCry which injected malicious malware in thousands of computers across the world and paralysing businesses. In fact, many executives have commented that Cyber Risk is one of the biggest risk that their business is facing.

With increasing use of Internet enabled devices, the incidents and costs of Cyber Attacks are only bound to increase in the future.

As a result, a Cyber Security Insurance Policy is extremely important for businesses to protect themselves from risks of Cyberattacks.

WHAT DOES A CYBER INSURANCE POLICY COVER?

A Cyber Insurance Policy usually includes the following coverages:

Security Breach and Privacy Breach: A Cyber Security Insurance Policy provides coverage for breach of commercially confidential information, personal information, employee information or information outsourced by the Insured Party to contractors, subcontractors, vendors or any other third parties. The Cyber Insurance Policy in India will pay all costs that the Insured Party becomes legally obliged to pay including liability for for claimants’ costs and expenses and Defence Costs resulting from any Claim made against the Insured Party following a Security Breach and Privacy Breach Incident.
System Damage: A Cyber Risk Insurance Policy will pay for Rectification Costs incurred in retrieving, repairing, restoring or replacing any of the Insured’s Computer Records (or any other Computer Records for which the Insured is responsible) that have been destroyed, damaged, lost, altered, distorted, erased or mislaid (and which after diligent search cannot be found) as a direct result of any Cyber Event first discovered by an Insured and notified to the Insurance Company in writing as soon as possible during the Policy Period.
Hacking or Computer Virus Transmission: A Cyber Liability Insurance Policy in India will pay for all costs that the Insured Party becomes legally obliged to pay including liability for for claimants’ costs and expenses and Defence Costs resulting from any Claim made against the Insured Party and notified to the Insurance Company in writing as soon as reasonably possible during the Policy Period as a direct result of any Third Party’s financial losses arising directly from a Hacking Attack or Virus that has emanated from or passed through the Policyholder’s Computer Systems; or a Hacking Attack or Virus that restricts or prevents access to the Policyholder’s Computer Systems’ by Third Parties authorised by the Insured to gain such access
the loss or theft of the Policyholder’s data or data for which the Policyholder is responsible or alleged to be responsible for, arising directly from a Hacking Attack or Virus
Multimedia Liability: A Cyber Insurance Policy will pay for all costs that the Insured Party becomes legally obliged to pay including liability for for claimants’ costs and expenses and Defence Costs resulting from any Claim made against the Insured Party and notified to the Insurance Company in writing as soon as reasonably possible during the Policy Period as a direct result of libel, slander or defamation; invasion of or interference with the right to privacy, including those of Employees, or commercial appropriation of names or likeness; plagiarism, piracy or misappropriation of ideas; infringement of copyright, domain name, commercial title or slogan, the dilution or infringement of trademark, service mark, service name or trade name arising directly from the Policyholder’s Internet and Email Content; or the Policyholder’s Promotional Material; or third Party digital content downloaded, shared or distributed from the Policyholder’s Computer Systems
Cyber Extortion Cover: A Cyber Insurance Policy in India will pay Cyber Extortion Costs following a Security Threat against an Insured Party.
Business Interruption: A Cyber Policy Insurance pays for Business Interruption loss Incurred during the Indemnity Period as a direct result of an Cyber Event during the Policy Period.

Cyber Insurance Policy Coverage is exhaustive and is thus very important for a business owner.

WHAT KIND OF LOSSES DOES A COMPANY SUFFER ON ACCOUNT OF CYBERATTACKS AND SECURITY BREACHES?

A Cyberattacks and Security Breach will result in destabilisation of business operations. The Business Interruption has an adverse impact on financial profits of the company.

Disclosure of Confidential Data in a Data Breach Incident has an adverse impact on Company’s reputation and might also make existing and prospective customers hesitant to do business with the impacted company as the customers are not confident about the security of their confidential data.

A Data Breach Incident might also result in regulatory scrutiny from the regulators which might also result in fines and penalties as well.

So, the impact of Cyberattack and Data Breach is not restricted only to the company’s computer systems but it can impact a company in many ways. The impact may result in severe financial losses for the company.

WHAT IS THE AVERAGE COST OF A CYBER INCIDENT?

According to the Chubb’s Global Claims data (December 2017) the losses that arise as a result of a Cyberattack on a company’s network are as follows:

Forensic Costs: is the largest cost component of a Cyber Incident. If there is a Data Breach, it is necessary to appoint a forensic expert to examine a company’s network and systems to determine the exact cause of the Data Breach.
Forensic Experts will pinpoint the vulnerability which was exploited for the Data Breach. The Costs of Forensic Costs have increased with the passage of time.
Notification Costs: If there is a Data Breach incident which has compromised the data of a company’s customers, it becomes the company’s responsibility to notify its customers that their data has been compromised.

Consider the example of a recent incident where the Email Ids and Passwords of Yahoo’s users was compromised on the dark web. Post the Incident, Yahoo notified its customers requesting the customers to change their account passwords since it was compromised. Yahoo acknowledged as well as notified the Data Breach. The Data Breach Notification can be notified through a Website or through Television.

Such Notifications costs are substantial costs that need to be incurred following a Cyber Incident. These Notification Costs have increased substantially with the passage of Time.

Credit Monitoring Costs: If a company stores its customer’s Credit Card or any other payment-related Information, it becomes necessary for the company, which has suffered from Data Breach, to monitor the impacted customer’s credit card information for the next 1 year to ensure that any unauthorised transactions haven’t taken place on the customer’s credit card. Credit Monitoring Costs are also going up with the passage of time.
Crisis Management Costs: A Cyberattack on a company’s network results in an adverse impact on the company’s reputation. In order to protect and rectify the company’s image, the company might need to take help of Public Relation companies. This might result in substantial Public Relation Expenses for the affected company.

WHAT ARE THE FIRST PARTY LIABILITY COVERAGES UNDER A CYBER LIABILITY POLICY?

First Party Liability Coverages under a Cyber Insurance Policy are as follows:

E-Theft Loss E-Theft covers loss due to unauthorised or fraudulent data input in the system which has been hacked or compromised resulting in a fraudulent fund transfer and thus a loss to the Insured Party. The Cyber Liability Insurance Policy will pay for such fraudulent transaction or fraudulent transfer.
E-Communication Loss: If there is any fraudulent mail sent by the Insured to its customers resulting in a fraudulent fund transfer/payment by the customer, where such payment shouldn’t have been done by the customer since it is based on a fraudulent email with a malafide intention to rob the customer, it is known as an E-Communication Loss. A Cyber Insurance Policy will cover any kind of loss resulting in E-Communication Loss
E-Threat Loss: E Threat Loss is a major concern today. Here, the hacker hacks into the system and encrypts important data which can be unlocked or decrypted only on payment of ransom. This is known as E-Threat and today a major number of cyberattacks today are in the form of E-Threats only. E Threat Loss thus relates to losses or Expenses borne by the Insured to pay the Ransom.
E-Vandalism: E-Vandalism loss means that if the Insured’s servers, computers, storage drives hardware or network systems are vandalised out of malafide intention, the Cyber Insurance Policy will cover the costs of restoring or reconstituting the data under E-Vandalism Loss Section of Cyber Insurance Policy.
E-Business Interruption: E-Business Interruption is one of the most important coverages of a Cyber Liability Insurance Policy. Business Interruption means that if your system is down and not running because of a Cyberattack, the resultant loss of Net Profit and fixed expenses that are incurred to run daily activities will be paid under the E-Business Interruption Cover of a Cyber Insurance Policy.

WHAT ARE THE EXPENSES COVERED UNDER A CYBER LIABILITY POLICY?

The following expenses are covered under a Cyber Insurance Policy:

Privacy Notification Expenses: Privacy Notification Expenses Cover under a Cyber Liability Policy covers the cost and expenses that have to be incurred by the Insured in notifying the impacted customers or users of a Data Breach or Cyberattack Incident. Such Privacy Notifications Expenses are substantial costs that need to be incurred following a Cyber Incident. These Notification Costs have increased substantially with the passage of Time.
Credit Monitoring Costs: If a company stores its customer’s Credit Card or any other payment-related Information, it becomes necessary for the company, following a Data Breach of its systems, to monitor the impacted customer’s credit card information for the next 1 year to ensure that any unauthorised transactions haven’t taken place on the customer’s credit card. A Cyber Insurance Policy will cover such Credit Monitoring Costs.
Crisis Management Costs: A Cyberattack on a company’s network results in an adverse impact on the company’s reputation. In order to protect and rectify the company’s image, the company might need to take help of Public Relation Companies to protect and rectify its image. This results in substantial Public Relation Expenses for the affected company which will be covered under a Cyber Insurance Policy.
Forensic Costs: When a company suffers from a Data Breach incident, it will need to hire Forensic Experts to examine a company’s network and systems to determine the cause of the Data Breach. Forensic Experts will pinpoint the vulnerability which was exploited for the Data Breach. The Costs of Forensic Costs have increased with the passage of time.
Reward Expenses:A Cyber Insurance Policy will reimburse the Insured for rewarding an informant for pointing out the vulnerabilities and loopholes of the system. This enables the Insured to take corrective action to plug the loopholes and protect its network and systems from Cyberattacks. Such Informants are normally Ethical Hackers or Bounty Hunters. A Cyber Insurance Policy will also cover such Reward Expenses.

WHAT ARE THE THIRD PARTY LIABILITY COVERAGES COVERED UNDER A CYBER LIABILITY INSURANCE POLICY?

A Cyber Insurance Policy offers the following Third Party Liability Coverages:

Disclosure Liability: If you are running a system which has faced a Cyberattack resulting in dissemination of critical information on a public domain, the affected 3rd Party can hold the Insured Party legally liable for the data breach. A Cyber Liability Insurance Policy will cover such costs related to the Data Breach under the Disclosure Liability Section of the Policy.
Conduit Liability: Consider a case where a service provider company is offering technology-based products like applications, softwares, cloud-related softwares to its customers.

If there is a cyberattack on the Insured’s software or a vulnerability in the software is exploited which results in damage to third party systems, the legal liability and the costs related to the damage to the 3rd party systems will be covered under the Conduit Liability Section of a Cyber Insurance Policy.

Impaired Access Liability: If there is a Denial of Service (DOS) or a Distributed Denial of Service (DDOS) attack on the Insured Party’s System which impairs the client’s ability to access the Insured’s system thus impacting profits, the costs and damages related to such attacks will be covered under the Impaired Access Liability Section of a Cyber Liability Insurance Policy,
Content Liability: The Content Liability Section of the Cyber Insurance Policy will cover losses related to Intellectual Property Infringement like Company Trademarks or Patent. Foe eg: The Insured Party had kept the Customer’s Trademark or Patent on the company’s network which was subject of a Cyberattack resulting in publishing of sensitive Trademark/Copyright/Patent Information on a Public Platform. The Customer can hold the Insured Party legally liable for the Data Breach and can ask for compensation. Such Content Liability Claims will be covered under the Content Liability Section of the Cyber Insurance Policy
Reputational Liability: Consider a case where the Insured Company’s network or system has been subject of a Cyberattack resulting in dissemination of such information which has negatively impacted the client’s reputation. Such Claims relating to Data Breach Incidents where the reputation of the Insured’s Client has been negatively impacted will be covered under the Reputational Liability Section of the Cyber Insurance Policy
Defence Costs: A Cyber Insurance Policy also pays for the legal defence costs associated with defending cases arising out of Cases filed by 3rd Party Customers claiming damages on account of a Cyberattack on the Insured’s System.

CYBER SECURITY INSURANCE POLICY (WHY DOES IT MATTER?)

Increasing use of digital platforms (BYOD, Social Media, Mobility, IoT) for both business and personal uses is increasing by the day, thereby increasing the chances of facing losses due to Cyberattacks and Data Breaches.
Earlier, the most common form of Cyberattack was hacking. Now the methods of Cyberattacks are changing by the day. Few years back, there was a Cyberattack called Ransomware. Here the computer system was taken into custody, and the hacker demanded a ransom to unlock and release the data stored in the system. Thus, the methods of Cyberattacks are changing and becoming more complicated and menacing as well.

Thus, a Cyber Liability Insurance Policy is a must have for businesses in today’s times.

WHAT ARE THE EXCLUSIONS UNDER A CYBER LIABILITY INSURANCE?

Exclusions under a Cyber Liability Insurance Policy :

Liability on account of Willful Misconduct of the Insured is not covered
Aggravated or Multiplied Damages
Bodily Injury/Property Damage is not covered by a Cyber Liability Insurance Policy
Liability arising out of incidents occurring prior to start of the Policy is not covered
Contractual Liability assumed in a contract is not covered under Cyber Liability Insurance Policy

CYBER INSURANCE POLICY COST (WHAT IS REASONABLE?)

Cyber insurance policy costs in Hong Kong depend on several factors:

Business size and revenue
Coverage territory and jurisdiction
Required coverages and policy limits
Prior claims and incident history
Industry sector and risk level

In Hong Kong, a cyber insurance policy with a per-incident and aggregate limit of HKD 5 million to HKD 10 million typically costs between HKD 15,000 to HKD 50,000 annually, depending on the specific details and risk profile. You can read our detailed blog on the cost of cyber insurance in Hong Kong to learn more.

Get a quote for your upcoming project

CONTACT

Your Needs, Our Services

We offer free consultations. If you want to learn more, please contact us at info@ebactuary.com or 📞+852 3563 8440. You can also fill out our Contact Form, and we guarantee to get back to you within 24 hours.

Liability Insurance