Much of the debate about cyber insurance has been over whether cover for fines under the General Data Protection Regulation (GDPR) is excluded on public policy grounds.  This is a side issue.  A far greater concern is the impact on the business and its clients, as evidenced by last year’s Financial Conduct Authority £16.4 m fine on Tesco Personal Finance plc (Tesco Bank) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.

Two ongoing claims against insurers cause concern about whether insurers will pay out on cyber policies in the event of a claim.  We defer detailed comment as the cases are still pending, save that one issue, in at least one of these cases, appears to be whether a cyber attack attributed to hostile nation state activity falls within an exclusion for ‘act of war’.

We appreciate that insurers should only have to pay out for the cover they have agreed, and been paid, to provide, and this is particularly so where an insured may be trying to shoehorn a cyber claim into a policy which was not intended to provide cyber cover.

However, if there is to be widespread take-up of cyber insurance, and it is in the public interest that there should be, so as to enlarge the pool from which claims can be paid, we need to see reports of cyber insurers paying out on claims and the businesses they have saved.  At present, those reports are few and far between.
