[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

‘Major flaws’ in cyber insurance policies identified

The UK’s cyber insurance market is “very immature” and “untested”, according to new research, with most of the policies available containing significant common flaws.

Policy cover is often limited and lacks clarity ©iStock
Policy cover is often limited and lacks clarity ©iStock

That is the warning from insurance governance experts Mactavish, which after reviewing 30 ‘off-the-shelf’ cyber insurance policies, found seven major limitations.

For example, policies often only cover losses arising from external attacks or unauthorised activity, and exclude issues caused by accidental errors or omissions.

Cover can also be limited to the brief period that businesses are interrupted during a cyber attack, ignoring the significant knock-on revenue impact after IT systems are restored.

This is despite a recent surge in businesses buying specialist cyber insurance, according to Mactavish, which said that very few claims have been made on the new policies.

“But my bet is that many will be disputed, or settlements will be much lower than clients expected,” CEO Bruce Hepburn, said.

“Perhaps these policies have been rushed to market by insurers eager to capitalise on the growing cyber risks facing organisations, and their desire to spend significant money to protect themselves.”

The research also found policies sometimes only cover the costs that businesses are legally required to incur after a data breach, opposed to the greater costs experienced in practice.

Protection for systems delivered by outsourced service providers is often limited or excluded, while notification requirements for businesses can be “complex and onerous”.

It was also found that policies can be unclear as to whether they cover recently updated systems, and might exclude data breaches caused by contractors.

“Despite a sharp increase in cyber incidents, this market is very immature, and in many respects untested,” Hepburn continued. “Very few claims have been made.

“However, this [problem] can be avoided if organisations first understand the cyber risks they face, and then secure a bespoke policy to meet their needs.” 

Sign up to our free newsletter here and receive a weekly roundup of news concerning the actuarial profession