Feature
Cyber losses - which insurance policy applies? Andrew Horne and Nick Frith, Minter Ellison Rudd Watts
O
n Christmas Day last year, the Reserve Bank of New Zealand suffered a cyber attack. The attack involved a malicious actor gaining access to a third party file sharing application named Accellion FTA, which the Reserve Bank used to store and share clients’ sensitive information. That person downloaded information from the application, some of which was personal and sensitive, such as personal email addresses, dates of birth and credit information. The Reserve Bank responded to the breach by patching and securing the application, identifying the organisations and individuals affected and offering them advice and support from a third party specialist. The Reserve Bank also appointed KPMG to conduct a review of its systems and processes. The attack itself was fairly typical of ‘data breach’ incidents in which a malicious third party gains
access to confidential data held on a firm’s systems. A victim of such an attack may suffer loss and damage in a number of ways. The Reserve Bank, for instance, will have incurred the costs of dealing with the attack and the investigation that followed. It may have incurred liabilities to persons who suffered loss as a result of their information being stolen. A commercial firm in its position might also suffer a loss of profits as the data loss hampers its ability to conduct business and its reputation is damaged. It might also become subject to regulatory action and incur defence costs and fines or penalties. Insurance policies
Insurance policies deal with the different types of loss that may arise from a cyber event, whether malicious or otherwise, in complex and diverse ways. Different policies may respond to different types of loss arising from the same event. Some types of loss may fall through
the cracks and not be covered by any policy, and others may be expressly excluded. In some circumstances, there may be double insurance as more than one policy provides cover, in which case terms providing for double insurance may limit cover. What does Cyber insurance cover?
Policies described as providing Cyber insurance may not provide cover as broad as their name might suggest, as they do not ordinarily provide cover for all forms of loss resulting from a cyber event. Typically, Cyber policies will provide cover for internal and external costs that a firm or organisation is obliged to incur to deal with a cyber event. These will often include:
• the cost of expert help to manage, cure and investigate the event and its consequences to understand what happened, what data is www.covernote.co.nz
3
