Cyber Risk insurance

Considering the rapidly growing number of ransomware attacks, high costs of data confidentiality breaches – particularly in the context of the new guidelines implemented by the GDPR – even companies with very strong security mechanisms and advanced privacy protection procedures may fall prey to cybercrime and suffer the severe financial consequences of such attacks.

Insurance against loss of data due to cyberattacks can transfer some of the risk related to this rapidly growing cyberthreat to the insurer. After signing the contract, you will be covered against consequences of such acts, e.g.: loss of access to data, alteration or destruction of data, financial consequences of malware or risks related to online media activity.

Coverage is also offered to third parties in relation to damage caused by the insured party, because the aggrieved person may assert claims for damages against you, e.g. due to a breach of the aggrieved person’s privacy by you (your employees or subcontractors for which you were liable).

Acts that initiate coverage under the insurance contract include, for instance, operation of malware, hacker attack, negligence and human error.

Coverage under the Cyber insurance contract includes, in particular:

Third-party liability:

• Breach of privacy of paper or electronic data
• Network security breach
• Infringement of intellectual property rights through negligence in the creation or publication of media content
• Proceedings relating to defamation or breaches of privacy online
• Restriction of customers’ access to the insured party’s computer system (e.g. inability to access a website due to an attack on a computer system).

Insurer’s own costs paid in order to mitigate the consequences of the incident:

• Cost of notification about the data breach
• Loss of business profits due to the incident
• Costs of restoring and recovering data, including the increased costs of labour and equipment
• Computer-related extortion and related costs
• Costs of crisis management during the incident by a professional entity

Proceedings carried out by regulatory authorities in relation to breaches of personal data protection laws with respect to costs of defence, including administrative fines imposed by such authorities.

Areas of coverage particularly important following the implementation of the GDPR:

1. Costs of notifying the persons whose data have been revealed and costs of notifying the regulator.
2. Costs of defence and damages due for disclosure of personal data in violation of personal data protection laws.
3. Costs of legal services in case of regulatory procedures related to the disclosure of personal data.
4. Administrative fines imposed by the regulator in relation to the disclosure of personal data.
5. Costs of defence and damages in the event of unauthorised disclosure or use of confidential information received from business partners.
6. Costs of extortion/ransom in case of a threat to disclose confidential information of business partners or personal data (including costs related to ransomware).

Example of damage: damage to reputation in e-mail correspondence

An employee sent an e-mail to his colleagues with unfavourable opinions about one of the service providers. The e-mail was forwarded and was eventually received by the service provider. The service provider filed a defamation claim against the company, proving that the company had damaged its reputation. The costs of defence and settlements related to service providers amounted to EUR 167,800.

Costs of response to the incident (crisis communication, public relations) – EUR 34,700

Total damage: EUR 202,500