Written by Alvin Ee | Partner, Rajah & Tann Singapore LLP.
Cyber insurance has been developing as cyberspace gets increasingly intertwined with the physical world.
Failures in cyber security may now render a modern ship unseaworthy, and the practice of releasing cargo against pin codes instead of bills of lading could lead to exposure to cyber fraud and loss of cargo.
Today, cyber liability risks are among the top risks that businesses around the world are concerned with.
In Singapore, cybersecurity threats to businesses have risen in both frequency and scale. Based on a study released by Lloyd’s, a single cyber-attack on major ports across Asia-Pacific could cost $110bn, which is roughly equivalent to half of all losses from natural catastrophes globally in 2018.
The insurability of ransomware payments
The Singapore Government’s inter-agency Counter-Ransomware Task Force (“CRTF”) issued a report in November 2022 which contained recommendations to drive Singapore’s efforts to foster a resilient and secure cyber environment to counter the growing ransomware threat.
The CRTF recommends encouraging cyber insurance as a risk management practice to support victims in their recovery from ransomware attacks.
The Monetary Authority of Singapore, in its Technology Risk Management Guidelines, also recommends that financial institutions take insurance cover for various insurable technology risks to reduce financial impacts arising from expenses such as recovery and restitution costs.
However, there are doubts over whether insurance coverage for cyber extortion and ransomware should be provided.
Insurance coverage for such payments may encourage businesses to pay the ransom, thereby emboldening and incentivising the perpetrators to carry out more attacks.
Some ransom demands even closely match the limits available under the victims’ insurance coverage for ransom payments.
Indeed, the UK Counter-Terrorism and Security Act 2015 makes clear that insurers are not to reimburse ransom payments made to terrorists.
It remains to be seen whether similar legislation will be enacted as a common standard globally.
Nevertheless, cyber insurance is not only about coverage for ransom payments.
It typically covers other potential costs and liabilities and is still a useful risk management tool.
Common triggers for cyber insurance coverage include network security failures or breach events as defined in the cyber policies. An insured’s first port of call would be coverage for first-party losses. Typical first-party coverage includes the following:
- Data and software restoration costs.
- Costs of forensic investigations to determine the extent and cause of the breach.
- Legal costs for regulatory notification and investigation. For example, Part 6A of the Singapore Personal Data Protection Act 2012 (“PDPA”) sets out the duties of organisations to notify and conduct assessments of data breaches.
- Crisis management and privacy breach management costs incurred to protect the insured’s reputation.
- Costs of credit or identity monitoring incurred to prevent further identity theft or financial losses suffered by persons whose data have been compromised.
- Expenses to maintain a call centre for affected persons to obtain advice and file complaints.
- Regulatory fines and penalties, provided they are insurable at law. A person guilty of an offence under the PDPA may be liable on conviction to fines, among other penalties. However, fines and penalties are often imposed to deter undesirable actions and omissions. Insurance coverage for such financial deterrence may be prohibited for public policy reasons. It remains uncertain whether fines and penalties are insurable under the laws of various jurisdictions.
Cyber policies may also provide cover for business interruption losses on various bases, such as loss of income, loss of gross revenue, and increased costs incurred to minimise loss of income. Business interruption coverage helps businesses to recover from cyber incidents.
Third-party liability coverage
An organisation that has fallen victim to a cyber breach may itself be subject to third-party liability. Such liability could arise from the organisation’s failure to fulfil its obligations under data protection legislation.
Section 48O(1) of the PDPA provides that a person who suffers loss or damage directly as a result of a contravention by an organisation or person of any provision of the PDPA has a right of action for relief in civil proceedings in court.
The claimant may also have causes of action against the insured under the tort of negligence or contract.
Third-party liability coverage under cyber policies could be extended to cover judgment sums, awards, settlements, party-to-party costs, and defence costs.
Apart from the transfer of risks from the insured to the insurer, cyber insurance incentivises insurers to ensure insureds maintain a certain level of cyber resilience. By insuring a large number of similar risks, insurers will have more information on the relevant cyber risks for assessing the probability of insured events occurring, the quantum of potential losses, and the preventive steps that can be taken.
With underwriting and claims experience, insurers could help increase the insureds’ resilience by requiring them to maintain cyber security policies and procedures, keep their operating systems up to date, and perform regular security backups. The insurers could also tie premiums to the insured’s level of care.
Insurers can monitor the insureds’ systems and processes by requiring them to answer underwriting questionnaires. In November 2017, the European Union Agency for Network and Information Security published a report titled “Commonality of risk assessment language in cyber insurance” which sets out a list of security standards and key cyber security control areas that reflect good cybersecurity practices.
AIRMIC also issued a guide titled “Cyber risk – Understanding your risk and purchasing insurance” which suggests questions to ask to understand the key cyber threats faced by potential insureds. These questionnaires not only help insurers to gather information for underwriting but also highlight to insureds, especially those without in-house cyber security support, the key cyber security focus areas to work on.
Having in place appropriate measures to prevent and respond to cyber incidents has helped organisations avoid financial penalties and mitigate reputational damage following data breaches. In a 2022 personal data breach involving Sembcorp Marine Ltd, which occurred through the exploitation of the Log4J zero-day vulnerability, the personal data of 25,925 individuals was exfiltrated.
However, the Personal Data Protection Commission of Singapore did not take any enforcement action against Sembcorp Marine Ltd. The Commission was satisfied that Sembcorp Marine Ltd had made reasonable security arrangements to protect personal data in its possession and control, and had also taken prompt action to identify instances of the Log4J vulnerability across all the software applications it was using.
Demand for cyber insurance has grown exponentially and will continue to grow. However, cyber insurance is still relatively new compared to the traditional lines of insurance, such as marine and fire insurance.
From a commercial perspective, underwriters will need to manage potentially indeterminable losses arising from catastrophic cyber incidents. Stephen Catlin, the founder and then-CEO of Catlin, warned in February 2015 that cyber risks presented the “biggest, most systemic risk” he had encountered in his insurance career of more than 40 years due to the correlation between cyber incidents.
Furthermore, with new risks, a common issue is that insurers lack sufficient information to correctly calculate “actuarially fair premiums”. Due to the lack of information, insurers may charge premiums considered too costly for potential insureds that need cyber coverage. This may limit the widespread adoption of cyber insurance.
Legal issues have also arisen and will continue to arise as cyber incidents become more prevalent. One issue that has arisen is in the provision of “non-affirmative” silent cyber insurance coverage, where insurers inadvertently provide cover for cyber-related losses under non-cyber policies meant to cover physical damage.
For example, the alteration of an insured’s software or a breach of its security system by a computer virus may arguably be deemed to be actual physical damage (and therefore covered under traditional non-cyber property insurance) even though it is not among the traditional forms of physical damage insurers contemplate. Such uncertainties in coverage give rise to legal disputes.
However, these may just be growing pains while the cyber insurance market matures. Cyber catastrophe bonds, which are a type of insurance-linked security, have been issued to increase underwriting capacity. Industry organisations such as the International Underwriting Association and the Lloyd’s Market Association have also published policy clauses to address silent risk exposures. As the cyber insurance market adapts and grows, it will become better able to serve the cyber community and facilitate the development of the global data and digital economy.