One of the interesting features of watching new products grow and develop is trying to predict which of the competing technologies will stand the test of time. Those who are old enough to remember videotapes will recall that Betamax, which was developed by Sony, had better video resolution, better sound and a more stable image than JVC’s VHS. However, JVC had developed a cheaper product, which it licensed to other manufacturers, thereby creating market share, enabling it to become the dominant format.
Perhaps, unsurprisingly, some of these competitive features can be seen in the cyber insurance market. There are a myriad of different insurers offering different products that provide different coverage. It seems reasonable to assume that the market will reach some sort of consensus in the future, but it is still too early to say what this will look like – Betamax or VHS?
Competition in cyber is helped by what appears to be agreement amongst the wider insurance market to exclude losses in classes where a cyber ‘event’ is the proximate cause of loss, such as property. This means that, in effect, cyber risks can only be addressed by cyber policies. This approach by the insurance market makes sense as it allows the cyber market to grow and learn – today’s enfant terrible becoming tomorrow’s establishment man, if you will.
However, as a consequence of this separation between different markets, the property insurance market, for example, has recently been wrestling with how it can continue to effectively exclude cyber. In recent years, property insurers have relied on the rather snappily titled London insurance market ‘CL380’ exclusion clause. However, this clause only excludes cyber losses directly and indirectly caused by computing equipment “as a means of inflicting harm”.
The 2014 cyber attack on a German steel mill was the result of an external hacker gaining control of the facility such that the furnace could not be shut down in a controlled manner. This resulted in significant property damage and business interruption losses. However, it is unclear if the hacker gained access with the intention of causing loss or that the damage was an unintended consequence.
To loosely quote Bill Shankly, the late, great Liverpool manager, if a footballer is not interfering with play, then what is he doing on the pitch?! The same applies to hackers: if an external entity has gained unauthorised access to a network, should it be presupposed that it is with the intent to cause harm? Otherwise, what is the point of having gained access?
The property market has sought to address this issue with the recent publication by the International Association of Engineering Insurers (IMIA) of a draft cyber exclusion that seeks to exclude all losses where cyber is the proximate cause. However, it is recognised within the market that the extent to which an incident is the result of a cyber event can sometimes be difficult to establish.
This rather begs the question, what’s the point? If the extent to which cyber is the cause of an incident can never be established with certainty, it is unclear how valid a clause of this nature actually is.
Is there a solution? Perhaps. Given that both property and cyber policies provide business interruption cover, it would appear that there could be a valid argument for business interruption cover to be a standalone policy that responds to its own list of physical and non–physical damage triggers.
It’s interesting to recall that the CD was the dominant format for music sales in my teenage years and on into my 20’s and 30’s. However, within a few years of its launch, Apple’s iTunes changed the way in which we buy and listen to music. Perhaps there will be a similar “disruptor” that will challenge how we think about business interruption insurance?
Whatever happens, it is going to be fascinating to see how the insurance market responds to these challenges. I, for one, am not going to make any predictions on who or what will win. Besides, I am still getting to grips with music downloads and Spotify.