One of the interesting features of watching new products grow and develop is trying to predict which of the competing technologies will stand the test of time. Those who are old enough to remember videotapes will recall that Betamax, which was developed by Sony, had better video resolution, better sound and a more stable image than JVC’s VHS. However, JVC had developed a cheaper product, which it licensed to other manufacturers, thereby creating market share, enabling it to become the dominant format.
Perhaps, unsurprisingly, some of these competitive features can be seen in the cyber insurance market. There are a myriad of different insurers offering different products that provide different coverage. It seems reasonable to assume that the market will reach some sort of consensus in the future, but it is still too early to say what this will look like – Betamax or VHS?
Competition in cyber is helped by what appears to be agreement amongst the wider insurance market to exclude losses in classes where a cyber ‘event’ is the proximate cause of loss, such as property. This means that, in effect, cyber risks can only be addressed by cyber policies. This approach by the insurance market makes sense as it allows the cyber market to grow and learn – today’s enfant terrible becoming tomorrow’s establishment man, if you will.
However, as a consequence of this separation between different markets, the property insurance market, for example, has recently been wrestling with how it can continue to effectively exclude cyber. In recent years, property insurers have relied on the rather snappily titled London insurance market ‘CL380’ exclusion clause. However, this clause only excludes cyber losses directly and indirectly caused by computing equipment “as a means of inflicting harm”.
The 2014 cyber attack on a German steel mill was the result of an external hacker gaining control of the facility such that the furnace could not be shut down in a controlled manner. This resulted in significant property damage and business interruption losses. However, it is unclear if the hacker gained access with the intention of causing loss or that the damage was an unintended consequence.
To loosely quote Bill Shankly, the late, great Liverpool manager, if a footballer is not interfering with play, then what is he doing on the pitch?! The same applies to hackers: if an external entity has gained unauthorised access to a network, should it be presupposed that it is with the intent to cause harm? Otherwise, what is the point of having gained access?
The property market has sought to address this issue with the recent publication by the International Association of Engineering Insurers (IMIA) of a draft cyber exclusion that seeks to exclude
Related sections
