Cybersecurity Insurance Risks

Looking at the general insurance landscape, cybersecurity insurance has become vital due to COVID-19. More than ever, companies that work remotely with insufficient cybersecurity defenses face a significant risk of cyberattacks. Cyberattacks classified as a major global risk according to the Global Risks Report 2021 caused data breach costs amounting to 4.24 million USD in 2020[1].

In 2021, companies such as Bose, LinkedIn, Facebook, Clubhouse, and Volkswagen faced security breaches resulting in stolen customer information including usernames, social security numbers, phone numbers, etc.

In 2020, Turkey was also a target of cybercriminal activities causing a number of the country’s industry leaders to face administrative fines and loss of reputation. A blockbusting hacking incident occurred at Yemeksepeti, Turkey’s biggest online food company, in which it is said that over 21,500,000 of its users’ phone numbers, usernames, and passwords were stolen. The Turkish Personal Data Protection Authority and Information Technologies and Communication Office is currently preparing to fine the company a total of TRY 3 million for breaching data protection obligations and lack of cybersecurity measures.

This is where cybersecurity insurance steps in and introduces a wide range of protections against threats such as phishing, baiting, pretexting, water holing, etc.

Cybersecurity insurance entitles an insured company to compensate its losses from cyberattacks within the scope of the insurance policy.

In general, cybersecurity insurance policies cover costs arising from stolen information, data hacking and service breakdown, data protection damage, ransom money, damage caused by business interruption, computer and technical device damages, cyber extortion, and defamation.

Cyber terrorism, damages arising from breach of competition law, intellectual property rights, media and advertising, and activities subject to criminal liabilities are usually not covered by cybersecurity insurance policies.

What Is Silent Cyber? What Should the Scope of an Insurance Policy Be?

Both insurers and policyholders should be aware of the risks of silent cyber. Basically, silent cyber describes cyber-related losses that arise from policies that do not specifically cover cyber risks.

In terms of insurers, insurance policies that are not tailored to cover current cyber risks could result in the payment of claims for cyber losses. To minimize this risk, insurers should explicitly cover cyber risks or introduce exclusions.

As for policyholders, policies and exemptions that are not suitable for covering cyber risks specific to a business sector, etc. could leave companies unprotected.

Therefore, traditional insurance policies that usually cover damages arising from data hacking, service breakdown, business interruption, cyber extortion, and defamation may be insufficient.

The Risk of Liability Insurance Covering Penalties and Administrative Fines

In practice, damages incurred by third parties and the payments made to public institutions due to a cyberattack are insured by professional liability insurance.

However, considering Article 1404 of the Turkish Commercial Code No. 6102 (“TCC”) and the purpose of administrative fines, it is risky to cover administrative fines and any other penalties imposed by public institutions such as the Personal Data Protection Authority and the Banking Regulation and Supervision Agency through cybersecurity insurance.

According to Article 1404 of the TCC, insurance covering a loss resulting from an act of the policyholder or insured in breach of the mandatory rules, moral values, public order, or rights of personality will be null and void.

Also, the main aspect of imposing administrative fines and any other penalties is as a deterrent; the aim is to force companies to act in accordance with the laws and regulations.

Therefore, it can be argued that insurance policies covering such fines and penalties should be considered as a breach of their purpose, and a breach of public order. In this scope, liability insurance that covers fines and penalties may be evaluated as a breach of public order and courts may decide that an insurance contract should be deemed invalid as of its execution.

The Risk of Causing an Increase in the Insurance Coverage

According to Article 1444 of the TCC, following the execution of a contract, a policyholder cannot act or make any transaction causing the amount of indemnity to increase without the insurer’s prior consent. In such cases, an insurer may request an additional premium or terminate a contract within one month of the date that they became aware of their policyholder’s actions.

If a policyholder negligently causes such an act or transaction affecting the amount of insurance coverage, an insurer may request a reduction in insurance coverage depending on the degree of the fault. If the policyholder has acted with intent, the insurer will be discharged of its payment obligations.

In this scope, cybersecurity insurance policyholders should take technical, systemic, and administrative measures in accordance with the market standards against any cyberattack. In addition, a company’s software and hardware should be adequate to protect them from such attacks.

If an insurance company determines that a risk occurred because of a company's negligence, it may request a reduction in insurance coverage depending on the degree of the fault.

Detailed Analysis of a Policyholder’s Systems Before the Execution of an Insurance Contract

It is crucial for an insurer to examine the computer systems, software and hardware systems, applications, cloud systems, etc. of a policyholder before signing a cybersecurity insurance contract. This will also determine the premiums a policyholder must pay.

In this scope, IT companies operating in Turkey are increasingly focused on providing such analysis services to insurers. In terms of cyber insurance, cooperating with IT companies that examine companies’ systems in detail puts insurers in a more secure position.

Conclusion

As per recent technological developments and the increase in remote working due to COVID-19, obtaining strong cybersecurity has become a necessity. Globally, businesses hold a huge amount of personal information data, making exposure to cyberattacks along with fines by the authorities and lawsuits from customers and their personnel potential risks. Mostly, for insurers, silent insurance risks, coverage of insurance, administrative fines, and analyzing policyholders’ equipment are the key points to double-check. Still, there are no legal regulations regarding cybersecurity insurance, therefore, both insurers and policyholders need to be aware of the risks discussed in this article and ensure they have made thorough assessments and/or taken additional policies in order to reduce those risks.