Assicurazioni - Rivista di diritto, economia e finanza delle assicurazioni private
ISSN 0004-511X
G. Giappichelli Editore


Core aspects of cyber risks insurance: an analysis in dialogue with some Portuguese and Italian insurance policies (di José Alves de Brito, Assistant Professor at Faculty of Law, University of Lisbon (FDUL) – Researcher at the Lisbon Centre for Research in Private Law (CIDP) – Maria Leonor Ruivo, Guest Lecturer at Faculty of Law, University of Lisbon (FDUL) – Researcher at the Lisbon Centre for Research in Private Law (CIDP))


According to data provided by ‘Statistica’, the European cyber risks insurance market is expected to grow exponentially between 2020 and 2030, doubling in size between 2020 and 2025. It is well established that cyber risks insurance is an inescapable phenomenon in the insurance market, despite the need for a more in-depth analysis of insurance practice in this sector. This article aims to present an overview of the types of coverage provided by insurers in their contracts and of some of the legal issues they raise, as well as of the atypical services included in them.

Keywords: cyber risks insurance – first-party loss and civil liability – assistance insurance.

Core aspects of cyber risks insurance: a comparison of Portuguese and Italian policies

According to data provided by ‘Statistica’, the European cyber risks insurance market is expected to grow exponentially between 2020 and 2030, doubling in size between 2020 and 2025. It is well established that cyber risks insurance is an inescapable phenomenon in the insurance market, despite the need for a more in-depth analysis of insurance practice in this sector. This article aims to present an overview of the types of coverage provided by insurers in their contracts and some of the legal issues they pose, as well as the atypical services included in them.

Keywords: cyber risks insurance – first- and third-party loss – assistance insurance.

CONTENTS:

1. General remarks - 2. Cyber risk - 3. Insurance for businesses. The usual forms of cover in insurance for businesses: first-party loss – “own damage” – and third-party loss – civil liability - 4. Prevention and assistance in cyber risks insurance contracts - 5. Types of services rendered - 6. The limits on prevention services imposed by the Insurance Contract Law and by the Portuguese legal rules on insurance business - NOTES


1. General remarks

WannaCry and NotPetya or, going further back in time, events such as the Love Bug virus, have made headlines because of the economic consequences they brought to individuals and organisations. WannaCry consisted of a cyberattack [1]-[2] designed to extort a ransom from its victims, who were faced with demands of between 300 and 600 United States dollars, payable in bitcoin. It is estimated that the WannaCry worm affected more than 300 million computers through data encryption, exploiting a vulnerability in old Windows systems which the patches [3] developed by Microsoft failed, for a variety of reasons, to remedy [4]. The NotPetya attack took place in 2017 and, like its predecessor Petya, was an example of ransomware [5]. However, the variant released in 2017 had the purpose of destroying data, and its modifications were impossible to undo [6]. Although much earlier than NotPetya, the Love Bug (VBS/LoveLetter.worm) also had substantial destructive capabilities, and its victims included the House of Commons, in the United Kingdom, and the Pentagon, the White House, the Congress and the CIA, in the US. Delivered as a Microsoft Outlook e-mail, the bug carried the following indications: the subject “ILOVEYOU”, the message “kindly check the attached LOVELETTER coming from me” and the attachment “LOVE-LETTER-FOR-YOU.TXT.VBS”. Once the attachment was opened, the Love Bug sent a copy of the e-mail to all the names in the recipient’s address list, blocking mail systems, overwriting files and in the meantime destroying information. The Love Bug also sought to download an executable file that forwarded the recipient’s passwords to a given e-mail address [7].
Whilst it would be unfeasible to relate all the cyberattacks that occurred during the first 20 years of the twenty-first century, attention should be drawn to the events, with or without State support (giving rise, in the former case, to what is called “cyberwar”) [8], that affected a certain German steel plant (2014), Ukraine’s power network (2015), the SWIFT bank transfers system (2016), Schneider Electric SE (2018), Boeing (2018) and Airbus (2019) [9]. Bearing in mind that all organisations can be subject to cyberattacks (including, therefore, hospitals), we may point out, in Portugal, the April 2020 attack on the power supply company EDP, which allowed its perpetrators to access around 10 terabytes of the [continua ..]


2. Cyber risk

In the Portuguese market, insurance contracts specifically aimed at compensating losses resulting from cyberattacks name the covered risks under the heading “cyber or cybernetic risks” [11], and so it is possible to identify a decisive Anglo-Saxon influence [12]-[13]. For example, it is possible to make use of the definition provided by the International Association of Insurance Supervisors (IAIS), which defines cyber risks as “any risks that emanate from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. It also encompasses physical damage that can be caused by cybersecurity incidents, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity, and confidentiality of electronic information − be it related to individuals, companies, or governments” [14]. A central point here, however, is acknowledging that the concept of cyber risks is broader than that of cyberattacks, insofar as cyber risks may be manifested in damages resulting from malicious cyberattacks, such as infection of a technological system with malicious code, but also from non-malicious acts such as data losses, accidents and omissions [15] relating to tangible or intangible assets. In short, as an introduction, cyber risk may be presented as the risk of any financial loss, disruptive impact or reputational harm resulting from a failure in information technology systems, whether that failure originates in persons, processes or technology [16].
Presupposing malicious activity, certain Italian policies start out from the definition of cyber event as a (malicious) act that affects IT systems, although requiring it to fall within one or more of the following cases: unlawful access (unauthorised access) to an IT system and the data it contains; interception by technical means of non-public transmissions of computer data to, from or within an IT system; interference with data: damage, deletion, deterioration, alteration or suppression of IT data or implementation of interference systems, i.e. interference in the operation of an IT system through entry, transmission, damage, deletion, deterioration, alteration or suppression of IT data [17]-[18]. Finally, it should be stated that a somewhat different proposal comes from the standard conditions for cyber risks insurance (Allgemeine Versicherungsbedingungen für die [continua ..]


3. Insurance for businesses. The usual forms of cover in insurance for businesses: first party loss – “own damage” – and third party loss – civil liability

The abundant provisions of English clauses enable us to identify a set of covers common to Portuguese and Italian insurance policies. Without prejudice to the special features of each country, we find that the insurable risks are the same regarding various topics. For example, (a) first-party insurance: (i) data recovery costs – compensation for the expenses incurred in recovering the insured’s data and IT systems (although the existence of back-ups may be required [24]-[25]); (ii) business interruption losses – although slight variations may apply according to the applicable policy, compensation is payable only after a certain period of time has elapsed (the “time excess”). The compensation refers to profits [26] not obtained because of the total interruption or reduction of the insured’s business activity caused by certain events relating to the IT system. The insurer may be obliged to pay a per diem amount [27] or to base the amount payable on information of various kinds [28]; business expenses may also sometimes be included [29], as well as expenses incurred to reduce the impact of the loss. In contrast with more traditional types of business interruption insurance (see the classic examples of fire or mechanical breakdown leading to business interruption), in some of the examined clauses the cover is limited to cases where the insured’s electronic data or information processing systems cease to be available or cease to perform their usual function [30]. However, similarly to what may be observed in traditional business interruption insurance, reference is still made to an “indemnity period” [31], and compensatio lucri cum damno [32]-[33] remains relevant. (iii) notification expenses – another common feature is notification expenses cover, frequently with a special mention of notifications required under personal data protection legislation and regulations (in particular, those provided for by the GDPR).
The insurance policies appear to suggest that compensation will only be payable for expenses relating to mandatory notifications, and not for merely optional [34] ones, but, in any case, any expenses for notification require the insurer’s prior consent, and there is often an express requirement that these expenses be reasonable. One important issue, not always clarified, has to do with the recipient of the notifications: it is unclear whether [continua ..]


4. Prevention and assistance in cyber risks insurance contracts

In addition to the delimitation of the typical forms of cover present in cyber risks insurance, attention should be drawn to another aspect which, although appearing side by side with those traditional forms, is not to be confused with them: the introduction of preventive services in insurance policies. Although insurers’ concern with prevention is by no means a unique feature of insurance business addressing cyber risks, the scale of this activity has been increasing within cyber risks insurance in a way that requires analysis. With the advent of new technologies and their multiple uses in the insurance industry, there has been a general shift in the traditional insurance contract paradigm, most notably transforming the scope of insurers’ activities. In fact, we may observe a tendency for gradual expansion of their field of action, moving away from the traditional model of the insurer as exclusively, or primarily, geared to risk protection, towards a new idea of an organisation that combines risk protection (or risk transfer) with risk prevention [61]-[62], leading insurers to take on risk management functions [63]-[64]. This phenomenon, to which the growth of the Internet of Things (IoT) has contributed, can be seen with particular clarity in cyber risks insurance [65], insofar as the average insured person is not able to identify and comply with the minimum security standards that should be observed in order to prevent occurrences.

The first point that needs to be analysed in connection with the insurance industry’s pursuit of this new role in prevention has to do with the legal framework for its services; in particular, we need to determine whether these services can still be classified as insurance business and, if so, what rules apply to them. Under Article 173 of the Portuguese Insurance Contract Law, inspired by Article 2 (2) of the Solvency II Directive and by Article 175.1 c. ass. [66], in “assistance insurance the insurer undertakes, on the terms stipulated, to provide or render aid to the insured in the event of it finding itself in difficulties as a consequence of an aleatory event”. In turn, Article 174 of the Portuguese Insurance Contract Law proceeds immediately to the delimitation of the benefits rendered under assistance insurance, establishing that assistance insurance does not include: maintenance or preservation services, post-sales [continua ..]


5. Types of services rendered

Prevention and assistance services in cyber risks insurance take a wide variety of shapes and forms, and it is therefore possible to identify the different arrangements that such services offer. In view of the functions attributed to the insured, we may distinguish between: a) the traditional insurance model, where the insured is responsible for taking the steps considered appropriate for preventing the loss, as is the case in the Portuguese Hiscox CyberClear policy [75], the German AVB Cyber [76], and, in Italy, the Vittoria Cyber Risk Protection [77] and Reale Mutua Cyber Risk Reale 2.0 policies [78], in the US, the AXA XL Cyber Risks Connect policy [79] and, in Spain, the Liberty Cyber Risk policy [80]; b) the model of the insurer as performing or offering risk management services [81], providing the means to identify, assess and eliminate situations of risk [82], examples of which, in Portugal, are the Fidelidade Seguro de Responsabilidade Civil – Cyber Safety [83], Allianz Cyber Risks [84] and Tranquilidade Seguro de Cyber Risks policies [85], as well as, in Switzerland, the AXA Household Insurance policy [86]. It is also possible to draw a distinction between the different prevention and assistance services offered by insurers based on their relationship with the risks covered by the insurance contract: a) prevention services stricto sensu, which provide the insured with a service which, although related to cyber risks – insofar as it seeks to eliminate or reduce those risks –, does not make it possible to detect an aleatory event; b) assistance services stricto sensu (where the insured is faced with a difficulty as a consequence of an aleatory event and subsequently requests the insurer’s aid); and c) intermediate services (or detection services) which, although starting out from a preventive perspective (i.e. at a time when the insured has no knowledge of any difficulty resulting from an aleatory event for the purposes of Article 173 of the Insurance Contract Law), set out to identify difficulties (or even possible losses which may be in progress but which have not yet been detected by the insured) and to provide assistance (stricto sensu) in resolving those difficulties or to cover the losses suffered [87]. Regarding intermediate services (or detection services), it is our view that they should also be treated as prevention services (not falling under assistance insurance), insofar as [continua ..]


6. The limits on prevention services imposed by the Insurance Contract Law and by the Portuguese legal rules on insurance business

By providing for prevention and/or assistance services, insurance companies offer an array of services which, in turn, interact with the risk covered in a great variety of ways. The question now becomes the admissibility [92] of an insurance company providing prevention services stricto sensu and detection services (neither of which is included within the concept of “assistance”, because they do not presuppose an aleatory event and therefore do not correspond to the typical object of an insurance contract) [93]. The question is raised because, as stated in Article 47.1 of the Portuguese legal rules on the taking-up and pursuit of the business of Insurance and Reinsurance (RJASR – Regime Jurídico de Acesso e Exercício da Atividade Seguradora e Resseguradora), insurance companies “have the sole object of carrying on insurance business, as well as operations directly arising therefrom, with the exclusion of any other commercial business”. The reference to operations directly arising from insurance business should be understood with the meaning set out in Article 8 of Decree-Law 94-B/98, of 17 April (the previous RJASR), i.e. “activities connected to or complementing insurance or reinsurance business” [94], enabling us to distinguish between (i) the object of insurance business in the strict sense, in other words, limited to the business of “operating (that is to say, entering into and managing) insurance contracts” [95], to be carried on professionally; and (ii) the broad object of insurance business (here related to the idea of risk or financial activity). Can we therefore regard the provision of risk prevention services (prevention services stricto sensu and intermediate services) as falling within the object of insurance business?
It has been argued, in abstract terms, that the pursuit of prevention activities does not clash with the exclusivity of insurance business, and that such activities are still included in insurance business (and not, actually, in a connected or complementary activity), at least when the prevention activities in question amount “to centralisation and processing of information on security issues, from which it is deduced what steps and processes might precisely eliminate or reduce incidents” [96]. In any case, the prevention activities currently carried on by certain insurers have gone significantly beyond prevention through [continua ..]


NOTES