The Mactavish report – our evaluation and response

Chris Lennon, Co-Chair of our Cyber National Practice Group and Head of Sales and Distribution – Commercial, responds to the recent Mactavish report.

Many of you will have seen the recent report published by Mactavish highlighting what they perceive to be major flaws in the sale of "off the shelf" commercial cyber insurance. The findings are set out in their report, published on 18 January 2019 and based on a review of 30 major UK cyber policies.

Several industry figures have responded, many describing themselves as perplexed. Cyber providers have also rebutted the Mactavish claims: James Burns, cyber product leader at specialist insurer CFC Underwriting, described them as "misleading", as reported in Insurance Age.

Stackhouse Poland established a National Practice Group in 2017 to evaluate and coordinate our group approach to cyber. A key remit of the National Practice Group is to evaluate the market, identify preferred insurers and keep abreast of policy wording innovation on an ongoing basis. The insurance proposition championed by the National Practice Group includes a number of non-standard extensions and endorsements, many of which address the concerns raised in the Mactavish report. We have summarised the major talking points and the perceived common flaws identified by the Mactavish report, with our response to each, below:

Mactavish warned that very few claims have been made on these new cyber policies and believes many will be disputed, with settlements much lower than clients' expectations. Bruce Hepburn, chief executive at Mactavish, said that "despite the sharp increase in cyber incidents this market is immature and, in many respects, untested."

Whilst it is true that the market for cyber is young and many aspects of cover are untested, the relatively small claims pool is a product of the generally low take-up rates in the UK, where fewer than 10% of businesses currently purchase cyber cover and most of these policies have been taken out in the last few years. Moreover, the loss ratios of our insurers show that, where claims are being notified, indemnity and breach response support is being provided. CFC publish a monthly claims summary and case studies on their losses.

The seven flaws as viewed by Mactavish are as follows:

1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions

Both Hiscox and CFC identify human error as their number one cause of loss, and this feeds through to their claims loss ratios and case examples. Hiscox have also introduced the Cyber Clear Academy (a GCHQ-approved, AI-based training suite) as a means of improving cyber awareness and cyber hygiene within an organisation. Hiscox will reward policyholders who achieve 80% staff completion with reduced excesses.

CFC apply a nil excess to breach response services to encourage notification and investigation, acknowledging that proactive costs are far lower than reactive costs; they therefore want policyholders to notify all potential losses.

CFC and CNA Hardy also do not limit data breach and crime losses to an electronic cause; as such, both include losses sustained as a result of the accidental loss of devices, and social engineering losses such as impersonation fraud.

2. Data breach costs can be limited, i.e. covering only the costs that the business is strictly legally required to incur (as opposed to the much greater costs that would be incurred in practice).

All Stackhouse Poland preferred partners offer a detailed breach response solution, which includes engaged specialist vendors to support policyholders in managing and mitigating any potential reputational damage, and this is supported by a full business interruption schedule.

3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted.

The financial impact of a cyber incident can be long lasting, and the value of longer indemnity periods in cyber policies is becoming increasingly apparent. The CFC cyber policy has a 12-month indemnity period in place, whereas most cyber policies offer 3-6 month indemnity periods as standard. The Stackhouse Poland approach is to discuss needs and exposures with clients and make recommendations accordingly, using claims examples to illustrate. It is also worth noting that, with our preferred insurer partners, buyers have the option to extend their indemnity period if the findings of those discussions highlight a need to do so.

4. Cover for systems delivered by outsourced service providers (this is many businesses’ most significant exposure) varies significantly and is often limited or excluded.

As the white papers, blogs and guides published by Stackhouse Poland demonstrate, we are acutely aware of this exposure. Indeed, we have sought to highlight to clients the risk associated with supply chains, including major losses such as the Dixons Carphone 2018 breach and the Marriott hotel breach. Whilst every risk will be evaluated on its merits and it is true that some policies will be sub-limited, any sub-limits will always be identified to clients and, wherever possible, we will agree with insurers indemnity to the full policy limit. Regardless, breach response services will be offered as standard.

5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems.

This is a somewhat outdated exclusion and is rarely applied. Our preferred insurers do not exclude losses arising from first-generation or experimental/trial software, or from updated software or operating systems. CFC has never declined a claim because a system was "recently updated".

6. Where contractors cause issues such as a data breach, but the business is legally responsible, policies will sometimes not respond.

This is a rarely seen exclusion, and none of the Stackhouse Poland preferred insurers includes it. The CFC, CNA Hardy, Chubb and Hiscox policies all provide indemnity following any data/privacy breach resulting from a system compromise or accidental breach caused by a contractor or outsourced provider. The CFC cyber policy goes further and also covers the insured's data wherever it is hosted and whoever breaches it. As referenced earlier, claims arising from breaches at contractors are growing in frequency, and our experience is that insurers are paying them.

7. Notification requirements are often complex and onerous.

This is a bizarre observation, as all our preferred insurers have simple, dedicated pathways for the notification of claims, either to their own claims teams or to an engaged provider such as a first-tier law firm operating a First Notification of Loss service, which enables the insurer, or their agent, to triage the incident and agree an immediate response, generally within 12 hours. CFC, for instance, ask the insured to notify them as soon as reasonably practicable, with no onerous time restriction or condition, and notification can be by phone, e-mail or through their award-winning app. CFC also operate a 15-minute response time where the insured is experiencing a live incident.

In conclusion, whilst there may be some merit in the observations highlighted in the Mactavish report, we can only surmise that they reflect older policies, cyber products released by non-specialist insurers, or "bolt-on" cyber covers supplementing a general commercial wording. It should also be noted that, alongside the publication of the report, Mactavish launched a new Cyber Risk Consulting Practice to help clients understand their exposure to cyber risks and source appropriate insurance cover.

As with all areas of insurance and risk transfer, the best advice is to engage a broker with genuine specialist capabilities and understanding. At Stackhouse Poland, we take seriously our responsibility to understand the cyber landscape and advise our clients. We work tirelessly to ensure that the insurers and policy wordings we recommend are comprehensive and competitive and, where we feel there are additional cover needs, we agree additional protection through non-standard endorsements. Our credentials in the cyber market are supported by our various awards and accolades.
