Commercial contracts and cyber insurance requirements

We don’t need to tell you that cybersecurity is in the news. In fact, you’ve probably seen our popular Cybersecurity Series, discussing everything from passwords to training, encryption to how to identify and manage a breach. If we take the view that breaches - some costing millions - are likely to become a matter of day-to-day business - as technology develops - then it stands to reason that this is a risk organisations will look to insurers to help mitigate.

It is possible, already, to take out insurance cover against some of the aspects of cybersecurity risk, in the UK. Indeed, it’s increasingly common for commercial contracts to require one or more party to obtain insurance against this type of risk. Whilst this doesn’t automatically mean an insurer would ‘pay out’, should the worst happen, it can be a good start if questions arise over whether one party can afford to meet third-party claims, to rebuild damaged property or to  meet a damages claim made by the other party’s business.

If the contract states that there is a requirement to procure insurance, failing to do this could result in a claim for breach of contract, and possibly contract termination, even if there hasn’t yet been a loss or cyber breach. More importantly, should you face a cybersecurity incident, having insurance in place could help to protect the contract or project by setting out clear guidelines for how things need to be handled, without the added ‘reactive’ complication.


What types of cover should you include in your contracts?

There are a number of widely-understood types of insurance that can be considered. In each of these the contractual provisions should set out the key acceptable terms and exclusions. These include:

  • Public Liability Cover - It’s usual for this to include third-party cover for legal liability for damage to persons, property, or both. It’s also usual that this will limit contractual liability and pure financial loss, and that it will be restricted to the duration of the policy period and contract.

  • Professional Indemnity Cover- This works in much the same way, covering legal liability to third parties arising from professional services. Once again it will usually cover claims made only during the policy period. For this reason it’s usual contracts to stipulate that policy cover must be kept in place for either six or 12 years following the end of the contract, depending on whether liability arises from a simple contract or a deed.

  • First-party Property Cover - Once again, covering the contract and policy period, this indemnifies parties against physical loss or damage within the policy period.


However, Cyber Risk Insurance isn’t as simple as that

Because of their nature, cyber breaches present a wide range of very fluid insurance risks. Cover for cyber risks might, therefore, be found in a wide range of different insurance policies.

You might wish to consider risk from both first party losses (for example loss of physical data or funds, damage to property, injury to personnel and loss of business), third-party losses (for example liability to third parties if their data are made public or if the loss of data causes financial losses, liability to owners of neighbouring property if physical damage is caused or liability through breach of contract), legal costs and fines arising from regulatory breaches  and costs arising from claims by shareholders.

Establishing the correct form of insurance provision to include in a contract will depend on understanding of the most likely risks. To do this you will need to consider the likely mode of attack; how well you are each prepared; the extent and the sensitivity of the data held; varying elements of reputational risk; and the plant and machinery used and their location and mode of control.


So, what do you need to include in your contracts?

  1. Don’t be afraid of the detail - to manage a wide and varying range of risk you may need to set out, in some detail, the types of risks the parties expect and what any insurance needs to cover.

  2. Everything’s changing - Don’t forget, the market is changing at a fast pace and, it stands to reason, so too are the insurance products available. For a short-term contract this might not be a problem but for longer term agreements the insertion of  review points, might be worthwhile.

  3. Talk to each other - The other option is to set out simply state that the terms of the insurance should be acceptable to Party A/B and that it’s for them to accept or reject these terms. This may present some challenges in terms of securing full disclosure of policies and information, as well as guaranteeing careful drafting.

  4. Talk to the experts - Having the right insurance in place is only one small step towards protecting your organisation from an ever-growing threat. As with so many things the best first step has to be speaking to a specialist, legal expert, such as Clayden Law, who can help to advise on the areas of risk you face, as well as the best, contractual steps you can take to mitigate that risk.