
Insurance Law: Cover for Cyber Extortion Damage and Mitigation Costs
Explore the legal landscape regarding insurance coverage for damage caused by cyber extortion and mitigation costs as discussed by Professor Dr. Robert Koch at the 10th AIDA Europe Conference. Discover the relevance of cover for cyber extortion, implications of ransomware payments, and the legal framework in Europe for covering mitigation costs. Gain insights into regulations in EU member states and considerations for insurers in mitigating cyber risks.
Presentation Transcript
Professor Dr. Robert Koch, LL.M. (McGill), Director of the Institute of Insurance Law, Faculty of Law
Cover for damage caused by cyber extortion as loss mitigation costs
10th AIDA EUROPE CONFERENCE, 30-31 May 2024, Financial Lines & Cyber Working Party Meeting
Prof. Dr. Robert Koch LL.M. (McGill), Universität Hamburg, Seite 1
Overview
I. Cover for damage caused by cyber extortion as loss mitigation costs: when does it become relevant?
II. Cover for mitigation costs: legal landscape in Europe
III. Consequences with regard to the recovery of ransom payments as mitigation costs
IV. Conclusion
I. Cover for damage caused by cyber extortion as loss mitigation costs: when does it become relevant? (1)
I. Cover for damage caused by cyber extortion as loss mitigation costs: when does it become relevant? (2)
- Ransomware payments are not insured, or are excluded from cover, under a cyber insurance policy.
- The sum insured for cyber extortion under a cyber insurance policy is lower than the sum insured for business interruption and/or restoring data and/or potential third-party claims (from customers whose personal data has been compromised) and the costs of containing and investigating the attack.
II. Cover for mitigation costs: legal landscape in Europe (1)
- No specific regulation on insurance cover for ransom payments to prevent or terminate business interruptions resulting from cyber attacks; the general rules apply to the coverage of mitigation costs.
- In most EU member states, the insurer is required by statute to cover the costs of mitigation if the mitigation measures were reasonable, regardless of whether the measures actually succeeded in containing the loss.
- No coverage of mitigation costs in France, unless the insurance contract provides otherwise. Coverage is possible under the general doctrines of gestion d'affaires and enrichissement sans cause, provided the insurer benefited from the mitigation efforts.
- In the UK, in the absence of express wording, cover cannot be implied into an insurance policy for costs to mitigate a loss.
II. Cover for mitigation costs: legal landscape in Europe (2)
- The test for determining the reasonableness of the measures differs slightly between the various jurisdictions that require the costs of mitigation to be covered.
- Some statutes suggest that a purely objective standard is applied. See e.g. Article 7:957 Dutch CC:
  1. As soon as the policyholder or the insured person is aware or ought to be aware of the materialisation of the risk [...], each of them [...] is obliged to take, within a reasonable time, all measures that could lead to the prevention or reduction of damage.
  2. The insurer reimburses the expenses connected to the measures referred to in paragraph 1 and compensates the damage which might have been caused to objects used in this process.
- See also s. 61 Finnish ICA, art. 7 para. 3 Greek ICA, art. 826 para. 4 Polish CC, art. 127 para. 1 Portuguese ICA, art. 17 Spanish ICA, and art. 38c Swiss ICA: objectively necessary expenses must be reimbursed.
II. Cover for mitigation costs: legal landscape in Europe (3)
- Other countries adopt a more subjective approach and ask whether the insured was justified in taking the measure in question. See e.g. s. 83 para. 1 German ICA: "The insurer shall reimburse expenses incurred by the policyholder [to avert or mitigate the loss], even if they have been unsuccessful, to the extent that the policyholder was entitled to consider them necessary under the circumstances."
- See also s. 63 para. 1 Austrian ICA: objectively necessary expenses must be reimbursed.
II. Cover for mitigation costs: legal landscape in Europe (4)
- In some countries the decisive test is whether the insured acted with due diligence under the bonus pater familias standard (would a good and cautious family man have acted in the same way?).
- See art. 106 Belgian IA 2014, art. 64 Luxembourg ICA, and art. 1914 Italian CC: objectively necessary expenses must be reimbursed.
II. Cover for mitigation costs: legal landscape in Europe (5)
German case law and scholarly writings:
- No case law on ransom payments to prevent or terminate business interruptions resulting from cyber attacks.
- Payment of a ransom for a stolen car is insured as mitigation costs in comprehensive car insurance (Court of Appeal Saarbrücken, NJW-RR 1998, 463; District Court Freiburg, zfs 2001, 174).
- Ransom paid to pirates to recover the ship and cargo is insured as mitigation costs in marine insurance (no case law, only scholarly writings).
II. Cover for mitigation costs: legal landscape in Europe (6)
Where the insurer is statutorily obliged to cover mitigation costs:
- In some countries the sum insured under the contract is not a ceiling on the payment owed by the insurer: expenses for the mitigation efforts are covered even if this sum, together with the compensation for the loss, exceeds the sum insured. See art. 106 Belgian IA 2014, s. 61 Finnish ICA, art. 7 para. 3 Greek ICA, art. 1914 para. 2 Italian CC, art. 64 Luxembourg ICA, art. 7:959 para. 1 Dutch CC, art. 38c Swiss ICA.
- In Austria, Germany, Poland, and Portugal, this only applies to mitigation costs arising from compliance with instructions given by the insurer. See s. 63 para. 1 Austrian ICA, s. 83 para. 3 German ICA, art. 826 para. 4 Polish CC, art. 127 para. 3 Portuguese ICA.
III. Consequences with regard to the recovery of ransom payments as mitigation costs (1)
- How Long Does It Take to Recover from a Ransomware Attack (https://www.provendata.com/blog/how-long-does-it-take-to-recover-from-ransomware/): according to a Statista survey, the average recovery time after a ransomware attack is 22 days.
- Example: coverage for business interruption: 10 Mill. Euro; insured daily compensation rate: 200.000 Euro; ransom demand: 1 Mill. Euro.
- The ransom payment is objectively necessary under the circumstances (22 days x 200.000 Euro/day = 4,4 Mio. Euro): if the insured pays the ransom, s/he is entitled to reimbursement by the insurer.
III. Consequences with regard to the recovery of ransom payments as mitigation costs (2)
- Do the statutory provisions on the reimbursement of mitigation costs apply if ransom payments are expressly excluded? Yes, if they are mandatory (as is the case in Germany and Austria).
- Can the insurer instruct the insured not to pay the ransom? Yes.
III. Consequences with regard to the recovery of ransom payments as mitigation costs (3)
- Is the insured obliged to follow this instruction? What are the consequences if the insured does not follow the instruction?
- Example: insured daily compensation rate: 200.000 Euro, provided for 25 days (max. 5 Mill. Euro); the ransomware attacker demands 2 Mill. Euro; the insurer instructs the insured not to pay. 10 days after the attack, it becomes clear that the insured needs more than 25 days to resume business operations (i.e., the damage caused by the business interruption exceeds the sum insured); the insured pays the ransom.
- German case law: no obligation to follow the insurer's instructions if the instructions impose an unreasonable financial burden on the insured.
IV. Conclusion
Where mitigation costs are covered by statute, regardless of an agreed sublimit for cyber extortion, the cyber insurer always owes the ransom payment up to the sum insured for business interruption as expenses for mitigating the loss, if the ransom sum is less than the actual/anticipated business interruption loss and/or the costs of restoring the data and/or potential third-party claims and the costs of containing and investigating the attack.
Thank you for your attention! robert.koch@uni-hamburg.de