Special Interest Group: Claimant

The CILA Claimant SIG represents those members who work on behalf of policyholders. Helping individuals and businesses navigate the insurance claims process gives these members a firsthand appreciation of the practical challenges and impact of making a claim. The CILA Claimant SIG Committee is a group of experienced claims professionals who work for policyholders in various ways. They support CILA members by highlighting any legal, regulatory or industry developments that may have an impact on Claimant SIG members. Through regional events they also encourage networking and the sharing of ideas amongst the Claimant SIG community.

SIG Committee

Chairman

Richard Hanson-James - RHJ Consult Ltd and Steve Taylor - Aon

Members

  • Council representative: Angus Tucker - Lorega Solutions Ltd
  • Committee: Richard Greenslade - Courtney Smith & Co Ltd
  • Candy Holland - Echelon Claims Consultants
  • Heather Parkinson - Parkinson Consulting
  • Judy Polak - Willis
  • Kay Toms - Baker Toms
  • Peter Wallis - Marsh
  • David Whittle - Whittle & Co Ltd

Latest Updates

We are indebted for the content of this newsletter to our SIG sponsor, Edwin Coe LLP, who acted for Western Trading in the case of Western Trading v Great Lakes, on which the Court of Appeal handed down its judgment at the end of October. Much of what follows has been taken from Edwin Coe’s seminars on the case in November and January.

Insurers had initially raised two defences to the claim. The first was an absence of insurable interest: at all times the freehold owner of the building was a Mr Singh, who was also the owner of the tenant, Western Trading. There was a complex network of relationships within Mr Singh’s businesses, but in all respects Mr Singh was the equitable owner of all interests. The first instance judge ruled that as such arrangements were not unusual, and as the Claimant company had to account to Mr Singh for the property, this defence would fail. Insurers did not appeal that decision.

The second defence was that the Claimant had suffered no loss because reinstatement had not taken place, and there had been no diminution in market value (DMV). The policy specified that the basis of the amount payable should be the reinstatement of the damage with the policyholder able to choose to reinstate on another site and in any manner suitable to the policyholder’s requirements. Insurers argued that there was no financial loss as, amongst other arguments, the value of the site had been enhanced by the fire.

The Court of Appeal upheld the first instance judgment in two important respects. First, where the terms of the policy and the intentions of the policyholder are clear, as in this case, the amount payable is the cost of reinstatement, and diminution (or increase) in value is not a factor. Second, any time limitations in the policy do not start to run until insurers have admitted liability.

This is inevitably a simplification of a much more complex case, but one which merits re-examination of those claims where the measure of loss, particularly reinstatement, is in issue. The exact circumstances are important and Edwin Coe offer help to all CILA members.

On Tuesday 22nd November the CILA Claimant SIG held an afternoon seminar on the subject of reinstatement. The event was kindly hosted by Edwin Coe who are lead sponsors of the CILA Claimant SIG.

The speaker was Roger Franklin who is a partner at Edwin Coe. Roger structured his talk around the recent Court of Appeal case, Western Trading Ltd versus Great Lakes Reinsurance UK Plc. He provided the background to the case and explored the key points that were presented by both the defence and the claimant. Of particular interest to adjusters were the discussions around the intention to reinstate, contractual obligations to reinstate and the economic viability of reinstatement.

The talk also included reference to key cases such as Reynolds v Phoenix Assurance Co Ltd (1978), Leppard v Excess Insurance (1979), Mclean Enterprises Ltd v Ecclesiastical Insurance (1986) and Lonsdale & Thompson v Black Arrow Group (1993). This event was one of the most popular CILA seminars of 2016 and the feedback from those who attended has been great:

“A very well delivered seminar by a knowledgeable speaker on an important case”

“Very relevant subject, totally up to date and superbly presented.”

Members will be pleased to know that Roger has agreed to repeat his talk in Leeds on Thursday 23rd February 2017. For further details, and to book, please go to: http://www.cila.co.uk/cila/events/cpd/507-cila-claimant-sig-seminar-reinstatement-a-claimant-sig-perspective-2


On Wednesday 25th May, the Claimant SIG delivered a seminar followed by a panel discussion on the Insurance Act 2015, at the Hyatt Regency in Birmingham. It was a great opportunity for members to share and discuss their experiences of claims handling, noting different perspectives and common challenges. The event was attended by 33 claims professionals and we would like to extend our special thanks to Kay Toms for chairing the panel discussion and assisting with the co-ordination of this event.

Roger Franklin (partner of Edwin Coe LLP, lead sponsors of the Claimant SIG) delivered a presentation covering some of the likely issues that will arise when negotiating claims following the introduction of the Insurance Act 2015, exploring key points for policyholders, both at inception and settlement.

This was followed by a lively panel discussion chaired by Kay Toms (principal at Baker-Toms Chartered Loss Adjusters), highlighting implications of the Act from different viewpoints, namely those of the loss adjuster, broker, lawyer and insurer. The panel comprised Angelo Cugini (Area Sales Director of Richard V Wallis & Co.), Roger Franklin (Partner of Edwin Coe LLP) and Nick Smith (Senior Manager - Product Strategy at Aviva Insurance Limited), and gave members the opportunity to ask questions of the speakers, to debate the issues raised and to provide feedback on their experiences.

Our thanks to the Claimant SIG Committee and their sponsors, Edwin Coe LLP.

The rapid growth of mobile internet devices and the use by organisations across all industry sectors of information technology infrastructures to handle electronic data gives rise to an ever-increasing risk of data breaches caused by malicious attacks, human error or accident.

Indeed the potential for physical damage (damage to property, equipment, supply chains, etc.), bodily injury and business interruption stemming from cyber attacks or incidents seems ever more likely.

This is the second of two blogs on the subject: the first considered the nature and consequences of cyber risks, and this one considers the current insurance situation.

A very recent example of a cyber attack with the potential for physical damage and/or bodily injury was the successful breach last month of Fiat Chrysler’s in-car systems, uConnect, which allowed hackers to take control of a Jeep on the highway, prompting the recall of 1.4 million vehicles in the United States. Remote hijack vulnerability can result in a hacker remotely operating the brakes or even shutting off the engine, the consequences of which are potentially extreme.

Cyber threats change rapidly making it almost impossible for individual organisations to keep their defences ahead of the game. Part One of this blog, published in June 2015, noted that approximately 52% of CEOs of large organisations believe that they have cyber cover whereas the reality is likely to be closer to 10%.

However, despite these statistics, and the considerable risk posed by cyber breaches, the UK insurance market has yet to catch up with the current risk and coverage can be limited and is often inconsistent.

Conventional Insurance Policies
Coverage of cyber risks can be problematic under conventional policies, which have not traditionally been designed to protect policyholders against cyber risks. Indeed, in light of the increasing threat from cyber breaches, some conventional insurance policies have introduced cyber exclusions.

The recent Government Report on Cyber Security identified a number of cyber exclusions and gaps in traditional insurance policies including:

| Insurance Product | Main Type of Loss Covered (Primary Objective of the Cover) | Potential Gap of Cover for Cyber Perils |
|---|---|---|
| Property | Physical asset damage (First-Party) | Exclusions removing cyber attacks and explicit coverage triggers for physical-asset damage. Damage to software and data not covered (as deemed intangible form of property). |
| Business Interruption | Lost revenues and additional costs incurred (First-Party) | Traditional policies are not triggered by cyber attacks that do not cause physical damage. |
| General Liability | Third-party liabilities for physical property damage, bodily injury, and advertising injury (i.e. liability claims arising from published content, including violation of privacy) | Exclusions relating to unauthorised disclosure of personal information. |
| Errors and Omissions / Professional Indemnity | Third-party liabilities arising from the performance of professional services | Cover may be restricted to liability claims from customers only, hence why claims for disclosure of employees’ data are often not covered. Several exclusions might apply (for example, computer virus transmission). |

Source: UK Cyber Security Report HM Government

Traditional property and business interruption policies offer First Party insurance providing payment when property suffers damage or loss. First Party cyber risk exposures can include:

  • Loss and damage to digital assets/networks
  • Business interruption from network downtime
  • Cyber extortion
  • Reputational damage
  • Theft of money, digital assets or intellectual property and restoration costs.

Third Party liability policies cover the assets of others including:

  • Security and privacy breaches – associated investigations, defence costs and civil damages
  • Multimedia liability to cover investigations, defence costs and civil damages arising from breach of privacy, defamation or negligence in publication of electronic or print media
  • Loss of third party data
  • Regulatory fines and penalties.

Whilst a company’s property and general liability policies may well indemnify some or all of the First and Third Party losses following a cyber event, it should be borne in mind that such policies are not naturally designed to give true cyber cover and the scope and nature of any such coverage may well depend upon the construction of policy wording. Indeed the question of whether damage to data constitutes property damage remains uncertain, although some U.S. courts have held that data does constitute tangible property.

An added issue is often the fact that traditional policies will not usually provide the level of cover required to deal with losses arising from a large scale cyber peril and in the event of a loss, organisations will simply find themselves either underinsured or without cover altogether leaving them exposed.

Cyber Legislation
The introduction of legislation in a number of US States, making notification of a cyber breach mandatory, has contributed to the growth of cyber liability cover.

Whilst such legislation does not yet exist in the UK, the proposed EU Cyber Security Directive, if implemented, will force larger companies to notify their insurers and/or regulators every time a significant data breach/incident occurs, whether or not there has been unauthorised access to or loss of data. It is proposed that any breaches of data laws will attract fines and such regulatory changes are expected to increase demand for stand alone cyber insurance policies with insurers paying even more attention to an organisation’s risk profile when offering cover.

Specialist Cyber Cover and Insurance Considerations
Whilst there are now a number of stand alone cyber insurance policies on the UK market, the development and uptake of such products has been slow and even now, although stand-alone policies offer more robust coverage, risk managers should be alive to the fact that there is no standard policy cover and some policies continue to expose policy holders to certain types of cyber breaches.

The recent Government Report on Cyber Security reported that pricing for cyber cover is three times higher than for general liability cover and six times higher than for property. It is thought that the current pricing structure may be driven by uncertainty over the risk and the fact that this is an emerging market.

What is clear however, is that prices will be pushed down as the market for such products develops and underwriters begin to benefit from a growing pool of relevant data.

That said, and with the right advice from a specialist insurance broker, it is possible to identify policies which cover most risks including:

  • Business interruption from network downtime resulting in loss of income, increased cost of operation and/or costs incurred in mitigating the loss
  • Physical asset damage (at the moment there are a limited number of insurers providing stand alone cover for this type of cyber risk)
  • Reputational damage – crisis management, PR costs
  • Loss or damage to data – costs of expert reconstitution if data or software is deleted or corrupted
  • Cyber extortion
  • Investigation costs of third party privacy breaches
  • Regulatory fines and penalties.

Uninsurable risks include death and bodily injury, which may be covered to a degree by general liability and employer’s liability products, and losses associated with intellectual property theft and espionage which are deemed to be extremely difficult to prove and quantify.

Cyber Risk Insurance Terms and Quantification – Getting it Right!
As with any insurance product it is important that a broker assesses an organisation’s demands and needs with a view to placing adequate insurance. With this in mind I outline several issues pertinent to cyber insurance which risk managers and brokers should be alert to:

  • As noted in Part One of this blog any regulatory requirements and the implementation of the Government Cyber Essentials Scheme are likely to be taken into account by insurers when assessing an organisation’s risk profile and businesses should start to establish credible risk assessments and management of cyber risks to ensure they are eligible to apply for the appropriate insurance products.
  • When assessing the level of cyber cover required, and to avoid under-insurance, risk managers need to consider the entire financial impact that any cyber peril will have upon business operations taking into account associated forensic investigations, restoration of data and systems, corrective IT measures, notification costs, legal fees, downtime for operations and reputational damage.
  • Particular attention should be paid to “waiting periods”. A waiting period is an amount of time which must elapse before insurers will begin to pay any business interruption losses incurred. In conventional policies waiting periods can range from 24 to 48 hours and yet some businesses may experience significant losses within minutes of a data breach occurring because of the immediate nature of data transactions.
  • The rapid evolution of cyber risks means that risk managers and insurance brokers should also ensure that policy definitions do not limit cyber cover to named cyber risks thus excluding different forms of future breaches.
  • It should also be noted that if acts of terrorism are excluded from cyber policies this could potentially give rise to coverage issues when determining whether acts such as “hacking” attacks constitute terrorism.
  • Advising insurance brokers should be alive to the increasing need for organisations to consider cyber risk insurance and should encourage organisations to carry out a full cyber risk assessment which will assist in quantifying the potential losses from a cyber attack or incident and identifying what kind of insurance product or coverage is optimal.

Whilst it is possible, with the right assistance, to cover cyber risks adequately, the fact that the cyber industry is rapidly developing and highly complex means that it is still likely that disputes over policy wording and the arrangement of appropriate cover when claims arise will be prevalent over the coming years.

For further information on this issue please contact:

Nicola Maher
Partner
t: +44 (0)20 7691 4069
f: +44 (0)20 7691 4090

Modern businesses rely heavily on computer software and the internet when dealing with digital data and they are becoming increasingly aware of the cyber risk exposure faced by their organisations.

Over the last few years there has been increasing focus on cyber risks and associated insurance cover.

A UK Government survey carried out in 2014 estimated that 81% of large corporations and 60% of small businesses suffered a cyber-breach in 2014. Whilst over 60% of incidents reported to insurers are the result of accidents, cyber-crime is now the world’s fastest growing category of organised crime and the majority of high value losses stem from actions designed to cause harm.

This is the first of two blogs on the subject: this one considers the nature and consequences of cyber risks, and the second considers the current insurance situation.

1. Definition of Cyber Risk

The Institute of Risk Management defines cyber risk as,

“any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Almost every organisation faces exposure to loss resulting from damage or destruction of its computers and computer networks. This can lead to business interruption, income loss, damage management and repair costs and reputational damage.

Non-malicious events such as major physical incidents, for example fires, explosions, floods and natural disasters, can have a devastating effect on a business. A good example of this is the recent Holborn underground fire which caused considerable damage to services, affecting network access for hundreds of businesses and, in some cases, causing consequent supply chain disruptions.

Malicious events such as cyber-attacks are designed to cause maximum disruption exploiting vulnerabilities within a business IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, data and software destruction or deletion, theft of funds, reputational damage and liability to third parties (such as customers and supply chain partners).

2. Potential Losses from Cyber Attacks

Potential losses deriving from cyber-attacks or non-malicious IT failures fall into the following categories:

| Loss Category | Description |
|---|---|
| Intellectual Property (IP theft) | Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share. |
| Business Interruption | Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber-attacks or other non-malicious IT failures. |
| Data and software loss | The cost to reconstitute data or software that has been deleted or corrupted. |
| Cyber extortion | The cost of expert handling for an extortion incident, combined with the amount of the ransom payment. |
| Cyber-crime/cyber fraud | The direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property. |
| Breach of privacy event | The cost to investigate and respond to a breach event, including IT forensics and notifying affected data subjects. Third party liability claims arising from the same incident. Fines from regulators and industry associations. |
| Network failure liabilities | Third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party. |
| Impact on Reputation | Loss of revenues arising from an increase in customer attrition or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event. |
| Physical asset damage | First party loss due to the destruction of physical property resulting from cyber-attacks. |
| Death and bodily injury | Third party liability for death and bodily injuries resulting from cyber-attacks. |
| Incident investigations and response costs | Direct costs incurred to investigate and ‘close’ the incident and minimise post incident losses. |

Source: Marsh

3. Risk Profile

For larger organisations intellectual property theft is considered to be the risk which would have the most severe impact and issues of quantification can be challenging because IP assets and the loss suffered by an organisation are difficult to value. However, key risks also include the unauthorised disclosure of personal data, system outage events and consequent reputational damage. In fact it is estimated that reputational damage accounts for 5% – 20% of the cost of a cyber-security breach for large businesses.

Whilst physical losses are a less publicised element of cyber breaches they are a growing concern and can include damage to plant and machinery and system malfunctions. In Germany in 2014 a spear phishing[1] scam allowed hackers to access a steel mill’s system preventing a blast furnace from shutting down in the appropriate manner causing massive damage to the mill.

4. Risk Mitigation

In June 2014 the UK Government announced the launch of the Cyber Essentials Scheme. It has been designed to fulfil two functions:

  • To provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats; and
  • To offer a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

The Cyber Essentials scheme concentrates on five key controls. These are:

  1. Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks;
  2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation;
  3. Access control – ensuring that only those who should have access to systems have access and at the appropriate level;
  4. Malware protection – ensuring that virus and malware protection is installed and is up to date; and
  5. Patch management – ensuring latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

In addition to implementing those basic cyber security controls an organisation may undergo certification and it is expected that insurers, investors and auditors will start to take certification into account when assessing an organisation’s risk profile.

5. Cyber Insurance

This brings me to the issue of cyber insurance. Earlier this year the Association of British Insurers suggested that cyber insurance should become as common a purchase for UK businesses as property insurance within the next decade.

The ABI note that there are five key reasons why cyber policies are a business essential and these are:

  • Cyber-crime is one of the fastest growing forms of crime in the world;
  • Cyber threats are at the cutting edge of technology, changing so rapidly that it is almost impossible for individual companies to keep their defences ahead of the game;
  • Businesses are increasingly dependent on IT for their everyday activities;
  • Cyber-attacks and failures can result in businesses closing or having to dramatically change what they do;
  • The British insurance market is already able to offer businesses cyber insurance products; the market in London being responsible for more than 10% of global cyber insurance business.

However there is a great deal of confusion as to the level and type of insurance available or in place, how to quantify it and what sort of risks can be insured.

Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

Part two of this blog will discuss cyber risk insurance, the type and variety of cover currently available and potential coverage issues.


[1] Spear phishing is a scam involving an email that appears to be from an individual or a business that you know when in fact it is from criminal hackers seeking unauthorised access to confidential data.

 

Searching for CILA technical material or text books?

We are currently reviewing all of the technical material that we previously published on our old website. This is part of a project to create a new online technical library for CILA members which will be launched later in 2016.

If you are a member and want to access a specific piece of technical material (which you know was previously published on our old website), you can request this by emailing . Please provide as much information as possible to assist us in locating the item.

CILA text books can still be purchased from our publishers, Witherby. Simply visit their website at http://www.witherbyinsurance.com/categories/loss-adjusting.html

The text book, Property Insurance Law and Claims, can be purchased at a discounted price of £60 if you are a CILA member. Enter the promotional code, CILA60MEMBER. Those who are entered to sit a CILA exam may purchase this book at a further discounted price of £30. Please email with your full name and details of the CILA exam/s you have entered.