Mactavish has challenged the Association of British Insurers and insurance providers to guarantee that flaws it says it has identified in cyber policies will never be used to block claims payments.

Chief executive officer at Mactavish, Bruce Hepburn has said some insurers and brokers were quick to denounce the consultancy’s findings in “dozens of ‘off-the-shelf’ cyber insurance policies”.

“We are challenging them to state publicly that they will never use the flaws we identified as the basis to turn down claims,” he added.

“These flaws are a consequence of the immaturity of the specialist cyber insurance market. But this is a rapidly expanding market and it is essential that the industry addresses these issues if the available policies are to meet the needs of companies seeking cover.”

Responding to Hepburn's criticism of the market, partner and head of cyber broking at JLT Specialty, Jack Lyons said tarring all the solutions in the marketplace with the same brush or labelling all cyber cover as flawed is both "inaccurate and highly misleading".

"It is true that cyber insurance products tend to be rather complex, which reflects the reality that cyber risks are themselves complex and ever-changing.

"The many intricacies surrounding cyber insurance policies require clients to appoint specialist brokers who understand the realities of cyber risk and are therefore able to disclose to clients the limitations of their policies, and to request subsequent amendments," he said.

Lyons added that JLT's cyber team includes legal advocates and uses their expertise and experience to ensure each policy is fit-for-purpose and up to date. "We continue to lead the market in ensuring best-of-breed risk management solutions are in place for clients," he said.

The eight flaws were outlined in the Mactavish Cyber Risk & Insurance Report, published in November. They include:

1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions

2. Data breach costs can be limited – eg. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice)

3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted

4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded

5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems

6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond

7. Notification requirements are often complex and onerous

8. Businesses are forced to choose IT, legal or PR specialists appointed by their insurer.

Share Story: