Date: Thursday, November 12th, 2020 by Michaela Hickson.
Digital transformation creates significant opportunities for innovation, efficiency, and productivity for businesses. However, emerging technologies bring with them digital security and privacy-breach risks. Data theft and cyber-attacks are major threats for corporations and organizations.
Unfortunately, most organizations and corporations do not have sufficient protection to prevent data breaches, or to comply with privacy laws, in the face of these evolving threats.
According to Verizon's Data Breach Investigations Report, 3,950 data breaches occurred across 16 different industries in 2020. Most of these breaches were perpetrated by external actors and organized criminal groups, and 86% of them were financially motivated[1].
In this article, we aim to explain (i) the risks associated with cyber-attacks and (ii) cyber insurance products as a method of protection against these risks.
Cyber insurance is an insurance product designed to provide coverage for policyholders in order to hedge against the potential effects of cyber-attacks such as malware, ransomware, phishing, denial-of-service attacks, infected drives, unauthorized access to computer systems by third parties, or any other method used to compromise a network and/or sensitive data.
Insured risks fall into first-party loss (loss to the insured's own assets) and third-party liability (claims by others, such as customers) arising from data breach events, network interruption, privacy violations and cyber-attacks.
The most common cyber insurance coverages are (i) network interruption and loss of income, (ii) cyber extortion and ransom expenses, (iii) rectification of computer system damage, (iv) incident response expenses, (v) regulatory fines and penalties, only where insurable by law, (vi) privacy and network security liability and (vii) compensation and defense costs arising from claims brought by affected customers under confidentiality obligations.
These are only the most common coverages; cyber insurance coverage is not limited to those stated above and may vary according to the content of the insurance policy.
Below you may find a brief explanation of the most typical coverages divided under two categories as (a) first-party loss coverage and (b) third-party liability coverage:
Typical First-Party Loss Coverages
Typical Third-Party Loss Coverages
The main piece of insurance legislation under Turkish law is the Turkish Commercial Code[4] (the "TCC"). Under the TCC, non-life insurance is divided into two types: (i) property insurance and (ii) liability insurance. One of the principal bases for this division is the party who suffers the loss, which may be the first party or a third party.
That being said, certain types of insurance are generally governed by specific communiqués under the Turkish legal system. However, as of the date hereof, there is no communiqué or other regulation that specifically addresses cyber insurance. It must therefore be treated as an insurance contract that may be concluded by and between the insurer and the policyholder under the freedom-of-contract principle.
Subject to the content of the policy, cyber insurance may cover both first-party and third-party losses; the applicable legislation must therefore be determined on a case-by-case basis, according to the claim and the party who suffers the loss.
The current lack of legislation may be a business-generating opportunity for experienced reinsurers, but from a legal standpoint it brings uncertainty and creates grey areas in interpretation and implementation. Below we list some of those grey areas under Turkish law relating to cyber insurance.
We note that in certain foreign insurance markets, losses arising out of administrative fines, penalties or sanctions imposed by a regulatory governmental body because of a privacy breach may be insurable. Following such coverages, similar insurance coverage for data privacy fines is now being marketed in Turkey too. However, it is not as simple as it sounds.
Pursuant to Article 1404 of the TCC, any insurance designed to cover a loss that may arise out of the policyholder's own actions that violate the personal rights of others and contravene (i) mandatory provisions of law, (ii) public policy or (iii) morality shall be deemed invalid.
Under Turkish law, administrative fines serve the integrity of the legal system and may only be imposed to safeguard public policy and to protect society's well-being[5]. In particular, the Turkish Data Privacy Authority[6] (the "DPA") may only impose administrative fines to protect the right to privacy guaranteed by the Constitution of the Republic of Turkey.
From a public policy perspective, administrative fines have a deterrent purpose, and any insurance against regulatory fines can be seen as a tool that encourages violations. The insurability of regulatory fines, and whether such cover falls within the scope of invalid insurance, is therefore a matter of debate that should be evaluated from many perspectives. For instance, a business owner who wishes to purchase cyber insurance against privacy-related regulatory fines instead of complying with other costly cyber-security requirements (such as encryption, anti-phishing measures, data segmentation, systematic data deletion, etc.), while continuing to violate data protection legislation in order to maximize sales, should bear in mind that the insurance may be invalid and may therefore not provide the protection desired.
On the other hand, policyholders may still face cyber-attacks even when all necessary precautions have been duly taken: in recent months, the Twitter accounts of Barack Obama, Elon Musk, Bill Gates and Jeff Bezos were hacked by a 17-year-old, resulting in approximately USD 100,000 of ransom[7].
In light of the above, the validity of regulatory fine insurance under a cyber policy must be determined on a case-by-case basis, considering many aspects such as (i) adequate training of personnel, (ii) compliance with mandatory data privacy regulations, (iii) existing cyber security measures, (iv) compliance with disclosure requirements to the insurer, and many others. The insurability of privacy-related regulatory fines remains a grey area in Turkey due to the lack of legislation and because it has not yet been tested in the Turkish courts.
Cyber insurance generally includes both property insurance coverages and liability insurance coverages. According to Article 52 of the Turkish Law of Obligations[8], the liability insurance indemnity is subject to pro rata apportionment for the contributory negligence of the policyholder, which can broadly be defined as behavior that contributes to one's own damage or loss and fails to meet the standard of prudence for one's own well-being.
Accordingly, if the policyholder does not take and maintain the technical measures required to protect itself from cyber-attacks, the liability insurance indemnity may be reduced by apportionment for contributory negligence, or may not be paid to the policyholder at all.
That being said, policyholders should maintain many other protections against cyber-attacks in addition to cyber insurance, such as (i) an authority matrix and network security, (ii) access logging, (iii) access policies, (iv) information security, (v) storage and destruction policies, (vi) firewalls and anti-virus programs, (vii) penetration tests, and many more, all of which must be regulated under data storage policies in accordance with applicable Turkish regulations.
Cyber insurance is a rather new insurance product and offers very sophisticated protection against cyber-attacks. However, some traditional policies, mostly property policies and in certain cases liability policies, include coverages that already insure cyber-related losses. For example, a commercial package insurance policy ("CPP") may insure the policyholder's computers and related hardware and/or software against damage. In the event of a cyber-attack, this hardware and/or software may require repair and/or replacement, and if there is no cyber exclusion under the policy, the traditional policy will most likely pay the same indemnity without any additional premium.
At the same time, these traditional policies do not provide effective protection against cyber-attacks, since the only protection would generally be for hardware and/or software losses, not for data, crisis management costs, privacy breach compensation and the like. This is therefore a matter that both insurers and policyholders must address prudently.
This problem is also known as "silent cyber" and is a developing technical matter of policy wording that underwriters must be aware of. It is therefore generally advised that traditional policies be revised in light of developing products and include certain exclusions, such as for cyber-related losses.
Cyber terrorism related losses coverage can be subject to exclusions under a cyber insurance policy.
According to the NY Times, some US insurers denied more than USD 700,000,000 in claims from various policyholders for the 2017 cyber-attacks in Ukraine, on the basis that those attacks were defined as cyber-terrorism rather than ordinary cyber-attacks[9]. In other words, the interpretation of a single word resulted in more than USD 700 million of losses.
Cyber terrorism has not been defined under Turkish legislation, and such an exclusion may therefore create a significant grey area. In that case, in the absence of a specific definition, other legislation must be consulted, such as the Anti-terrorism Law[10], which defines the term "terrorism"[11]. In any case, it is safe to assume that this is not a discussion policyholders would be happy to be part of.
We therefore strongly advise that cyber insurance policies be drafted with extreme caution in order to prevent future complications.
Very recently, US, UK and Canadian security officials issued a warning that a cyber-attack was being carried out by a Russian hacker group against organizations involved in the development of a coronavirus vaccine[12].
There are and will be many other examples like these. Although cyber-attacks are nearly impossible to predict, taking protective measures and reducing the resulting damage is possible. According to the Data Breach Report 2020 prepared by IBM Security, the average cost of a data breach is USD 3.86 million, and it takes 280 days to identify and contain such a breach[13].
It is clear that cyber-attacks are extremely dangerous and can be devastating. That being said, the summer of 2020 has been a busy period, with several notable cyber-attacks in Turkey all over the news.
Below you may find a brief list of publicly known cyber-attacks in Turkey lately:
Evolving technology makes our lives and business processes easier, and we are generally all very happy about it as long as it is effective and productive. However, the risks associated with such technological developments cannot be ignored.
Cyber insurance can be a solution for minimizing the consequences of a potential cyber-attack. However, it is crucial to purchase effective coverage in order to limit the costly risks associated with disputes and legal proceedings.
On the other hand, insurers must consider many other factors, along with cyber and data privacy legislation, in order to realize the full potential of cyber insurance products as sustainable solutions.
The combination of all these factors is shaping a very interesting future for the cyber insurance market, which we are very happy to be a part of from a Turkish law standpoint.
[1] https://enterprise.verizon.com/resources/reports/dbir/
[2] Inability to access the computer system due to unauthorized attacks or deliberate overloading of bandwidth connections and/or web servers by means of the sending of substantial quantities of repeated or irrelevant communications or data with the intent of blocking access to your computer system.
[3] Demanding monies (including crypto-currencies) by communicating or proving the intent to (a) release, divulge, disseminate, destroy or use confidential or proprietary information, or personally identifiable information, stored on your computer system; (b) alter, corrupt, damage, manipulate, misappropriate, delete, or destroy data, instructions, or any electronic information transmitted or stored on your computer system; (c) conduct a denial of service attack; or (d) introduce an unauthorized computer virus or other material for the purpose of denying authorized users access to your computer system.
[4] Turkish Commercial Code no. 6102, published in the Official Gazette dated 13/01/2011 and numbered 27846.
[5] Article 1 of the Turkish Misdemeanors Law no. 5326, published in the Official Gazette dated 31/03/2005 and numbered 25772.
[6] The competent regulatory body in Turkey to impose administrative fines in case of a privacy breach, as defined under the Turkish Data Protection Law no. 6698, published in the Official Gazette dated 07/04/2016 and numbered 29677.
[7] https://www.businessinsider.com/elon-musk-bill-gates-twitter-hacked-bitcoin-crypto-giveaway-scam-2020-7
[8] Turkish Law of Obligations no. 6098, published in the Official Gazette dated 11/01/2011 and numbered 27836.
[9] https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
[10] Article 3 Paragraph 5 of the Turkish Anti-terror Law no. 3713, published in the Official Gazette dated 12/04/1991 and numbered 20843.
[11] Any criminal act committed by a person or persons belonging to an organization, using force and violence, by one of the methods of coercion, intimidation or threat, in order to change the characteristics of the Republic or the political, legal, social, secular or economic order specified in the Constitution, to disrupt the indivisible integrity of the State with its country and nation, to endanger the existence of the Turkish State and the Republic, to undermine, demolish or seize the authority of the State, to destroy fundamental rights and freedoms, to disturb the internal and external security of the State, or to disrupt public order or general health.
[12] https://edition.cnn.com/2020/07/16/politics/russia-cyberattack-covid-vaccine-research/index.html
[13] https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf
[14] https://www.haberturk.com/son-dakika-penti-ye-siber-saldiri-2764664-teknoloji
[15] https://www.milliyet.com.tr/ekonomi/e-bebek-geri-dondu-6257798
[16] https://www.hurriyet.com.tr/teknoloji/e-bebek-hack-olayini-dogruladi-iste-ilk-aciklamalar-41559382
[17] https://www.superhaber.tv/son-dakika-haber-kariyernet-hacklendi-haber-293810
Our vision and focus is to use the strength and depth of our company to help our clients reduce the time and money they spend on managing risk. If you need a global group of legal advisers, delivering a creative, commercial and specialist service, talk to Global Insurance Law Connect today.