The EU’s General Data Protection Regulation comes into force in May 2018, and the deadline for transposing the Network and Information Systems Directive (already in force as of August 2016) into national legislation also expires in May 2018. Together, they mark a stricter EU regulatory framework as regards data protection, which could perhaps lead cyber insurers (there are indeed already some early relevant market indications) to seek to reduce the ambit of cover and take a tougher stance as regards claims recovery.
For example, whilst cyber policies used to have long claims notification periods, of late policies tend to require immediate notification as a condition precedent to the insurer's liability. This may prove to be an impossible task even for a “prudent uninsured”, since it may take a couple of months to notice that their PC has been hacked.
In the same context, it appears that insurers are starting to insist that certain exclusion of liability clauses be incorporated in the respective policies, for example the CL380 exclusion clause (exclusion of liability for computer hacking events). Such clauses may in essence, to a certain extent, fail to safeguard the interests insureds primarily sought to protect by getting cover in the first place.
Therefore, in view also of the recent developments and heightened sophistication in the overall cyber landscape, cyber cover should, inter alia, include property damage cover for both hardware and software, business interruption, cyber crime and reputational damage. Increased vigilance on the part of insureds as regards the ambit of cover of the respective policies is necessary, as is the knowledge that claims recovery may not always be forthcoming.