Font Size: A A A

Home > Reviews > Cyber Risk and Insurance: The Legal Principles

Cyber Risk and Insurance: The Legal Principles

Author Dean Armstrong QC, Thomas Steward, Shyam Thakerar

ISBN No 9781526514134

Review date 03/07/2022

No of pages 204

Publisher Bloomsbury Professional

Publisher URL

Year of publication 27/09/2021


Cyber Risk

Our Review


£ 95, paperback; also ebook

Cyber insurance - whether in case of data loss, a ransomware attack, or a malicious hacking - 'is now a must-have for the vast majority of businesses' say the authors of a book on the legal side of cyber risks. They pose these questions: how does cyber insurance differ from more traditional insurance cover? What are the clauses to look out for, and how might you be vulnerable even if you are covered?

The book starts sensibly with the law on data protection - GDPR in a word (if that is a word?!). We're then talked through where insurance comes in with various data protection principles; and lesser known European Union directives, the PECR that covers privacy and electronic communications, and the NIS (network and information systems) regulations.

Chapters then go on to cover artificial intelligence products (such as driverless cars and the less publicised 'autonomous ships'); cyber extortion (and a cross-over with insurance products in case of business interruption more generally); responding to a cyber attack; blockchain and cyber assets such as electronic wallets; the insurance position with shipping; injunctions (in a case of fraud, or where a hacker is trying to blackmail you, going to court may be a remedy - or maybe not); exclusion clauses - such as failure to keep to security practices (see page 160); and (an example of where NIS applies) the energy sector.

Such a book for legal professionals could easily be a hard read for any other professionals. However each paragraph is numbered, like the Gospels, and dotted through the work are case studies to remind the reader of the stakes.

The book also serves to remind the reader that cyber covers just about every walk of life - intellectual property, the power grid; anyone holding or processing data, which is just about everybody.

While the cover price might be eye-watering, consider that the advice within may pay for the book many times over. For instance; you might think that double insurance - a separate cyber policy and your main policy that also covers cyber loss - might be a good idea (page 167). As the authors set out, that could lead to delays in the settling of a claim; or worse you may fall foul of 'an express exclusion clause' that an insurer is not liable if there's other insurance.

It's also worth reading this book for the insurance angle on well-known cyber security cases, such as the cyber attack on Sony Pictures Entertainment in 2014 (page 165). Namely; 'that insurers are growing increasingly hesitant to cover vast losses arising from a cyber incident', where the attacker appears to be foreign and political; in the Sony case (as was publicly alleged in the United States), North Korea.

Let's look in most detail at that common exclusion clause set by insurers, 'failure to maintain required security practices' - reasonable enough, in terms of response to risk. As the authors say, it's the sort of thing that an insurer will check on, after a claim. The authors advise that you be 'as up front as possible' before you take any policy. That way, it's harder for an insurer to argue that they were unaware of the risk.

While cyber threats may happen faster than physical world ones, and are invisible and make the attacker harder to identify, and harder for disputes to be resolved, yet insurance principles remain the same - to identify threats, risks and impacts.

Early on (page 3) the authors acknowledge that insurance is not the only answer to cyber risk. But to repeat, the 'key concepts' still apply; 'of insurable interests, proximate causes, the indemnity principle, utmost good faith, and mitigation'. This book steers you ably through such waters.

Bloomsbury Professional have also published works on cyber litigation; and blockchain. Visit