Insurers may be able to reject claims arising out of malicious acts by employees

Cyber

Cyber insurance policies may be worthless if company data is hacked by disgruntled employees, according to lawyers.

Unless the policy specifically covers employee actions, insurers may decide not to pay out on claims, according to Manoj Vaghela of law firm Pinsent Masons.

“In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees,” Vaghela said.

Cyber and data protection policies generally cover first and third party liabilities in the event that anything happens to that data, but they may not cover deliberate or criminal behaviour by an employee, he said.

“As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees,” Vaghela said.

According to Vaghela, most policies contain a specific exclusion for deliberate, intentional or criminal acts by the insured.

“Whether this will also apply in cases involving a malicious insider will generally depend on the wording of the exclusion itself,” he said.