German Financial Supervisory Authority Allows Coverage Of Ransom Payments In Cyber Policies

Author: Dr. Henning Schaloske and Kathrin Feldmann
Profession: Clyde & Co

In the September 2017 edition of its monthly journal, the German Financial Supervisory Authority (BaFin) published a statement on the insurability of cyber extortion payments. BaFin decided to allow coverage for cyber extortion payments in combination with general cyber policies. Following this clarification, there is legal certainty that, from now on, cyber extortion payments can be covered under cyber policies.

In the past, cyber extortion payments were subject to the general BaFin provisions on the insurability of kidnap and ransom insurance (K&R). Until 1998, K&R insurance was inadmissible because of the German regulator's strict approach, which held that insuring K&R claims would foster the risk of kidnapping and would therefore violate public policy. While none of the BaFin publications on this subject are technically legally binding, they can be regarded as a clear indication of the regulator's expectations. Moreover, such publications will usually constitute a self-commitment of BaFin, with the effect that BaFin has to treat similar cases alike.

In 1998, BaFin changed its opinion by publishing a circular letter stating that, under certain conditions, the provision of product extortion and ransom insurance does not violate public policy. However, BaFin still considered K&R insurance admissible only under strict requirements, such as: no combination with other coverage; no advertisements; a contract term not exceeding one year; and confidentiality as regards coverage (no more than three persons may be informed). BaFin has adjusted the requirements for K&R insurance three times since the circular letter was published. In 2000, BaFin stated that a separate K&R license was no longer required and, since 2008, it has accepted automatic policy renewals as admissible under certain circumstances. In 2014, BaFin stated that in certain scenarios more than three persons may be informed about the K&R policy, but also stressed that the other strict requirements for K&R insurance would remain applicable.

Following these strict requirements also for cyber insurance purposes...
