Legal requirements for data protection and IT security have an impact on cyber insurance
21. February 2024

For the first time since presenting them in 2017, the German Insurance Association (GdV) has amended its non-binding basic recommendations in the model terms and conditions for cyber risk insurance. The GdV is thus responding to the new legal and practical requirements in connection with the use of information technology.

The working environment has changed technically and software applications have been moved to the cloud, and not only due to the increased use of home offices. In the opinion of the GdV, these shifts and technical developments would require an adjustment to the insurance conditions in order to include damage to external service providers that was previously excluded. In addition, regulations such as the General Data Protection Regulation (GDPR) have created new claims for damages in the event of data leaks.

The updated non-binding recommendations relate in particular to the following legal areas:

  • #GDPR: The new version now takes into account the provisions of the GDPR, which grants data subjects a right to compensation in the event of data leaks.
  • #Homeoffice: It is clarified that remote access to company IT should also be insured in order to take account of the new ways of working.
  • #IT security: The obligations of insured companies have been reformulated to reflect the current state of technology and improve understanding. The basis for an appropriate level of IT security remains familiar measures such as regular data backups, strong passwords, virus scanners and firewalls.
  • #External_service_providers: The new version largely removes the exclusion of damage to external service providers (e.g. cloud providers, SaaS) and grants insurance cover for certain scenarios such as data manipulation, infection with malware or unauthorized access.
  • #Protection against war and state attacks: It is clarified that war within the meaning of the terms and conditions does not necessarily require the use of physical armed force. Damage caused by acts of war, including digital attacks, is excluded. Damage caused by state cyber attacks is also explicitly excluded.

These consequences for the insurance industry can also be transferred to other areas: the rapid pace of technological development requires a wide range of adjustments to companies’ general legal transactions.


WR Legal Weßling Rinnert Neven Arndt Biemann Partnerschaft von Rechtsanwälten mbB
Niederkasseler Lohweg 18 | 40547 Düsseldorf