Massive Data Breaches Boost Demand for Cyber Insurance
Cyber security risks have become more significant as we store more consumer financial and health information in electronic form. Hardly a week goes…
November 27, 2017 at 06:02 PM
9 minute read
Cyber security risks have become more significant as we store more consumer financial and health information in electronic form. Hardly a week goes by without this topic in the mainstream news. As businesses and consumers become more reliant on electronic storage, there are more opportunities for cyber-attacks. Recent high-profile data breaches against companies such as Equifax, Yahoo and the WannaCry cyber-attack have led to a surge in requests for protection in the form of cyber security insurance policies. However, securing a cyber-liability policy is not simple. Insurers writing this type of coverage need to look at multiple factors to determine if it is worth the risk. For example, they need to look at the business's anti-virus and anti-malware software, the business' risk-management techniques, its physical assets, its intellectual property and even personnel. This will determine rates as each plan is not “one size fits all” and is usually specifically tailored to the business itself.
The ever-evolving landscape of cyber technology poses threats that are especially difficult to assess. It has been estimated that spending on cyber security products rose to a record $73.7 billion in 2016, but only 29 percent of U.S. businesses are insured against cyber threats. Notably, federal and state regulators are displaying an increasing interest in being seen as aggressive in this space. Emerging is an industry consensus: the greatest obstacles for effective cyber security insurance coverage are the lack of standardization and of historical numbers on which to base risk assessments.
Today, companies need coverage for costs to restore lost or corrupted data, reimbursement for loss of income from business interruption, payment of fines or penalties to regulators, costs to notify customers of a breach, costs of credit monitoring for customers whose information was compromised, liability to third parties for transmissions of malware or viruses, liability to third parties for disclosure of confidential or trade secret information, and even costs of third party vendors such as public relations firms.
However, insurers struggle to generate comprehensive policies for a nascent industry with hidden vulnerabilities. This is due in part to the lack of historical data on cyber losses, which significantly inhibits the insurers' ability to build predictive models and properly assess cyber risk. Thus, experts encourage companies to utilize their own data, third party data and other advanced technology to better mitigate potential adverse events. A company armed with these “prescriptive analytics” will have more credence at the bargaining table and craft a better fitting policy than one that merely hopes for the best.
Many experts also decry the inefficiency in this industry; insurance seekers and carriers miss each other's needs. For instance, Equifax holds a policy that would probably cover about $100 million to $150 million but its costs after the recent breach could be multiples higher than the insurance payout. With clearer, industry-wide metrics, risk and pricing would be easier to customize for each company. Some experts propose a system akin to the data available at credit bureaus for consumers relative to their credit performance. The cyber security insurance market might inch toward equilibrium with a common language by which to evaluate and compare risk, like a consumer credit score. Others say policy pricing will level off despite increasing demand because there is a tower of insurance companies involved providing financial ventilation. That might enable companies to purchase more robust coverage. Until then, the imbalance places upward pressure on policy pricing, where insurers can hike up premiums for companies with poor governance and force companies to improve their own processes.
Since these obstacles are still new, the courts must parse, on first impression, the clunky policies of yesteryear. For example, in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of Am., No. C14-1368, 2016 WL3655265 (W.D. Wash. July 8, 2016), the District Court considered whether a “social engineering” type of breach by “phishing” is covered under a company's policy. Hackers targeted the treasurer at Aqua Star USA by posing as a business partner and sharing a “new” account for the businesses' wire transfers. After the Aqua Star employee wired over seven hundred thousand dollars to the hacker, the insurer argued, and district court agreed, that the harm was not covered. The court held that the policy's computer fraud clause explicitly excluded losses for electronic data inputted by authorized employees. Because the employee cooperated with the hacker's fraud, albeit unwittingly, Travelers disclaimed coverage. On appeal, the Ninth Circuit will decide whether Travelers effectively excluded these losses from its promise to cover damage to “Property directly caused by Computer Fraud.” A heavy burden lies on insurance carriers and corporations to find each other, regardless of how this case is decided.
Brian S. Kabateck is the founding and managing partner of Kabateck Brown Kellner, LLP. His expertise is in the areas of personal injury, insurance bad faith, pharmaceutical litigation, wrongful death, class action, mass torts and disaster litigation. Attorney Joana Fang is an associate with Kabateck Brown Kellner, handling a wide range of cases for KBK including consumer class actions, personal injury, wrongful death and insurance bad faith claims.
Cyber security risks have become more significant as we store more consumer financial and health information in electronic form. Hardly a week goes by without this topic in the mainstream news. As businesses and consumers become more reliant on electronic storage, there are more opportunities for cyber-attacks. Recent high-profile data breaches against companies such as Equifax, Yahoo and the WannaCry cyber-attack have led to a surge in requests for protection in the form of cyber security insurance policies. However, securing a cyber-liability policy is not simple. Insurers writing this type of coverage need to look at multiple factors to determine if it is worth the risk. For example, they need to look at the business's anti-virus and anti-malware software, the business' risk-management techniques, its physical assets, its intellectual property and even personnel. This will determine rates as each plan is not “one size fits all” and is usually specifically tailored to the business itself.
The ever-evolving landscape of cyber technology poses threats that are especially difficult to assess. It has been estimated that spending on cyber security products rose to a record $73.7 billion in 2016, but only 29 percent of U.S. businesses are insured against cyber threats. Notably, federal and state regulators are displaying an increasing interest in being seen as aggressive in this space. Emerging is an industry consensus: the greatest obstacles for effective cyber security insurance coverage are the lack of standardization and of historical numbers on which to base risk assessments.
Today, companies need coverage for costs to restore lost or corrupted data, reimbursement for loss of income from business interruption, payment of fines or penalties to regulators, costs to notify customers of a breach, costs of credit monitoring for customers whose information was compromised, liability to third parties for transmissions of malware or viruses, liability to third parties for disclosure of confidential or trade secret information, and even costs of third party vendors such as public relations firms.
However, insurers struggle to generate comprehensive policies for a nascent industry with hidden vulnerabilities. This is due in part to the lack of historical data on cyber losses, which significantly inhibits the insurers' ability to build predictive models and properly assess cyber risk. Thus, experts encourage companies to utilize their own data, third party data and other advanced technology to better mitigate potential adverse events. A company armed with these “prescriptive analytics” will have more credence at the bargaining table and craft a better fitting policy than one that merely hopes for the best.
Many experts also decry the inefficiency in this industry; insurance seekers and carriers miss each other's needs. For instance, Equifax holds a policy that would probably cover about $100 million to $150 million but its costs after the recent breach could be multiples higher than the insurance payout. With clearer, industry-wide metrics, risk and pricing would be easier to customize for each company. Some experts propose a system akin to the data available at credit bureaus for consumers relative to their credit performance. The cyber security insurance market might inch toward equilibrium with a common language by which to evaluate and compare risk, like a consumer credit score. Others say policy pricing will level off despite increasing demand because there is a tower of insurance companies involved providing financial ventilation. That might enable companies to purchase more robust coverage. Until then, the imbalance places upward pressure on policy pricing, where insurers can hike up premiums for companies with poor governance and force companies to improve their own processes.
Since these obstacles are still new, the courts must parse, on first impression, the clunky policies of yesteryear. For example, in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of Am., No. C14-1368, 2016 WL3655265 (W.D. Wash. July 8, 2016), the District Court considered whether a “social engineering” type of breach by “phishing” is covered under a company's policy. Hackers targeted the treasurer at Aqua Star USA by posing as a business partner and sharing a “new” account for the businesses' wire transfers. After the Aqua Star employee wired over seven hundred thousand dollars to the hacker, the insurer argued, and district court agreed, that the harm was not covered. The court held that the policy's computer fraud clause explicitly excluded losses for electronic data inputted by authorized employees. Because the employee cooperated with the hacker's fraud, albeit unwittingly, Travelers disclaimed coverage. On appeal, the Ninth Circuit will decide whether Travelers effectively excluded these losses from its promise to cover damage to “Property directly caused by Computer Fraud.” A heavy burden lies on insurance carriers and corporations to find each other, regardless of how this case is decided.
Brian S. Kabateck is the founding and managing partner of
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAs AI-Generated Fraud Rises, Financial Companies Face a Long Cybersecurity Battle
AI Adoption, Data Center Building Boom Opening More Doors for Cybercriminals, Many of Them Teenagers
Less Is More: The Risks of Excessive Data Collection from Mobile Devices
6 minute readTrending Stories
- 1Decision of the Day: Judge Reduces $287M Jury Verdict Against Harley-Davidson in Wrongful Death Suit
- 2Kirkland to Covington: 2024's International Chart Toppers and Award Winners
- 3Decision of the Day: Judge Denies Summary Judgment Motions in Suit by Runner Injured in Brooklyn Bridge Park
- 4KISS, Profit Motive and Foreign Currency Contracts
- 512 Days of … Web Analytics
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250