Cyber-Insurance Takes Off
In the realm of cyber-security, the insurance industry has generally been reactive. However, recent data breaches with far-reaching implications are forcing insurers and insureds alike to take proactive measures to minimize potential damages. The need for such insurance is clear. Target is still reeling from a breach that leaked information about 40 million credit cards. A similar hack to Michaels affected 4 million people. On a larger scale, the Verizon 2014 Data Breach Report revealed that in 2013, there were 1,367 data breaches (an incident that results in the disclosure or potential disclosure of data) and 64,437 security incidents (an event that compromises the integrity or confidentiality of an information asset) spanning 95 countries. (1) Even the United States federal government recently published a report highlighting their need to better address cyber attacks. (2) In light of these stark facts, Reuters recently reported that many Fortune 500 companies are hiring expensive “cyber security experts” to potentially deal with the problem before it arises. (3) Ultimately, however, it becomes a matter of when, not if. The current consensus, as put succinctly by FBI Director Robert Mueller, is that “there are only two types of companies: those that have been hacked and those that will be.” (4)
Mr. Mueller’s point has been well taken; as the risk of a cyber breach has grown, the insurance industry has responded. Instead of relying on old commercial general liability (CGL) policies to cover data loss, underwriters are creating new types of cyber-insurance policies, varied both in scope and types of coverage. A 2013 study by the Ponemon Institute revealed that only 31% of respondents had in place a cyber security insurance policy. However, among the companies that do not have one in place, 57% said they would purchase one in the near future. (5) According to the 2013 Betterly Report, no cyber insurance carrier from the previous year’s survey reported negative growth, nor did any carrier report growth of less than 10%. Some of the bigger players reported growth ranging from 25% to over 100%. (6) Today, about 50 carriers offer some type of cyber-specific coverage. This growth has led the New York Times to call cyber insurance the “fastest growing niche in the [insurance] industry today.” (7)
The extent and cost of a data breach can vary wildly, depending on the nature of the information and number of people affected. However, the costs can quickly and easily skyrocket to millions of dollars. According to the Ponemon Institute study, the average organizational cost for a single data breach is $5,403,644, with $565,020 of that being spent on customer notification alone. Those costs include forensic investigations, credit monitoring, notifying the customers of the breach, fixing the breach, and defending against statutory, common-law and regulatory liability claims brought by the Federal Trade Commission and the Federal Communications Commission. True to the nature of the problem, cyber hacking is not unique to the United States. In a stark example that shows both the international breadth of cyber hacking, and the need for small business coverage, the British Pregnancy Advisory Service, a charitable organization within the United Kingdom which runs abortion clinics and provides information on family management, was recently fined £200,000 after an anti-abortion hacker was able to access the personal information of women seeking advice. (8) On the other side of the globe, Allianz estimates that cyber crime costs the Australian economy $1 billion annually. (9)
Zurich and the Changing Landscape of Cyber Insurance
While the stakes remain high, one would think that the extent to which coverage will be afforded to such cyber losses is well defined. Unfortunately, that is not the case. For example, while a typical CGL policy provides distinct coverages – Coverage A (bodily injury and property damage liability), Coverage B (personal and advertising liability), and Coverage C (medical payments) – the notion of cyber-security would seemingly only be applicable to Coverage B claims. That is to say that a data breach would only affect a company’s liability insofar as a person’s privacy and information were published. Indeed, this is the factual basis for countless other data breach claims, such as the infamous Target breach of 2013, and most recently the case described in a New York Supreme Court decision styled Zurich American Insurance Co. v. Sony Corp. of America et al. (“Zurich”). (10)
Yet, Coverage B was found not to afford coverage for the loss in Zurich. In a February 2014 bench ruling, Justice Jeffrey K. Oing ruled that Sony was not covered by Zurich for litigation arising out of the April 2011 hacking of Sony’s Playstation systems, finding specifically that under Coverage B of the commercial general liability (CGL) policy, the acts of third-party hackers did not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy.” While holding that the breach did constitute a “publication,” the court refused to expand Zurich’s liability by holding that the term “in any manner” does not include the acts of third party-hackers.
As Zurich indicates, it is imperative for companies to stay ahead of the game when it comes to insuring their potential liabilities and difficult to foretell the extent to which coverage may exist for potential cyber liabilities; the risk in relying upon traditional CGL policies for coverage of data breach claims would appear to be significant. Given the ever-changing landscape of cyber-insurance law, companies that once derived comfort from their umbrella policies are seeking greater security by turning to specifically tailored cyber liability coverage.
Courts in other jurisdictions have found that there is coverage under a CGL policy for data breach and disclosure of private information claims. See, e.g. Netscape Communications Corp. v. Federal Ins. Co. 343 Fed.Appx. 271 (9th Cir. 2009; Tamm v. Hartford Fire Ins. Co., 16 Mass.L.Rptr. 535, 2003 Mass. Super. LEXIS 214 (Mass. Super. Ct. 2003). While many commentators have debated the Zurich ruling itself, citing these cases and the legal arguments surrounding the wording of the policy and its applicability to cyber-data breaches, the Zurich’s holding may be moot.
Indeed, the common CGL policy (as issued by the Insurance Services Office (ISO), which drafts standard form language) changed this year. The new exclusions are specifically tailored to a cyber liability claims context, excluding coverage for the:
“disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”
Of course, changing the CGL policy creates its own set of issues. Firstly, traditional privacy claims covered under a CGL policy may be excluded as well. For litigation that predated the new exclusions, policyholders may argue that the addition of this new exclusionary language necessarily means that the old CGL forms would have covered cyber liability.
Cyber Insurance: A Context-Specific Venture
However, the main reason Zurich’s holding will be irrelevant is the previously cited increase in cyber-specific policies that are being purchased in order to mitigate any potential liability stemming from these breaches. The existence of cyber-security insurance, however, by no means indicates a “one size fits all” mentality, as the general CGL policies might have indicated. Rather, quite the opposite is true; companies require very specific tailored policies based on their individual risk profile and needs. Most cyber insurance generally falls into one of three categories: liability, remediation, and fines and/or penalties. To the extent that companies are buying cyber insurance, they are buying it differently.
For the insured, it comes down to the question of “what types of risk are we concerned about?” For example, asset managers who generally hold less personal information than other companies like Target may not be inclined to consider broader types of cyber-insurance. While many policies cover public relations, business interruption, and crisis management expenses, this generally does not cover the cost of future business lost from the breach as a result of loss in consumer confidence. For smaller or newer companies, this could be a life-or-death issue.
Relatedly, in terms of cyber espionage (which makes up approximately 25% of data thieves according to the 2014 Verizon Report), it may be exceedingly difficult to determine the extent of a breach or even the identity of the hacker. From the insurance standpoint, it becomes nearly impossible to put a dollar value on a drop in market share that results from the suspected theft of proprietary information when little is known about what was taken. This is especially true of smaller companies in Silicon Valley, for instance, whose intellectual property is the heart of their businesses.
In fact, while the current crop of insureds covered by cyber insurance consists of large companies, the small and middle market will soon emerge as prime candidates for coverage. Companies in this segment may not necessarily think they are targets. However, as these smaller companies increase their online financial presence (51% of small and medium-sized business transferred funds online in 2012, up 6% from 2011), their risk grows. (11) For these companies, the risk lies more so in data loss than in potential exposure to lawsuits over data theft. Just over four years ago, Gartner published a study in which the company found that 94% of companies that suffered a major data loss went out of business within two years. (12) Additionally, smaller companies face many unique challenges based on their lack of resources. These companies are less likely to have secure computer systems, making them more prone to an attack.
The 2013 Betterly Report concluded the annual gross written premium in the cyber risk market is approximately $1.3 billion, an increase from the $1 billion in the previous year. Per company, however, the amounts can vary greatly. In addition to market share considerations, cyber underwriters will evaluate the policies and procedures in place to handle such any breach to determine the premiums. Other considerations will include security budgets, current security controls, the type and amount of records held, and the total transaction value. Insurers may also be more hesitant to cover insureds whose information and data is hosted in a cloud-based computing system, in which case a deeper investigation into the identity of the cloud provider and how it would handle a cyber breach would be required.
As more companies suffer security breaches, insurers are also becoming keenly aware of the type and cost of response needed to handle a given situation. Thus, much like better automobile drivers pay lower premiums, the insured companies have incentives to minimize risk and cost of a security breach. And just as insurers expect their insureds to wear seatbelts and have working smoke detectors, many carriers also require companies to have certain cyber-protection in place before even offering a policy.
The Next Frontier: Insuring for Property Damage and Bodily Liability
What the vast majority of these plans do not cover, however, are claims for property damage or bodily injury. Recall that Zurich, and the new ISO CGL policy, focused on Coverage B, Personal and Advertising Liability coverage. This made sense, as the cyber claims focused on data breaches, privacy intrusions, stolen credit card information, etc. Until very recently, no one acknowledged the potential for Coverage A, Bodily Injury and Property Damage Liability, cyber claims. However, consider the amount of infrastructure that is now being operated on cyber platforms. Power plants, dams, traffic lights, home security systems, and even heart rate monitors are now all potential targets for a cyber attack. The maritime industry in particular is concerned with the potential for their computer systems malfunctioning, whether accidentally or through hackers, as they continue to acclimate their navigational and other operational equipment to the cyber world. (13)
The next frontier, it seems, is to create coverage that is broader than business interruption and privacy claims to include bodily injury and property damage. This concept was recently introduced by American International Group (AIG). Their expanded cyber insurance is the first such cyber insurance policy to cover bodily injury and property damage. It is called CyberEdge PC, and it addresses coverage caps in property, casualty energy, aerospace, marine, environmental, healthcare, and financial lines policies. (14) Even more recently, Marsh L.L.P. has rolled out a product called Cyber Gap Insurance. Citing the increasing concern over data breaches creating fire, explosion, or machinery damage that would not be covered, Cyber Gap Insurance indemnifies the insured in the event that indemnification under the normal property insurance excludes cyber risks. (15)
It remains to be seen if other insurers or brokers will follow suit. While it is certainly too soon to evaluate the effectiveness of such cyber coverage, one thing is clear: as costs for cyber security breaches continue to grow, the insurance industry appears poised to evolve and adapt to meet the increasing complexities brought on by these incidents.
*Originally published at: www.internationallawoffice.com/newsletters/detail.aspx?r=29799
1 Verizon, 2014 Data Breach Investigations Report, available at http://www.verizonenterprise.com/DBIR/2014/.
2 Government Accountability Office, Information Security: Agencies Need to Improve Cyber Incident Response Practices, available at http://www.gao.gov/products/GAO-14-354.
3 Peter Apps, Reuters, REFILE-Upsurge In Hacking Makes Customer Data a Corporate Time Bomb, available at http://www.reuters.com/article/2014/06/09/technology-cybersecurity-idUSL6N0ON0RF20140609.
4 Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA, available at http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.
5 Ponemon Institute, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, August 2013, available at http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=2&cad=rja&uact=8&ved=0CCcQFjAB&url=http%3A%2F%2Fassets.fiercemarkets.com%2Fpublic%2Fnewsletter%2Ffiercehealthit%2Fexperian-ponemonreport.pdf&ei=RTLFU_HhJM69oQSGuoKoDA&usg=AFQjCNEgvmIAyC5e2FPJZm8sgK8Zt13Lug&sig2=kJkJFsoXTR-LlGBkZxG1aA&bvm=bv.70810081,d.cGU
6 The Betterly Report, Cyber/Privacy Insurance Market Survey – 2013, available at betterley.com/samples/cpims13_nt.pdf
7 Nicole Perlroth and Elizabeth A. Harris, The New York Times, Cyberattack Insurance a Challenge for Business, available at http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html?_r=0.
8 John Leyden, The Register, British Pregnancy Advice Service Fined £200k for Anon Hack, Data Protection Breaches:
Charity Slapped by ICO for Insecure User Info Storage, available at
http://www.theregister.co.uk/2014/03/07/bpas_fined_big_over_hacker_breach/.
9 Allianz, Allianz Launches Cyber Risk Insurance Product, available at
http://www.allianz.com.au/media/news/2014/allianz-launches-cyber-risk-insurance-product.
10 Zurich American Insurance Company v. Sony Corporation of America, et al.,
Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).
11 Insurance Journal, Hiscox Adds Cyber Crime Protection for Small, Medium-Sized Businesses, available at http://www.insurancejournal.com/news/national/2013/09/11/304838.htm.
12 Jeff Johnson, Nation’s Building News, Back Up Your Company Data – Before It’s Too Late, available at
http://www.nbnnews.com/NBN/issues/2005-04-25/Business+Management/index.html.
13 Judy Greenwald, Marine sector faces cyber risks as navigation systems shift to digital world, Business Insurance,
available at
http://www.businessinsurance.com/article/20140511/NEWS07/305119974?tags=%7C299%7C312%7C76%7C303
14 Wall Street Journal, AIG Expands Cyber Coverage to Include Physical Risks Posed by Cyber Attacks, Security Failures, available at http://online.wsj.com/article/PR-CO-20140423-912263.html.
15 Sarah Veysey, Business Insurance, Marsh Cyber Coverage Includes Fires, Explosions, Machinery Breakdowns, available at http://www.businessinsurance.com/article/20140623/NEWS07/140629962?tags
=%7C59%7C338%7C299%7C310%7C329%7C340%7C303