The Ever-Evolving Nature of Cyber Coverage
To understand the current state of network security and privacy (cyber) coverage, it is helpful to have an understanding of the development and some of the major milestones which helped shape the coverage.
The first cyber policy was written in 1997 through AIG by Steve Haase, an agent who was recently awarded the “Advisen Cyber Legend Award.” Though groundbreaking as the first to address cyber security, it was a third party liability policy only and was basically a “hacker policy.”
Other very early entrants in writing cyber policies include Safeonline, CIGNA, Marsh and others. In the subsequent 17 years, internet use has grown from 1.7 percent of the global population in 1997 to an amazing 40 percent of the global population in 2014 resulting in dramatic changes since the first cyber insurance policy was written.
Currently, the total premium for cyber liability at year-end 2014 is projected to be nearly $2 billion. More than 60 carriers now offer stand-alone cyber policies and more are entering the market all the time. Many experts in this new field have appeared at the carrier, broker and wholesale levels. Experts are needed as each market/carrier has its own form with its own nuances and idiosyncrasies. Definitions for the same words differ on each policy form as do exclusions, terms and conditions.
Early Developments
In 1997, the original policies covered only third party suits arising from breaches originating from outside the company. However, studies at the time showed that over half of all data breaches originated from inside the company from rogue and disgruntled employees. The markets offering coverage at that time responded by broadening coverage to cover loss to the entity, but coverage for loss from the malicious employee was excluded.
This distinction is typically addressed in the definition of employee, which includes wording such as: “Employee means any individual whose labor or service is engaged by and directed by the insured.” Because it is unlikely that an insured would direct an employee to engage in breaching their own system, the employee acting outside the scope of their employment would not be an insured under the policy.
Early malicious individuals were not only attacking networks but many were also gathering information in paper form. The common term for this practice was “dumpster diving.”
It became evident that if insurance policies were to cover sensitive information, they needed to be expanded to include exposures beyond the virtual world of electronic information and cover “real” world losses of information in paper form as well. The change in policies from only electronic to include paper resulted in network security and privacy policies. This small change is a large expansion in the scope of coverage. The inclusion of complete electronic and paper files make cyber policies true security and privacy liability policies.
Another early development of the new cyber product was coverage for business interruption. Recent research shows that due to the waiting periods required — eight hours in most cases — these coverages have not had much loss activity. In many cases during a network outage due to a breach event, the company quickly reverts to manual systems as a stop gap measure to continue operating.
Therefore, the actual business interruption loss is primarily a delay in revenues as opposed to a true loss of income. For instance, just because a hospital system is down, someone with a broken leg or a gunshot wound does not have to wait for treatment until the system is back up. Typically, all the procedures are manually recorded and then input later. In the case of online retailers, if their site is inoperative, many consumers will just wait until it is functional again or use an alternate form of communication such as calling in an order.
Early in the cyber product development cycle data restoration coverage could be included in the policy. This coverage has seen little loss activity because nearly all systems are backed up daily and restoration constitutes reinstalling the data from the day before and recapturing the data lost for just a day. Typically, this is not a large expense.
The one instance where data restoration coverage could become critical is where an employee responsible for the back-up tapes corrupts them for an extended period of time.
Network Extortion, Breach Notification
In the years around 2004, there were a number of network extortion events. Network extortion can take different forms but is essentially using the threat of harm to extort money by using stolen data to threaten the company’s reputation or by corrupting data on the network.
Consequently, extortion resulting from a network attack became and remains a separate insuring agreement on policies. Profiting by criminals in this manner was curtailed when the criminals doing the extorting were being caught by officials when money physically changed hands. It was much more profitable and less risky for the criminals to simply sell stolen information. Extortion activity has again begun to gain some popularity as anonymous digital currency like BitCoin makes the money exchange opaque to law enforcement agencies.
The next stage of development in the history of cyber insurance was the enactment of state breach notification laws making it mandatory to notify people if their individual personal identifiable information is compromised.
California was the first state to enact such a law, which became effective July 1, 2003. Known as the Security Breach Information Act, or Senate Bill 1386 (SB1386), the statute requires any agency or business that conducts business in California, and “that owns or licenses computerized data that includes personal information” to notify affected residents of California of any security breach if “personal information was, or is reasonably believed to have been accessed by an unauthorized person.”
Note that “personal information” in the law means an individual’s first name or first initial and last name in combination with any one or more of the following: a Social Security number; driver’s license or California Identification Card number; or account, credit or debit card number in combination with any security or access code or password.
Since the inception of the California law, all but three states have adopted similar laws. Slow progress toward a federal law to eliminate the current patchwork of state law requirements is being made but may be some years off.
The enactment of notification laws prompted a surge of buying and remains the major driver to the purchase of cyber coverage. Most of the losses that have been paid under cyber policies have been for costs surrounding these state notification laws. The loss is to the insured, not from a liability suit. It is the cost to investigate and respond to a breach or potential breach.
Typically included are the costs for computer forensics, legal and public relations expenses, which typically have separate sub-limits, in addition to notification costs. Estimates range from more than $200 to a few dollars per record. Anecdotally, most underwriters and brokers tend to use an approximate cost for notification of $15 to $30 per record. This cost, coupled with forensic, legal and public relations expenses, can quickly translate into large amounts of money in a breach situation.
Within the last few years most carriers have included fines and penalties coverage either by endorsement or as an additional insuring agreement.
The typical exposure arises from the payment card industry (PCI) or from a federal law such as HIPAA for healthcare or Graham Leach Bliley (GLB) for financial institutions. Originally coverage was for defense only but carriers have expanded coverage to include the penalties assessed. Most carriers include a sub-limit for this coverage.
A Flawed Approach
The rating of cyber coverage has historically been based on revenues. This is an inherently flawed approach since revenue has little direct relationship to the actual exposures, which are the cost to identify and notify individuals with actual or potentially compromised records. For instance, a healthcare organization that has $50 million in revenues would have vast amounts of personal identifiable information. On the other hand, a contractor or manufacturer with the same $50 million in revenues would have very little personal identifiable information.
Recently, more carrier applications are requesting the number of records kept by the insureds and prospects to more accurately determine the actual exposure. Also, there is a trend for carriers’ forms to use the number of records as a limit for notification in lieu of a dollar amount. Beazley, AIG, Axis and AWAC are pioneering forms based on the number of records.
Unique Forms
Coverage for bodily injury and property damage is a recent development in cyber policies. Current general liability contracts are fairly clear that there is coverage for “bodily injury” arising out of the inability to access electronic data. Coverage is less clear with regard to property damage, such as system damage coverage. So far very few carriers are offering this coverage, but others may soon follow. Some carriers have forms that include additional Side A coverage for directors and officers.
All carriers are looking to differentiate their forms from other markets, which make all the forms unique. This uniqueness of each carrier’s forms is one of the most fascinating yet frustrating elements of cyber coverage. There is little standardization making direct comparisons difficult. Also, as is evidenced by the most recent changes, forms are still in flux. The analysis of proper cyber coverage is further exacerbated by the ever-changing threat profile due to attack methods constantly changing and rapid technology changes such as smart phones and tablets.
Cyber forms have been evolving for the last 17 years and will continue to do so into the future as the insurance industry continues to grapple with the dynamic nature of cyber risks.