Cyber Security: Insurance as an Essential Part of Risk Management
The cost and frequency of cyber-related security threats are on the rise. Some estimates claim that one-in-six businesses have experienced a cyber attack in the past year while the cost of cyber attacks on global businesses has risen to more than $300 billion a year.
With these rising numbers comes increased scrutiny from regulators and courts concerned with the ability of companies to safeguard data. Commensurate with the duty to safeguard data is the need to mitigate risk with cyber insurance. We consider the perspectives of insurers, buyers and board members in assessing insurance as a risk mitigation factor.
For insurers, there is opportunity in cyber: Lloyd’s estimates that $2.5 billion in cyber insurance is written by 50 insurers globally with 90 percent of the coverage in the United States. Allianz estimates that this could grow to $20 billion in 10 years.
Indeed, the insurance industry may be “best-positioned” to solve cyber issues, said Scott Kannry in his article “Insurance Industry Can Solve Cyber,” Insurance Thought Leadership, Sept. 20, 2015. He posits that the “insurance industry is the only industry” able to “correlate controls and protective actions (insight gained during the underwriting process) with losses resulting from the failure of such controls and protective actions (insight gained by paying claims),” permitting insurers to assess cyber risk, provide context for cyber exposure, and identify loss and claims data. Moreover, much as insurers established D&O guidelines years ago, the industry may be instrumental in setting insurable standards for cyber security.
From the buyer’s perspective, a business considering cyber insurance must carefully examine what costs and risks are covered and under what conditions, exclusions and limitations.
For example, are past breaches covered? Is business interruption covered? If the Northeast Power Grid were attacked and shut down, the economic effect could be as much as $1 trillion, according to estimates by Lloyd’s and the Cambridge Centre for Risk Studies. Much of that economic loss would no doubt be business interruption.
Coverage
A stand-alone cyber policy as opposed to a commercial general liability (CGL) policy provides the most comprehensive coverage.
Stand-alone cyber policies cover two areas of liability: first party damage, covering injuries to the company, and third party liability, covering injuries resulting from third party actions.
First party damage covered by cyber policies includes damage resulting from data assets and infrastructure being compromised, such as data destruction, business interruption, first party property damage, theft and extortion, and damage to company brands and reputation.
Cyber insurance also covers the costs of incident response and remediation, investigation, and security audits. Oftentimes the expense related to incident response far outweighs the direct damage. For example, Anthem’s breach exposed personally identifiable non-public information in 80 million records. At an NAIC hearing, it was disclosed that $128 million will be spent on cyber security enhancements, with costs related to the incident response totaling $230 million. Although Anthem will spend $358 million in total on its response to the breach and on security enhancements, none of the personally identifiable information accessed in the breach has shown up on the dark web.
Third Party Liability
In addition to first party damages, cyber coverage should also address third party liability, including regulatory failures (violations of state breach notification laws) and causes of action related to inadequate data security safeguards, including shareholder derivative actions brought against directors themselves. (For a more detailed discussion of standing to bring such actions, see Rajesh De, John Nadolenco, and Evan Wooten, “The Evolution of Data Breach Litigation in the United States: What’s Happening and What’s Ahead.”)
In view of increased cyber litigation, it is important to ensure that any buyer purchases insurance with adequate defense coverage, including directors and officers (D&O) liability coverage.
From a board member’s perspective, before engaging insurers, boards should encourage corporations to perform a cyber risk assessment. Such an assessment identifies those assets which are most valuable and the protections deployed to secure them.
Most importantly, a critical element in any cyber defense is board awareness and responsibility for managing the risk. The buck stops at the board and ultimate responsibility must not be delegated to others. We strongly recommend the development of a Written Information Security Plan (WISP) prepared with the advice of experienced outside counsel and a Data Breach Response Plan (DBRP) with the advice of experienced forensic experts. Those documents will be an essential part of any cyber litigation defense. They may also assist insurance buyers in securing cyber coverage at a lower price.
Corporations and board members should also consider various cyber security guidelines in implementing their cyber framework. A standard often referenced in guiding corporations is that of the National Institute of Standards and Technology (Framework for Improving Critical Infrastructure Cybersecurity, Feb. 12, 2014).
Alternative standards also worthy of consideration are those set forth by Massachusetts (Standards for the Protection of Personal Information of Residents of the Commonwealth: 201 CMR 17.00) and in Start with Security: A Guide for Business, Federal Trade Commission, June 2015. These standards can help establish more effective cyber security frameworks and obtain cost-effective insurance coverage.