The Cyber Risk Pendulum
Privacy risk is so 2014, right? Ten years ago, numerous retail and healthcare companies were hit with data breaches involving the exposure of credit card or healthcare data. Given the many data breach claims that followed, which included fines by state attorneys general and the Payment Card Industry, the cyber insurance market focused on privacy risk.
This focus remained until 2017, when ransomware claims developed into more substantial matters, triggering large business interruption losses for carriers. Underwriters accordingly focused on ransomware exposure to minimize the potential for business interruption claims.
However, in 2024, with new state privacy laws and renewed interest from the plaintiffs’ bar, carriers are once again seeing privacy claims based on biometric, pixel or chat technology. While ransomware has not gone away, attacks have evolved from network encryption to the theft and ransom of consumer or confidential corporate information. The cyber pendulum has swung back to privacy risk.
While all 50 states have data breach notification laws, many states have passed comprehensive privacy bills following the model set by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). At the time of this writing, five states have active privacy laws, eight have passed laws that will go into effect within the next two years and 17 other states have active bills. With new state privacy laws, state regulators have a greater ability to fine companies that violate privacy provisions. Additionally, many state privacy laws allow for a private right of action for certain violations.
Over the past several years there has been increased activity from the plaintiffs’ bar around biometric, pixel and chat technology. While Illinois’ Biometric Information Protection Act (BIPA) was enacted in 2008, there has been more litigation activity since 2018, with several key decisions made during 2023 that will impact future BIPA cases. BIPA includes a private right of action as well as a statutory-damages provision, keeping potential large damage awards firmly on plaintiffs’ firms’ radars.
Within the last two years, use of website user-tracking technology – such as pixels, chat, session replay, website software development kits, or pen registers – has spawned litigation by plaintiffs’ firms based on the Video Privacy Protection Act and the California Invasion of Privacy Act. Like BIPA, these acts allow for a private right of action as well as statutory damages, which have the potential to raise the claims price tag.
This activity forms a backdrop to the continued frequency and severity of ransomware claims. Corvus Insurance reported in January, based on data collected from ransomware leak sites, that ransomware activity was up 69% in 2023 compared with the prior year’s totals. Carriers also report that severity remains an issue. According to Coalition, average ransomware demands in the first half of 2023 were up 47% over the previous six months, and 74% over the prior year.
While ransomware was historically used to encrypt networks, threat actors have pivoted in recent years to stealing customer or confidential corporate information and holding that data for ransom, with the threat of publishing it on the dark web. In many instances, threat actors carry out a double extortion, demanding one ransom to regain access to the network and another for the stolen data.
In this environment, carriers are refining their underwriting to address the potential for losses. In 2024, there is a greater focus on controls related to “wrongful collection” coverage – the collection of data in a manner that could run afoul of privacy regulations, whether at the state or federal level. Several carriers have introduced supplemental applications with questions that focus on consent regarding data collection practices and the use of website user-tracking technology. Underwriters remain concerned about security controls related to ransomware losses, and most carriers require a ransomware supplemental application as part of the submission process.
As the cyber pendulum has swung back to privacy risk, underwriting preference has swung, too, with regard to industry. In prior years, when carriers focused on ransomware losses and the associated business interruption, “brick and mortar” industries fell out of favor. Now these industries are again preferred by underwriters, while information holders such as healthcare, retail, and financial institutions cause greater concern. Potential new areas for claims include spoofing attacks using generative AI, attacks on critical infrastructure, or even cyber war.