This blog post has been cross posted from the Insurance Section Blog.
By Dean A. Pappas
Ropers, Majeski, Kohn & Bentley
Disasters beget Standards
The insurance industry was a driving force in the development of modern comprehensive standards and codes relating to the design and construction of buildings. Following analysis of the fire damage triggered by the 1906 San Francisco Earthquake and other major fires, the National Board of Fire Underwriters (whose successors in interest were eventually integrated into the Insurance Services Office, Inc.) recognized the need for more comprehensive standards and codes. Initially, building codes dealt mainly with structural safety under fire or earthquake conditions. Comprehensive codes have grown into documents setting minimum requirements for structural stability, fire resistance, means of egress, lighting, ventilation, and many other subjects.
Similar forces appear to be driving the creation of cyber security standards. Cyber conflagrations have spread from Excellus BlueCross BlueShield, TalkTalk, Sony, Target, Avid Life Media (owner of Ashley Madison) and many other businesses and entities, public and private. In light of these disasters, big and small, and evolving market forces, regulatory developments are occurring. For example, in October 2015, the National Association of Insurance Commissioners adopted a cyber-security “Bill of Rights” that heightens the cyber security obligations of insurers to policyholders. On a larger scale, the U.S. Department of Justice and the Federal Trade Commission have proposed industry-specific guidance on what constitutes a strong cyber security preparation and response plan. This regulatory trend is not being ignored by publicly traded companies. A survey of a sample of directors and officers across publicly traded companies conducted in September and October 2015 by the NYSE Governance Services, in partnership with cyber security firm Veracode, found that 72% of the survey participants expected more cyber regulation in the near future.
Standards beget Risks
Commercial policyholders have now been collecting and storing data electronically for decades. Recent and developing standards are increasing exposure to third-party losses and claims. The frequency, sophistication, and breadth of cyber-attacks related to the stored electronic data continue to grow. Every new regulatory standard creates a potential foothold for a party injured by a disclosure of personally identifiable information (PII) to establish a breach of a standard of care. These forces combine to foreshadow a firestorm of third-party claims.
Liability claims will not be limited to those asserted by the victims of the disclosure of PII against the insured company. Claims and suits against directors and officers arising out of alleged failure to protect personal data files are becoming common. One subject of these claims will be alleged failure to implement controls and procedures consistent with the developing standards and regulations. Targets of these claims will increasingly include an insured’s chief information officer (CIO) and chief information security officer (CISO). These claims and suits will not merely arise from the action or inaction alleged to have allowed the cyber security breach to occur; they will likely sweep in wrongful acts during and following cyber events. Commercial policyholders will be expected to be prepared to respond to a cyber security breach. Mismanagement of the response to cyber events will be the basis for a second layer of claims against companies and their directors and officers.
In addition to the increased frequency of losses due to cyber attacks, the nature of policyholders’ resulting losses is significantly evolving. First-party risks are not limited to the costs of restoring data and indemnifying business interruption losses. A recent study concluded that at least 88% of the S&P’s market value consists of goodwill and intangible assets such as reputation. In comparison, only 17% of market value was goodwill and intangible assets in 1975. Policyholders now face potentially catastrophic reputational harm triggered by cyber events. Such cyber events include an attack causing denial or interruption of services, in addition to the stigma of being perceived as an untrustworthy protector of PII.
Insureds are increasingly becoming the targets of hacking or malware. Hackers, for example, have stepped up invasions employing ransomware to lock up an organization’s data and hold it hostage until a ransom is paid. Specialty insurer Beazley recently confirmed that this trend is borne out by its data which shows that breaches involving ransomware among its clients more than doubled in 2015. Beazley also observed that the trend appears to be accelerating in 2016.
Risks beget Insurance
While the existence of cyber security and data privacy insurance is not a recent development, the birth rate of policies covering these risks is rapidly increasing. In a study of 100 U.S. middle-market companies and large corporations, 85% said that they purchase cyber security and data privacy insurance. The cyber insurance market has been projected to triple to about $7.5 billion in the next five years. Some industry observers expect premiums to reach $20 billion by 2025.
Obtaining cyber insurance has proved challenging for many companies. For example, insurance products applicable to a policyholder’s loss of business because of reputational harm caused by a data breach are in their infancy and are not available from many insurers. Almost half of the companies purchasing cyber insurance reported that the biggest challenges they faced when purchasing coverage were finding a policy to fit the company’s needs (47%) or the cost (42%). In its 2016 Market Realities report, Willis North America offered observations about the cyber insurance industry including the following:
Cyber renewals are seeing primary premium increases of up to 15% for most buyers and up to 150% for point of sale (POS) retailers and large health care companies.
Excess cyber losses have caused a few markets to stop writing large accounts and others to increase their premiums significantly in upper layers of $75M+ placements.
Underwriting requirements continue to rise, including conference calls with third-party security experts.
Insurers are also increasing retentions, reducing capacity and exiting certain sectors.
First-time buyers (except for POS retailers and large health care organizations) will continue to see a marketplace with favorable terms, conditions and pricing, though not as favorable as in the past, given the shifting competitive environment and paid losses.
A lack of concrete actuarial data about cyber risk and incidents has been an obstacle for standardization of cyber insurance products. Cyber products developed by insurers have been more customized than other insurance policies and also more costly. The Department of Homeland Security is exploring the possibility of a unified cyber incident data repository where companies can share information about cyber attacks anonymously. The repository may strengthen underwriting and promote uniformity in available insurance products.
In addition to cyber insurance policies, coverage gaps for some cyber-related damage and injury may be addressed by “difference in conditions” coverages (Cyber DIC Coverage). Cyber DIC Coverage is generally designed to apply to a cyber-related loss that would have been covered by a company’s non-cyber policies but for cyber-related exclusions or limitations.
The involvement of insurers has not been limited to developing cyber insurance coverages. Insurers, particularly large insurers, have developed products and programs designed to assist insureds in training and compliance efforts, threat intelligence assessment, and the coordination of a breach resolution.
Insurance begets Claims
The firestorm of cyber insurance claims is just beginning. Nearly half of the companies in the study of 100 U.S. middle-market companies and large corporations that had purchased cyber and data privacy insurance reported having to file a claim with their insurer. Beazley says that its breach response unit handled 60% more data breaches in 2015 than in 2014 in the U.S.
In light of the lack of standardization of cyber insurance policies, it is important to review the entire policy that relates to a particular claim. Policies may, for example, include specific conditions regarding the policyholder’s adherence to certain loss prevention standards prior to a loss. These policies typically include several distinct insurance coverages with separate insuring clauses and related provisions. Coverages may be subject to substantial deductibles or self-insured retentions. Similarly, subsets of covered risks may be subject to specific sublimits. Cyber DIC Coverage will also likely include conditions such as a requirement that the non-cyber insurer issue a written denial of coverage based on a cyber-related exclusion in order to trigger coverage.
Claims beget Coverage Litigation
The companies examined in the Wells Fargo survey with cyber coverage losses overwhelmingly reported that they were satisfied with their coverage and how their claim was handled (96%). This is likely the result of the fact that cyber policies were specifically designed for these risks. This landscape may change over time.
There has been a minimal flare-up of cyber insurance coverage litigation. Cyber insurance coverage litigation may be ignited as losses occur by means that were not contemplated when policy forms were drafted. The lack of standardization of the policies may also give rise to arguments that policy language is ambiguous and must be construed in accordance with the reasonable expectation of the policyholder. As claim experience and loss data begin to be developed and analyzed, risks or types of losses within the scope of current insuring clauses that were not anticipated will be identified, resulting either in the narrowing of some coverages or the addition of exclusions. While a firestorm of claims is anticipated, a proportional increase in related insurance coverage litigation is not similarly anticipated in the near future.
The insurance progeny of cyber events may be reaching adolescence but are far from maturity. The breadth of the risks ‒ heightened by the developing standards ‒ will increase the frequency of liability claims. The nature and scope of insurance coverages that may apply to property insurance losses and liability claims are developing. Slight differences in policy language and the absence of legal precedent evaluating cyber insurance coverages will require that the terms and conditions of the policy be closely examined at the onset of the handling of each new claim. Insurance coverage disputes are anticipated but not expected to be overwhelming in volume.
National Association of Insurance Commissioners (NAIC), NAIC Advances Consumer Bill Of Rights During Cybersecurity Awareness Month, http://www.naic.org/Releases/2015_docs/naic_advances_consumer_bill_of_rights_during_cybersecurity_awareness_month.htm
U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents, April 2015; U.S. Securities and Exchange Commission, “Cybersecurity Guidance,” IM Guidance Update, April 2015, No. 2015-02; also NAIC, Principles for Effective Cybersecurity: Insurance Regulatory Guidance, http://www.naic.org/documents/committees_ex_cybersecurity_tf_final_principles_for_cybersecurity_guidance.pdf
NYSE Governance Services and Veracode, Cybersecurity and Corporate Liability: The Board’s View (NYSE), p. 4
Beazley Group, Beazley Breach Insights 2016 shows sharp increase in hacking and malware, March 8, 2016 (Beazley Breach Insights), https://www.beazley.com/news/news/beazley_breach_insights_2016_shows_sharp_increase_in_hacking_and_malware.html
Wells Fargo Insurance Services USA, Inc., 2015 Cyber Security and Data Privacy Survey: How prepared are you?, September 2015 (Wells Fargo), p. 2
Willis North America Inc., Willis Marketplace Realities 2016: Bringing The Pieces Together, October 2015 (Willis), p. 11
Testimony of Thomas Michael Finan, Chief Strategy Officer, Ark Network Security Solutions, before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, “The Role of Cyber Insurance in Risk Management,” March 22, 2016 (March 2016 Homeland Security Committee), http://docs.house.gov/meetings/HM/HM08/20160322/104668/HHRG-114-HM08-Wstate-FinanT-20160322.pdf
Testimony of Adam W. Hamm, Commissioner, North Dakota Department of Insurance, on behalf of the NAIC before the March 2016 Homeland Security Committee, http://docs.house.gov/meetings/HM/HM08/20160322/104668/HHRG-114-HM08-Wstate-HammA-20160322.pdf
See Statement of Subcommittee Chairman John Ratcliffe, March 2016 Homeland Security Committee, https://homeland.house.gov/wp-content/uploads/2016/03/3-22-16-Ratcliffe-Open.pdf
Beazley Breach Insights
See generally Minkler v. Safeco Ins. Co. of America, 49 Cal.4th 315, 321 (2010)