Cyberinsurance typically covers losses caused by or related to unauthorized access to data, destruction of data, extortion or ransomware, denial of service, and other “cyber incidents.” Policy forms are in constant flux in response to both the rapidly evolving nature of cyber threats and the relative lack of maturity of the cyberinsurance market itself.
With other insurance policies increasingly excluding cyber risks, procuring stand-alone cyberinsurance has become critical.
Industries That Should Consider Cyberinsurance
While different sources recount wildly disparate instances of breaches in 2016, the only true consensus appears to be that the rate of cybercrime and cyber attacks rose and was at an all-time high in 2016, a trend most expect to continue next year.
According to several sources, for the eighth straight year, hacking/skimming/phishing attacks were the leading cause of cyber breach incidents, accounting for 55.5% of all breaches.
While cybersecurity should be a concern across all sectors, certain industries are particularly vulnerable to cybercrime and should closely consider their cybersecurity and cyberinsurance policies. These industries include:
- Healthcare
- Financial institutions
- Large law firms
- Manufacturing
- Transportation (especially the automobile industry)
- Retail
- Utilities/Energy
- Government/Public Agencies
For instance, both healthcare companies and large law firms are susceptible to ransomware attacks, and can face insurance concerns when ransoms are not paid. Both healthcare institutions and large law firms typically store large amounts of confidential and privileged information. While many organizations already carry cyberinsurance, some policies have glaring gaps, and definitions differ as to what constitutes a “breach.” In addition, many companies have endorsed existing errors and omissions type coverage to add some component of cyberinsurance, but these endorsements often provide limited, and generally insufficient, coverage.
Financial institutions face similar concerns. Most U.S.-based financial institutions have some form of cyberinsurance; however, their cyberinsurance may not always protect against all events, such as certain instances involving credit card fraud. A growing concern is known as the “business enterprise scam,” or the use of social engineering to pose as individuals authorized to request or release funds to effectuate fraudulent transfers. Not all cyberinsurance policies will cover this risk, and careful attention should be paid to key definitions, the requirement of an actual network intrusion (or lack of one) and relevant exclusionary language to determine whether a policy covers this type of risk.
Benefits of Cyberinsurance
With the increase in cyberattacks, cyberinsurance is becoming more of a necessity for businesses and organizations. Benefits of cyberinsurance policies may include:
- Closing gaps between traditional general liability insurance and current needs created by novel cybersecurity threats (although the cyberinsurance policies themselves often contain gaps as well)
- Offsetting many of the expenses associated with data breaches and other issues, and gaining ready access to sophisticated consultants and vendors who respond in the event of a breach
- Training and coaching resources for companies to assist in developing cyber guidance materials and implementing best practices
In addition, cyberinsurance documentation can help provide companies with additional information and data regarding the nature of newer cyber threats. As the field of cybersecurity grows, any new information is certainly welcome, and collaboration between cyberinsurance and cybersecurity teams will help uncover possible areas of risk and liability.
The Current State of Cyberinsurance: Pitfalls and Drawbacks
Cyberinsurance policies are still relatively new, and can often be riddled with challenges to both insurers and consumers. On the insurer side, one of the main issues is a lack of historical data on cyber losses. This can significantly hamper an insurer’s ability to develop predictive cyber risk models, which may limit an insured’s ability to procure sufficient coverage at an affordable premium rate. In other words, it is possible that cyberinsurance has not been sold for a long enough time to develop workable data on market trends.
On the consumer side, policyholders may assume that various cyberlosses are covered by a cyberinsurance policy, when in fact they might not be. This often stems from a lack of understanding of various IT and technical risks. Such disconnect highlights the need for boards to be well-integrated with their IT departments and their chief information officers.
Other limitations of cyberinsurance:
- Not all policies account for additional cyber-related expenses, such as crisis management, damage to reputation, forensics, and additional credit monitoring, though these coverages can be acquired through most carriers in the market
- Lack of standardized language within the industry, which can limit a buyer’s ability to compare pricing among policies using different terminology and thereby potentially offering materially different coverages
- Products can be expensive and prices inconsistent (though this may change as cyber insurance becomes more readily available to consumers)
- Courts have not yet made substantial findings as to the meanings of key cyberinsurance terms, as is the case in more traditional coverages that have formed an accepted set of terms with widely understood and agreed meanings
Possible Solutions to Cyberinsurance Issues
Deloitte recently released a report addressing various cyber insurance challenges and solutions. For insurers, some approaches that can help the industry progress include:
- Focusing on developing more accurate models for predicting cyberincidents
- Partnering with cybersecurity professionals in order to better understand the nature of various cyber risks and losses
- Creating and issuing more specialized cyberinsurance products that can be tailored to specific types of risks and losses, such as data breaches based on specific types of technology
On the consumer side, organizations should review their policies (both traditional and cyber insurance) to minimize additional, unanticipated liabilities. They should inquire as to:
- Whether the current policy covers losses resulting from employee negligence or error
- What types of data breaches, attacks, and cyber attacks the policy covers
- Whether policies require particular security measures
- Whether policies cover losses arising out of data owned by the Insured but stored on third party servers, such as in the cloud
- How to determine causality between cybersecurity events and company losses
- Whether there is any policy language that is unclear, illusory, or needs further technical definition
Summary
While cyber insurance may not be a universally standard component of all enterprise risk management portfolios, cyber risk specific coverage is critical as traditional lines increasingly do not cover it and as the nature of cyber attacks continues to evolve.
Issues such as cybersecurity and cyberinsurance can have complex effects on the interests of shareholders, the relationships among business partners and the liability profile of fiduciaries charged with safeguarding assets and protecting value, both of which are increasingly intertwined with information assets and network-driven processes. Board members should therefore prioritize cyberinsurance in the same way boards are increasingly prioritizing front-end information security. If you have any questions or inquiries regarding cyberinsurance and shareholder rights, contact us today at Kessler Topaz. Our team of attorneys is dedicated to keeping pace with current developments that can affect shareholder rights.