Cyber security risks have become more significant as we store more consumer financial and health information in electronic form. Hardly a week goes by without this topic in the mainstream news. As businesses and consumers become more reliant on electronic storage, there are more opportunities for cyber-attacks. Recent high-profile data breaches against companies such as Equifax, Yahoo and the WannaCry cyber-attack have led to a surge in requests for protection in the form of cyber security insurance policies. However, securing a cyber-liability policy is not simple. Insurers writing this type of coverage need to look at multiple factors to determine if it is worth the risk. For example, they need to look at the business’s anti-virus and anti-malware software, the business’ risk-management techniques, its physical assets, its intellectual property and even personnel. This will determine rates as each plan is not “one size fits all” and is usually specifically tailored to the business itself.
The ever-evolving landscape of cyber technology poses threats that are especially difficult to assess. It has been estimated that spending on cyber security products rose to a record $73.7 billion in 2016, but only 29 percent of U.S. businesses are insured against cyber threats. Notably, federal and state regulators are displaying an increasing interest in being seen as aggressive in this space. Emerging is an industry consensus: the greatest obstacles for effective cyber security insurance coverage are the lack of standardization and of historical numbers on which to base risk assessments.
Today, companies need coverage for costs to restore lost or corrupted data, reimbursement for loss of income from business interruption, payment of fines or penalties to regulators, costs to notify customers of a breach, costs of credit monitoring for customers whose information was compromised, liability to third parties for transmissions of malware or viruses, liability to third parties for disclosure of confidential or trade secret information, and even costs of third party vendors such as public relations firms.
However, insurers struggle to generate comprehensive policies for a nascent industry with hidden vulnerabilities. This is due in part to the lack of historical data on cyber losses, which significantly inhibits the insurers’ ability to build predictive models and properly assess cyber risk. Thus, experts encourage companies to utilize their own data, third party data and other advanced technology to better mitigate potential adverse events. A company armed with these “prescriptive analytics” will have more credence at the bargaining table and craft a better fitting policy than one that merely hopes for the best.
Many experts also decry the inefficiency in this industry; insurance seekers and carriers miss each other’s needs. For instance, Equifax holds a policy that would probably cover about $100 million to $150 million but its costs after the recent breach could be multiples higher than the insurance payout. With clearer, industry-wide metrics, risk and pricing would be easier to customize for each company. Some experts propose a system akin to the data available at credit bureaus for consumers relative to their credit performance. The cyber security insurance market might inch toward equilibrium with a common language by which to evaluate and compare risk, like a consumer credit score. Others say policy pricing will level off despite increasing demand because there is a tower of insurance companies involved providing financial ventilation. That might enable companies to purchase more robust coverage. Until then, the imbalance places upward pressure on policy pricing, where insurers can hike up premiums for companies with poor governance and force companies to improve their own processes.
Since these obstacles are still new, the courts must parse, on first impression, the clunky policies of yesteryear. For example, in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of Am., No. C14-1368, 2016 WL3655265 (W.D. Wash. July 8, 2016), the District Court considered whether a “social engineering” type of breach by “phishing” is covered under a company’s policy. Hackers targeted the treasurer at Aqua Star USA by posing as a business partner and sharing a “new” account for the businesses’ wire transfers. After the Aqua Star employee wired over seven hundred thousand dollars to the hacker, the insurer argued, and district court agreed, that the harm was not covered. The court held that the policy’s computer fraud clause explicitly excluded losses for electronic data inputted by authorized employees. Because the employee cooperated with the hacker’s fraud, albeit unwittingly, Travelers disclaimed coverage. On appeal, the Ninth Circuit will decide whether Travelers effectively excluded these losses from its promise to cover damage to “Property directly caused by Computer Fraud.” A heavy burden lies on insurance carriers and corporations to find each other, regardless of how this case is decided.
Brian S. Kabateck is the founding and managing partner of Kabateck Brown Kellner, LLP. His expertise is in the areas of personal injury, insurance bad faith, pharmaceutical litigation, wrongful death, class action, mass torts and disaster litigation. Attorney Joana Fang is an associate with Kabateck Brown Kellner, handling a wide range of cases for KBK including consumer class actions, personal injury, wrongful death and insurance bad faith claims.