Cyber Coverage Experiences Growing Pains
By Denise Johnson
In light of businesses' increasing use of information assets and advancing technology, insurers are pulling away from cyber coverage, according to Kevin Kalinich, global practice leader of cyber risk insurance at Aon Risk Solutions.
“A big misconception is that these are creating worse exposures or more severe exposures, but they’re creating different exposures,” said Kalinich.
He said insurers are reconsidering capacity and the scope of coverage as a result.
“The smart insurers are differentiating the insureds now. The smart insurers are taking a look at IT security…who integrates their IT security into an overall risk management strategy that makes it part of the culture of the entity that they might insure,” Kalinich said. “The insurers are taking a strong, second look at each of their insureds now in the cyber insurance market.”
While retailers and financial institutions gain significant media attention from data breaches, a recent review by Travelers of its claims data revealed that other industries, including professional services firms and educational institutions, are also regularly targeted for cyber-attacks.
Experian Data Breach Resolution and the Ponemon Institute recently released the results of their second annual study on corporate data breach preparedness.
The report, Is Your Company Ready for a Big Data Breach?, found that executives are concerned about the effectiveness of their data breach response, despite taking basic steps to be prepared.
“While more organizations have data breach preparedness on their radar and have developed a response plan, a majority of companies are not putting the support and resources behind having it truly be effective,” said Michael Bruemmer, vice president, Experian Data Breach Resolution.
Key findings from the study include:
- Almost half (43 percent) of organizations surveyed had suffered at least one security incident, up 10 percent from 2013.
- Sixty-eight percent of respondents felt unprepared to respond to a data breach.
- Most (78 percent) have not updated, or do not regularly update, their plan to account for changes in threats or in company processes.
- Respondents ranked identity theft protection products and access to a call center as the two most important services a company should provide customers following a breach.
- Sixty-nine percent indicated additional funding as a major need to improve response activity.
“Compared to last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Companies should be careful of not becoming complacent because they have a response plan in place or just completed a security audit. Preparedness requires ongoing maintenance and diligence.”
New Coverage Considerations
Kalinich described some coverage issues that have arisen in the claims payment process that had not been previously considered.
The first issue is that of prior acts coverage, the Aon global practice leader said. He explained that a typical liability policy is intended to cover wrongful acts or incidents that happen from the date that the policy was purchased going forward.
“However, in the cyber exposure context, it’s possible that the wrongful act, there could have been malware already put on the system or there could have been breach of the security prior to the time that you bought the insurance policy, but that incident may not emanate until after you bought the policy,” said Kalinich. “What happens in those types of situations? You need to take a strong look at buying prior acts coverage, which means coverage for wrongful acts or incidents that happened prior to the time you bought the policy but that you didn’t know about the wrongful act.”
Another issue is determining what the remediation costs are versus system upgrade costs, he said.
“Secondly…when they’re actually paying the claims, [insurers] have to take a strong look at what aspect of the cost was remediation to actually fix the breach and fix the incident versus what portion of those costs are actually improvements on the system, because the insurance companies do not want to pay for betterment of a system versus remediation of a cyber-incident,” Kalinich said.
The Financial Impact of Data Breaches
The Aon executive said the typical costs associated with a cyber-breach include legal defense, settlement, event management, forensics, notification, credit monitoring and call center expenses.
“The cost per claim is somewhere north of $200 per claim for personal identifiable information records,” Kalinich said. “Then, you also have to pay your legal defense costs. You may have to pay a legal settlement cost, and a cost that has been underestimated and now is becoming more prevalent as we actually work through claims, are what we call event management costs.”
He explained that event management costs are not just related to work completed by a public relations firm to avert a crisis or mitigate the impact of a data breach. They also include forensics costs, notification costs to any affected consumers or third parties, call center costs, credit monitoring costs, and legal advice costs relating to the 47 states that require compliance with a data breach disclosure law.
Cyber exposure can lead to other lines of insurance being implicated, like Directors & Officers policies, said Kalinich. Traditionally only the property or commercial general liability policies were triggered, but recent data breaches involving Target and Home Depot indicate that shareholder lawsuits are trending.
The result is that there are now insurance riders to clarify policies, Kalinich said. Insurers want to make certain that property and general liability policies are not intended to cover intangible perils and intangible damages.
He said a seminal case decided in 2014 was Zurich v. Sony.
Sony brought a claim relating to a data breach against its general liability insurer, Zurich.
“Zurich responded by explaining the general liability policy is not intended to cover intangible perils or intangible damage, and you need a special cyber policy,” Kalinich explained. “The court agreed with Zurich and determined on February 21st, 2014, that the general liability policy is not intended to cover those types of cyber exposures. The result is that cyber coverage – cyber-specific insurance policies – have gained much more attention and have gained much more focus to the scope of what those coverages are to fill the gaps from the legacy policies.”
He said that a by-product of this is that additional policies, like D&O, are being targeted for coverage, and there are shareholder derivative litigation actions against individual directors and officers of entities like Target.
“It’s a wake-up call for all management, that technology and information assets is not only here to stay, but it’s going to increase in the future in that the D&Os must create a culture of risk management for just these new exposures,” said Kalinich.