It’s time to shift the market dynamic in cybersecurity coverage
This is how insurers can best manage cyber liability and help insureds comply with cybersecurity laws.
The cost of cybersecurity incidents to insurers has continued to skyrocket, reflecting the rapid pace and growing sophistication of cyberattacks. The financial stakes also are unprecedented, with as much as $21 trillion of worldwide economic-value creation at risk over the next five to seven years, according to McKinsey research.
Insureds’ claims for business interruption and remediation costs alone are already significant. Following the 2017 NotPetya ransomware attack, Zurich American received a $100 million claim from international food conglomerate Mondelez, and American International Group (AIG) received a $1.3 billion claim from pharmaceutical giant Merck. In both cases, insurers denied coverage based on the “act of war” exception, and ongoing litigation will determine if cyberattacks perpetrated by state or state-linked actors are subject to that exception.
Regardless of how courts rule, those two landmark cases suggest that insurers can expect costly claims in the future from corporate and other institutional victims of cyberattacks. In addition to claims for business interruption and remediation costs, insurers may also expect to defend costly lawsuits and face insureds seeking coverage for administrative fines related to cyberattacks.
For example, under the European Union General Data Protection Act (GDPR), entities can be fined up to 4% of their annual global revenue for violations, including violations of the duty to reasonably protect personal identifying information. Following a data breach in 2018, British Airways was fined more than $237 million by the UK Information Commissioner’s Office for having violated the UK GDPR’s data security requirements. Similarly, a handful of US state data security statutes — such as the newly enacted California Consumer Privacy Act (CCPA) — provide a private right of action for violations of data security requirements.
Although U.S. courts have been reluctant to recognize a common law duty to protect individuals’ data from cyberattacks and data breaches, in the 2018 case of Dittman v. UPMC, the Pennsylvania Supreme Court held that employers can have a common law duty to protect employee data from cyberattacks and data breaches. Moreover, many corporations that have suffered data breaches, including Target and Equifax, have faced class-action lawsuits for violations of state statutes regarding data breach notification.
Three steps insurers should take to manage cyber liability
There are two realities that insurers should consider in assessing and managing their exposure to cyber-related risks.
Many companies, of all sizes and across all industries, remain largely unprepared or underprepared to defend their organizations in the current cybercrime environment. Senior management and boards are failing to educate themselves and remain current on what must be done to adequately defend their companies against cybercrime.
As a result of what amounts to a “head in the sand” approach to cybersecurity, a significant burden is placed on the insurers that are expected to compensate for the mismanagement of this critical function by insured companies.
There are steps, however, that insurance companies should take to minimize that liability, both to assess the cybersecurity practices of their insured companies and assist those companies in strengthening their cybersecurity practices. Basic steps include the following:
Insurers need to evaluate whether insureds or prospective insureds are in compliance with potentially applicable laws governing their cybersecurity and data protection practices, including the New York SHIELD Act, CCPA, and GDPR. Insurers should require those non-compliant insureds to bring their policies and practices into compliance with relevant laws.
In addition to non-compliance exposure, insurers need to examine the practices, policies, and software- and hardware-related vulnerabilities that could expose insured companies to a preventable cyberattack or data breach. Some of these vulnerabilities may be technical in nature, involving software or hardware. Other risks may involve unnecessary use of high-risk technologies or practices, including insecure cloud computing accounts, Internet of Things (IoT) connected devices, or inadequate employee technology use and monitoring policies and procedures.
Although most insurers may not have the internal resources to conduct a rigorous examination of a company’s technical and protocol-related cybersecurity capabilities, they should require that insureds provide a documented cyber risk analysis conducted by a qualified third party, and that this analysis be conducted on at least an annual basis.
Insurers should consider the creation of an interdisciplinary team to conduct cybersecurity risk assessments of current and prospective insureds. This team would consist of technical subject matter experts as well as outside counsel with expertise in insurance and cybersecurity law. Using an outside law firm ensures that the risk assessment process and findings are cloaked in attorney-client privilege, thereby shielding that information from discovery in the event of litigation. The team approach also fosters the sharing of expertise across professional disciplines and provides economies of scale.
The goal of the interdisciplinary cybersecurity team is to provide the insured with best-practice recommendations to minimize its cyber risks to the greatest possible extent. If the insured fails to address detected vulnerabilities to the satisfaction of the insurer’s team, the insurer has a tangible basis on which to increase premiums, to refuse to renew a policy, or to deny initial coverage. Conversely, the carrier can incentivize the insured’s compliance with the team’s recommendations through a premium reduction. This approach serves to minimize the carrier’s exposure, as well as the liability of the insured.
The property & casualty industry is witnessing what’s likely to be the tip of the iceberg with respect to its exposure to cybersecurity-related claims. A significant portion of the inherent risk is currently related to a prevailing attitude among companies that any shortcomings in their cybersecurity capabilities will be addressed by insurance coverage should a breach occur.
But as cybercrime incidents and their related financial implications continue to rise, insurers are obligated — for their own economic welfare — to take a far more proactive and aggressive approach to ensure that cybersecurity coverage is no longer viewed as a safety net to compensate for lack of proper protection by the companies they insure.
Diane D. Reynolds (dreynolds@mdmc-law.com) is a partner and head of the cybersecurity practice group in the Morristown, N.J., office of McElroy, Deutsch, Mulvaney & Carpenter LLP, with extensive experience in privacy/data security and representation of technology companies.
Joyce E. Boyle (jboyle@mdmc-law.com) is a partner and member of the insurance services practice group in the Morristown, N.J., office of McElroy, Deutsch, Mulvaney & Carpenter LLP, representing insurance carriers, including London market companies, in complex coverage and defense matters.
Bradford P. Meisel (bmeisel@mdmc-law.com) is an associate and member of the transactional practice group in the Morristown, N.J., office of McElroy, Deutsch, Mulvaney & Carpenter LLP. His experience in data security includes legal counsel provided to the U.S. Senate’s recent investigative hearings regarding cybersecurity.
The opinions expressed here are the authors’ own.