Third-party liability claims remain open long after cyber event

Jennifer Wilson, head of cyber at Newfront, says these claims can take a long time.


Third-party liability claims arising from privacy violations and data breaches are remaining open for years, and they are predicted to grow sharply in the face of rising costs, ongoing expenses and limited insurance coverage.

In light of the CrowdStrike IT outage as well as the recent HealthEquity breach that impacted 4.3 million Americans, PropertyCasualty360.com spoke to Jennifer Wilson, head of cyber at Newfront, about how the rise in third-party claims represents a significant financial burden for organizations.

In her role, Wilson directs the marketing, placement and claims management of cyber risk and technology E&O insurance. She works with clients to identify and understand their cyber risk exposure, while recommending ways to best mitigate these risks and negotiate the broadest terms available in the cyber insurance marketplace.

PropertyCasualty360.com: Why are third-party liability claims related to IT outages and data breaches remaining open?

Wilson: Third-party claims related to an IT outage take time. It’s not necessarily that they remain open, but in some cases, they are not yet known. Let’s use Change Healthcare as an example again: the ransomware attack occurred in February, it is now August, and I actually just received notice from Change Healthcare that my PHI has been compromised as a result of the attack.

It’s taken me six months to be notified that I’ve been impacted. Once an individual is notified that their protected information may have been compromised, the next step is to consider whether they want to pursue legal action, and if so, they must select a law firm. From that point the law firm has a specified amount of time in which to file a claim or lawsuit related to the matter; this can vary state by state. Then insurance gets involved, and the case can either settle or go into litigation. This whole process could, and typically does, take years.

PropertyCasualty360.com: How long do these claims remain open?

Wilson: These cases can remain open and in litigation limbo for years, which is why the claims remain open for years with the insurers. 

PropertyCasualty360.com: What types of claims are being filed?

Wilson: There are a few different types of claims that can be filed as a result of a supply chain event. Let’s use a ransomware attack as an example. The first-party costs could be the ransom payment, breach counsel, IT forensics, and business interruption.


The first-party costs are the immediate costs to mitigate the loss, respond, and restore business operations. The third-party costs are the security breach claims related to the protected information of individuals, the third parties.

PropertyCasualty360.com: Why is the cyber claims landscape so volatile?

Wilson: The cyber landscape is different from any other in that it is constantly changing. The threats we experience today will be quite different from what we’ll see a year from now, which makes it challenging to model for the future. Our concerns went from our files being locked, to data breach, to downstream outage related to an attack on a dependent business.

Social engineering attacks began as crudely written emails that trick individuals into transferring money or confidential information, and they have evolved into sophisticated deepfake video calls. In a very short period, cyber-attacks have evolved in scope and scale, and we’re just trying to keep up.

Compare this to property claims. Property risks have not changed in over a century – top risks remain fire, earthquake, wind, flood, hail, and theft. The property insurance industry has several decades of claims data with which to model the top catastrophe categories and properly and adequately rate premiums.

The cyber industry has about 10 years of claims data, which is sparse and inconsistent. Additionally, just as the cyber market gets a handle on a specific threat, the landscape changes, which makes the underwriter’s job extremely challenging. For example, the insurance industry was not prepared for the ransomware epidemic, which forced drastic rate increases and security requirements for the next 12 months.

As the claims decreased and capacity increased, we experienced a stabilization, which then led to a drastic decrease in rates. The claims have increased and evolved, and we’re expecting another shift in pricing. It’s the tail wagging the dog. With an ever-shifting claims focus, the market will continually race to catch up to the threat actors, never quite able to stay ahead.

PropertyCasualty360.com: Why are insurers revising policy language for cyber claims every three to four months to ensure sustainability?

Wilson: The focus of claims continues to shift and escalate in both frequency and severity, and the insurance market is trying to continue to offer broad coverage at reasonable pricing, while keeping an eye on sustainability.

As the severity of risk increases, the markets must look for ways to counterbalance. While we can’t rate based on the doomsday event, we also can’t ignore the potential of widespread or catastrophic events. One way for an insurer to address the potential for systemic risk is to amend policy language to limit the exposure. This is done through everything from co-insurance clauses, to limitations in coverage, to exclusionary language.

Over the past five years we’ve seen ransomware co-insurance, widespread event endorsements, neglected software limitations, war exclusions removing cyberterrorism coverage, and systemic risk and catastrophic event limitations.

PropertyCasualty360.com: How can cyber insurers better respond to industry demands?

Wilson: I think the insurance industry is doing a great job at learning and evolving along with the risks. While not staying ahead of the risk, they are looking at the claims data and establishing criteria to help prevent and mitigate the exposure, while asking the right questions up front to properly understand the risk.

One thing that is missing is standardization in policy language. This would help the insureds and brokers to ensure consistency throughout the excess tower. It would limit the amount of time brokers are required to negotiate terms and conditions from carrier to carrier, and it would streamline the claims handling throughout the excess tower.

While the claims modeling tools are improving and the library of claims is expanding, we are forced to model on outdated data. This goes back to my point earlier. With a cyber-claims space that is constantly changing and evolving, and claims data that is four to six months old by the time it is in the system, it is difficult to think ahead when it comes to claims modeling.

The expectation is that AI will help insurers better manage aggregation concerns, similar to what we saw with recent events such as Change Healthcare, CDK, Evolve, and CrowdStrike. This might be a bigger-picture problem. Should the government be looking into aggregation of interests from a cyber perspective?

Does it make sense for a company such as Change Healthcare to control a majority of the healthcare billing processing? We now know what an outage at a single company can do to the entire industry. Should the government consider how a cyber-attack might impact an industry or our economy and put in guardrails?
