Cyber Insurance: What you Should Know

By: Robert Jones – AIG
Edited for the Insurance Advocate®

No matter how strong or sophisticated an organization’s IT defenses are, how thorough the vetting of an organization’s vendors may be, or how well an organization trains or plans in preparation to respond to a data breach or other incident, there will still be network security and privacy failures. Relying on IT defenses alone can provide a false sense of security. Recognizing that some risks cannot be eliminated, organizations have increasingly turned to cyber insurance as a method of mitigating and transferring the risk of exposure to cyber events.

Cyber insurance is particularly effective when the cost of additional information security controls does not reduce the risk enough to make the investment in such controls practical. Cyber insurance itself is not a defense; without a rudimentary information security management system, cyber insurance can be prohibitively expensive, and represents an unsustainable solution (for both insurers and companies). It is the application of cyber insurance as another layer—complementing the efforts of IT and other information security oriented functions—where its greatest value is realized.

Cyber Insurance Coverage—A Brief History

The first iterations of today’s “cyber” policies appeared in the late 1990s, as the insurance industry began to develop errors and omissions policies to respond to exposures arising out of emerging technologies: the internet and e-commerce. These “internet insurance” policies reflected their E&O roots in that they: i) were limited to responding only to security failures of an insured’s computer system, and ii) did not provide coverage for first-party costs of mitigating a data breach (one of the potential outcomes of security failure). The coverage did not extend to non-electronic records or accidental disclosure. Underwriters were starting to offer first-party coverages of the value of lost data and business interruption (the cyber analog to property insurance), but first-party coverage was not typically underwritten or brokered by members of the E&O insurance community, and these coverages were not widely utilized.

In the mid-2000s, these early cyber policies evolved into forms more recognizable today: coverage was amended to include “privacy incidents,” which expanded the policies’ response to accidental disclosure of sensitive data in both electronic or paper form; liability coverage was expanded beyond civil actions to also include regulatory investigations; coverage started to appear for contractual fines paid to payment card brands for security non-compliance (contractual liability being generally excluded by E&O policies); and new first-party coverages were created to respond to the costs of investigating and mitigating a security or privacy incident.

Two factors in concert contributed to cyber insurance’s growth: i) new regulations which obligated companies to do more to respond to information breaches, such as the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the early electronic breach notification laws like California’s SB 1386; and ii) organized crime’s increasing awareness of the profitability of payment fraud, identity theft and other crimes made possible by stolen information. Whereas victim companies were previously protected from the fallout of security incidents by the public’s lack of awareness of what transpired, these new regulations forced companies to be responsible for data breaches which were caused—or at least exacerbated—by poor security. As cybercrime increased, cyber insurance grew and evolved to meet the exposure.

The cyber insurance marketplace continues to evolve in several different ways:

  • Available limits for in-demand coverages continue to increase, both in terms of per carrier and total marketplace capacity;
  • Coverage continues to evolve to match emerging technologies—an example being the creation of “Cloud Failure Extensions” to respond to the migration to the cloud and the exposure of dependent business interruption;
  • The underwriting requirements are changing in response to the increasing loss developments; and
  • Some insurance carriers are partnering with information security service and product providers so as to not only be able to accept risk from companies, but also assist companies in evaluating and augmenting their information security or “cyber” resiliency.

While pricing, capacity and underwriting requirements are changing, it is clear after more than a dozen high profile breaches that cyber insurance is a risk management tool for information security that is as important as a company’s security training or intrusion prevention systems. In fact, cybersecurity oversight is now rightfully viewed as a responsibility of a board of directors’ enterprise-wide risk management. The Commissioner of the Securities and Exchange Commission noted in June 2014 that “there can be little doubt that cyber-risk also must be considered as part of [the] board’s overall risk oversight.” Board members are increasingly polling their company’s risk managers and IT professionals to confirm that cyber insurance coverage is in place and to better understand the policy offerings in the event that coverage is triggered.

What Does Cyber Insurance Cover?

Generally, most insurers offer cyber policies with coverage on an à la carte basis; a company can choose which coverages are right for it. The main coverage components are:

1. Defense and indemnity for alleged liability due to a cyber or privacy incident (“Liability”)
2. Coverage for investigating and mitigating a cyber or privacy incident (“Event Response”)
3. Coverage for business interruption due to a cyber incident (“Business Interruption”)
4. Coverage for the response to threats to harm a network, or release confidential information (“Cyber Extortion”)

The “triggers” of the coverages are important to understand as well: a “cyber incident” typically means the failure of the insured’s computer system security, while a “privacy incident” is any failure to protect “confidential information.” The distinction is a subtle, but important, one: a failure of a company’s computer security can result in a privacy incident, but some privacy incidents don’t arise out of a failure of a company’s computer security. Generally, there is a lower threshold for “privacy incidents” to trigger the policy. Coverages and wordings vary from carrier to carrier. Some carriers split the liability coverage for cyber and privacy incidents, so insureds can buy only one of the two if they choose; other carriers have chosen to combine some of the coverages for marketing purposes; and all of the carriers have slightly different definitions for what “computer system,” “failure of security,” and “confidential information” mean.

It should be noted that the vast majority of cyber policies exclude three key types of loss, which a layman might—understandably—find confusing, but which are a product of the borders between different types of insurance. Those three types of loss are: i) tangible property damage (data not being considered tangible property), ii) bodily injury (bodily injury not including emotional distress), and iii) loss of the company’s funds. Coverage for bodily injury and property damage (“BI/PD”) is usually found in traditional property or casualty insurance, and coverage for stolen funds is usually the domain of Crime coverage. The availability of coverage for a cyber incident under a traditional property or casualty program is often not explicit; insurance carriers are grappling with whether such policies are priced and structured appropriately for this new risk. As technology advances—the Internet of Things, computer controlled medical devices, etc.—and the potential for a cyber incident to result in BI/PD increases, some carriers are starting to exclude this coverage under traditional property and casualty programs. Other insurers are addressing this gap, offering policies that are geared to respond specifically to cyber-related bodily injury and property damage. It remains to be seen how this growing exposure will be addressed.

The “Liability” or Third-Party coverage provided by typical cyber insurance applies to claims first made during the relevant policy period involving allegations of damages due to a cyber or privacy incident. Liability cyber insurance functions much in the same manner as traditional third-party errors and omissions insurance. Like other professional liability forms, a cyber policy’s liability insurance typically covers the following liability expenses: the costs of the legal fees to defend third-party lawsuits; costs of electronic discovery; class action administration costs; and judgments and settlements, often including substantial plaintiff attorney fees. For companies defending a third-party cyber lawsuit, a sound defense strategy will contemplate indemnity rights and recovery efforts.

Two noteworthy extensions exist to the Liability coverage. First, “Regulatory Coverage” extends the Liability coverage so as to also respond to investigations brought by regulators—such as the Office of Civil Rights at the Department of Health and Human Services, the Federal Trade Commission, the Securities and Exchange Commission, and state attorneys general—arising out of a cyber or privacy incident. With this extension, defense costs are covered not only for civil actions, but also for an investigation by such regulators. Coverage may also extend to any fines and penalties to the extent they are insurable under State Insurance Law. As regulators are becoming more aggressive in investigating data breaches and levying fines on affected companies, this coverage has become increasingly important.

The other extension to the Liability coverage is coverage for the assessments of contractual fines by credit card brands for failure to comply with the Payment Card Industry Data Security Standards (“PCI-DSS”). Such fines include the costs of reissuance of affected credit cards and the reimbursement for fraudulent transactions to affected consumers. This coverage is becoming more important as it becomes evident that breaches affecting large amounts of consumer payment card information will result in mass reissuance of cards and substantial reimbursement of fraudulent transactions to the consumers by the card brands, which pass those costs back to the liable party.

First-party “Event Response” coverage usually applies in response to an actual or suspected cyber or privacy incident first discovered during the policy period. Typical first-party coverage includes coverage for the following: forensic investigators to determine the scope of the cyber or privacy incident; a law firm to act as breach counsel to advise the insured of its obligations arising from any breach of sensitive data; costs of notifying affected individuals; a public relations firm to provide advice on whether and how to make public statements; credit and/or identity monitoring; and call center support. Cyber policies will help to stem an event but do not correct or remediate technical problems or provide the upgrades necessary to prevent future data breaches.

“Business Interruption,” also referred to as Network Interruption, covers lost net income and extra operating expenses resulting from a material interruption of an insured’s business as caused by a security failure. The business interruption coverage usually applies after the greater of: i) a dollar amount of loss (the retention), or ii) a “waiting period” has elapsed.

“Cyber Extortion” will cover the costs to assess the cause and validity of privacy and security related threats and any monies paid to end such threats. Privacy threats involve attackers who claim to be able to disclose confidential information. Security threats involve attackers who claim to be able to commit or further an attack against a network.

Cyber insurance is evolving just as fast as technology. What is considered core coverage today was not available as little as three years ago, and enhancements to coverage are being negotiated in the marketplace every day.

Increasing Front-End, Pre-Breach Loss Prevention Services

To provide valuable and differentiating policy enhancements, a number of insurers currently offer preventative tools and consultative solutions to insureds that bind a cyber policy. Loss prevention services may include (i) infrastructure vulnerability scanning, (ii) cybersecurity risk assessment, (iii) “dark net” mining and monitoring, (iv) generation of third-party vendor security ratings, (v) isolation and “shunning” of malicious IP addresses, (vi) mobile apps which provide news, claims data, and related information, and (vii) online employee education and training. These preventive tools, when properly implemented and utilized, provide an additional line of defense in the prevention and mitigation of cyber incidents.

How Much Coverage Is Appropriate?

Almost every purchaser of cyber insurance buys the liability and the first-party coverage for the value of data; the majority—about four-fifths—also buys the first-party coverage for the costs of investigating an incident and coverage for extortion demands. Roughly half of buyers are purchasing the business interruption coverage. As companies evaluate the current and future dependency on computer systems to run their business, they should re-evaluate whether they are purchasing the right types of cyber coverage, not only the right amount.

Because these factors vary from one organization to the next, the cost of cyber insurance will vary from organization to organization. Nevertheless, reports estimating the costs of a data breach—the leading type of loss in the cyber insurance space—are relatively easy to find. Many estimates assess costs in relation to records exposed. The NetDiligence 2014 Cyber Claims Study pegs the maximum cost per record at $33,000 (the average was $956.21, and the median $19.84). In May 2014, the Ponemon Institute published a report entitled “Cost of Data Breach Study,” a global survey of 1,690 information technology, information security, and compliance professionals from 314 organizations, all of whose companies had experienced cyber breaches. The widely cited Ponemon report concluded that the average per-record cost of a breach in the U.S. was $201 in 2014, up from $188 in 2013. The report went on to peg the average cost of a U.S. data breach at $5.85 million.

These figures should be used as a reference point for potential median data breach losses, and they should be part of a broader review of the risk a company has to cyber exposure from both unavailability of its computer system/data and repudiation of its computer based communications.

While there is no simple answer to the amount of cyber insurance an organization should buy, some important factors to consider include: the size of the insured entity; the amount of sensitive data stored; the industry; the degree of potential reputational risk; organizational resiliency; the degree of regulatory attention paid to the company; threat vectors—for example, state actors or cyber activists (also referred to as “hacktivists”)—and of course the company’s own risk appetite.

The evolving nature of the cyber insurance marketplace means the adequacy of cyber insurance should be evaluated on an annual basis and that new insurance tools and offerings should be fully considered. Companies should work with their brokers or other specialized insurance professionals to consider the differences in insurance products offered across the market at the time of placement. Consideration should be given to the differences in coverages and offerings between carriers, the availability and strength of any loss prevention services offered by the carriers, and each carrier’s commitment to a company’s sector.

To view this white paper in its entirety, please visit: https://www.symantec.com/content/en/us/enterprise/white_papers/what-every-ciso-needs-to-know-cyber-insurance-21359962-wp.pdf

Robert Jones of AIG
Robert J. Jones is the Global Head of Financial Lines, Specialty Claims, at AIG. Robert is responsible for claims within the Cyber, Technology, Media, Fidelity and Kidnap & Ransom lines of business. Robert has developed Financial Lines expertise through a variety of technical and managerial roles in Claims, Reinsurance and Underwriting. Robert began his career at The Travelers in 1989 and joined AIG in 1992. Robert received a B.S. from the State University of New York at Binghamton.

About AIG
American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 100 countries and jurisdictions. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.