Brokers: You Really Need to Know About Cyber Insurance
Legislative and Regulatory Update
by Amy Roberti – Council of Insurance Agents and Brokers
(edited for the Insurance Advocate®)
Where there’s smoke there’s fire—and where there’s a crisis, there are state and federal lawmakers and regulators trying to be helpful. Major data breaches are in the news every day in both the private and public sectors. Experts are telling us we could experience a massive cyber terrorist event that could cause major market disruptions, and even physical damage to property and critical infrastructure. The general public is at the mercy of villainous cyber criminals who could cripple society with one malicious click of a mouse. So it makes sense that Congress and state and local governments would take a look at this risk and explore ways to help prevent cyber crime. They’ve even been looking at the burgeoning cyber insurance market and how cyber insurance could—as insurance has done throughout history with every type of coverage—encourage better, safer cyber behavior. To add to the frenzy, jurisdiction over cyber issues is broad. While legislation with the greatest chances of success has come out of the House and Senate Intelligence and Homeland Security Committees, approximately 15 committees in Congress have claimed at least some jurisdiction over cybersecurity issues. These include House Energy & Commerce and Senate Commerce; House Financial Services and Senate Banking; Science, Agriculture, Armed Services; and others…not to mention the Administration and the States. Here’s a little taste of what they’ve been up to.
CONGRESS
Since January 2015, the 114th Congress has seen a flood of data and cybersecurity bills introduced; however, most have failed to gain traction. The bills that are currently in play with the most potential to move forward are the cybersecurity information sharing bills—two have been passed by the House and one is under consideration in the Senate. In late April, the House voted on and passed two information sharing bills: HR 1560, the Protecting Cyber Networks Act, sponsored by Rep. Devin Nunes (R-CA), chair of the Intelligence Committee, and HR 1731, the National Cybersecurity Protection Advancement Act, sponsored by Rep. Mike McCaul (R-TX), chair of the Homeland Security Committee.[1] The goal of information sharing legislation is to help the public and private sectors, through a reciprocal process of sharing cyber threat indicators, improve their cyber defenses.
Progress on information sharing legislation has been slower in the Senate. The legislation with the greatest chance of success is S. 754, the Cybersecurity Information Sharing Act (CISA), which passed the Senate Intelligence Committee in April. CISA is sponsored by Intelligence Committee Chairman Richard Burr (R-NC) and has bipartisan support. This legislation would establish a process for reciprocal sharing of cyber threat indicators between the public and private sectors through the Department of Homeland Security.
This legislation would provide liability protections for private entities that share and/or receive such cyber threat indicators through this process and would exempt that data from Freedom of Information Act (FOIA) requests.[2] CISA faces opposition from privacy advocates who fear that this is essentially a surveillance bill that allows the federal government to collect even more sensitive personal information on individuals.[3]
In June, Senate Republican leadership tried to add CISA to the National Defense Authorization Act (NDAA). That move was blocked, however, when the Senate voted 56-40 in favor of opening debate on CISA as an amendment to the NDAA, four votes short of the 60 needed to invoke cloture.[4] In a final attempt to vote on CISA before the August recess, Senate Majority Leader McConnell filed cloture on CISA on August 3. Ultimately, Republican and Democratic leadership were unable to agree on a finite number of amendments, the clock ran out, and CISA was pushed to September or later.
Legislation creating one uniform, national standard for data breach notification would be a likely next candidate for action once information sharing is addressed.[5] Lawmakers could also attempt to attach a data security bill to a larger cybersecurity bill. There is considerable support from the business community to create such a standard, because the 47 disparate state reporting laws and regulations can make compliance burdensome and confusing for companies that have experienced a breach that affects consumers across multiple states. The House Energy and Commerce Committee passed a data breach bill, HR 1770, the Data Security and Breach Notification Act, which provides rules for how companies must protect personal data and notify customers if it is stolen. Republicans are still fine-tuning the measure, trying to win Democratic support. Notably, the bill passed out of committee on a party line vote, without the support of its only Democratic cosponsor. Any legislation that pre-empts state law, however, always faces a steep uphill battle in Congress and we are not likely to see action on such legislation this Congress.[6]
Hearings on cyber threats and the state of data security in the United States in various sectors, including two hearings on the breach at the Office of Personnel Management that exposed personnel records of tens of millions of federal employees, have continued throughout the year. Over two dozen cyber and data security-related bills have been introduced. We can expect to see many more cyber-related bills and hearings, as the issue straddles an astounding 15 committees in the House and Senate.
WHITE HOUSE
The White House has been active on the cyber front as well. On January 13, 2015, President Obama sent three cybersecurity and data breach legislative proposals to Congress. Those included Enabling Public-Private Sector Information Sharing; Modernizing Law Enforcement Authorities to Combat Cyber Crime; and Creating a National Standard for Data Breach Notification.[7] In early February, the President announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC)—based out of the Office of the Director of National Intelligence—which will “be a national intelligence center focused on ‘connecting the dots’ regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers.”[8]
On February 13, President Obama also convened a summit on “Cybersecurity and Consumer Protection” at Stanford University where he signed an Executive Order (EO). The EO, Promoting Private Sector Cybersecurity Information Sharing, encourages the development of Information Sharing and Analysis Organizations (ISAOs); develops a common set of voluntary standards for information sharing organizations; clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations; streamlines private sector companies’ ability to access classified cybersecurity threat information; and “ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties.”[9]
DEPARTMENT OF HOMELAND SECURITY
For the past several years, the Department of Homeland Security (DHS) has been bringing together insurance carriers, brokers, consumers, Chief Information Security Officers, and critical infrastructure to talk about cyber threats and how cyber insurance can and should play a role in both mitigation and recovery. During the first four workshops, there was talk about creating a cyber incident repository to meet the industry’s need for data on cyber risk. Despite the interest, DHS has no intention of establishing such a repository and instead hopes that by facilitating discussion among the private sector, some sort of private sector repository (or several repositories) may emerge.
In February of this year, the National Protection and Programs Directorate (NPPD) at DHS established a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:
1. The value proposition for a cyber incident data repository;
2. The cyber incident data points that should be shared into a repository to support needed analysis;
3. Methods to incentivize such sharing on a voluntary basis; and
4. A potential repository’s structure and functions.
In July, the NPPD circulated a white paper entitled “The Value Proposition for a Cyber Incident Data Repository.” The white paper is the culmination of the first charge. The CIDAWG will explore and report on the other three topics next.[10]
TREASURY DEPARTMENT
The Treasury Department and the Federal Insurance Office (FIO) convened a meeting in November 2014 of mid-market carriers and brokers to talk about cyber insurance. FIO Director Michael McRaith proposed two ideas: (1) FIO wants to develop underwriting “principles” for cyber insurance policies; and (2) FIO wants to get more involved in risk mitigation. Director McRaith has stated that the federal government fully supports the insurance industry as they try to better protect themselves and quickly adapt to the ever-changing cyber threat landscape. Another Treasury official also indicated that Treasury is concerned there are no underwriting standards for cyber insurance. Given this concern, Treasury and FIO have been paying close attention to the burgeoning cyber insurance market.[11] Cyber is a regular topic of discussion at the Federal Advisory Committee on Insurance.
STATE INSURANCE COMMISSIONERS
The National Association of Insurance Commissioners (NAIC) formed a new Cybersecurity Task Force at their November 2014 meeting. This was the first foray into cybersecurity for the state regulators as a whole. The NAIC has been mainly focused on three areas:
1. Protecting their own data
2. Making sure that the entities they regulate are adequately protecting their own data
3. Monitoring the development of the cyber insurance market
The Cybersecurity Task Force, chaired by North Dakota insurance commissioner Adam Hamm, drafted a “Cybersecurity Bill of Rights” which outlines consumer “rights” regarding their personal, private information, how it should be handled, and what they are entitled to in the event that information is compromised.[12] The Task Force anticipates that the Bill of Rights will be distributed to consumers by their state insurance commissioners, but many companies and trades in the insurance industry have concerns that it could create consumer confusion by outlining so-called “rights” that are not codified in every (or any) state laws or regulations. The NAIC also intends to use portions of the Bill of Rights to update their model laws on privacy.
On April 16, the Cybersecurity Task Force adopted the “Principles for Effective Cybersecurity Insurance Regulatory Guidance.” These twelve principles outline the types of safeguards regulators expect insurers and producers to have in place to protect consumer information from cybersecurity breaches.[13]
STATES
Forty-seven states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have established “data breach notification” laws to better inform consumers when their personal information has potentially been stolen or compromised. While each statute varies, the laws generally require entities that own, license, or process personal information to notify affected parties when personal information is, or is believed to be, acquired without authorization. Many states make exceptions to notification requirements if the breach is not believed to have caused the affected party harm. State data breach notification laws establish standards on who gives and receives the notice, what information is considered personal or private information under the law, methods and timing for conveying the notice, and content requirements that must be contained in the notice, and they provide penalties for non-compliance with the law. California was the first state to implement a state data breach notification law, and many states have utilized its model to implement their own law. Below, we have highlighted three states as an example of the variance found in the individual state data breach notification laws.
California
Covered entities under California’s state data breach notification law are any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information. California defines a “breach of the security of the system” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” The law does not contain a specific risk of harm analysis whereby an entity would not have to give notice should no harm be done to the person whose information was compromised. A notice of breach must be made in the most expedient time possible and without unreasonable delay. Notice may be provided via written, electronic, or a substitute notice. Substitute notices can be utilized if the breached company can demonstrate that the cost of providing breach notices exceeds $250,000 or more than 500,000 individuals were impacted. Substitute notices require the breached entity to send email notices to any individual for whom they have an email address, post on its website, and notify major statewide media. California allows a private right of action for affected individuals to recover damages.[14]
New York
Covered entities under New York’s state data breach notification law are any person or business which conducts business in New York state, and that owns or licenses computerized data that includes private information. Service providers are also covered. Any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization is required to be notified. The law does not contain a specific risk of harm analysis, although the definition of “breach” may incorporate risks. A notice of breach must be provided “in the most expedient time possible and without unreasonable delay.” Further, the notice can be provided to the affected person via written, electronic (if consent is given), or telephone notice. A “substitute notice” is allowed if the cost to provide notice exceeds $250,000 or over 500,000 individuals are involved in the breach. New York does not allow a private right of action for affected individuals.[15]
Florida
In Florida, covered entities include any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. In the event of a breach at a third-party service provider (e.g., a credit card processing company), the third party is required to notify the covered entity within ten days. The covered entity is then required to provide breach notifications to the affected individuals. Florida does not require breach notifications “if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.” Notices must be made “as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred.” A notice to an affected individual can be sent via written notice or via email. Florida allows substitute notices similar to California and New York. Florida’s statute allows state enforcement for violations of the breach notification law but does not allow private rights of action.[16]
These are just three examples out of more than 47. Unless and until there is a single, uniform national standard for data breach notification, the variances in each state law make it absolutely essential that an entity that has experienced a breach of consumer data consult with legal counsel and law enforcement to ensure they are complying with the law in every state in which there are affected consumers.
ABROAD
Although many cyber insurance policies are written out of Lloyd’s of London, the majority of UK businesses lack proper cyber insurance protection. According to a report by The Corporate Executive Programme, only 13% of large and mid-sized businesses in the UK have cyber insurance, compared to 40% in the United States.[17] Additionally, a joint report by Marsh and the government found that only 2% of all businesses in the UK had cyber insurance, although 81% of companies reported that they have suffered a breach in the past 12 months.[18]
In the United Kingdom, the government, in partnership with the insurance sector, launched a Cyber Essentials Scheme intended to make the UK the global leader in cyber insurance while also encouraging better cybersecurity practices among businesses. A pillar of the Cyber Essentials scheme would see brokers adopt Cyber Essentials (CE) accreditation while performing risk assessments for small and mid-sized businesses. Similar to the NIST Cybersecurity Framework in the US, Cyber Essentials is a foundation for basic cyber hygiene best practices for all types of organizations to adopt and build upon.[19]
Take-up rates among UK businesses have remained low even while the average cost associated with a data breach for large companies has doubled since 2014, from $2.2 million to $4.7 million, according to a June PricewaterhouseCoopers report.[20] Increased costs have led a number of industry experts to call for a government backstop for the sector. In July, Tom Bolt of Lloyd’s outlined the need for a backstop to limit the threat to insurer solvency if multiple businesses across multiple industries were to suffer a cyberattack at once.[21] Bolt’s statements were further substantiated by an August report from Long Finance, which argued that a public/private reinsurance scheme should be implemented to manage growing cyber threats.[22]
The European Union (EU) has been working on a data breach protection law, which would require organizations to notify those affected by a breach within 72 hours. Additionally, the proposed legislation would make it possible for organizations to be fined if it is concluded that negligence was the cause of the data breach.[23]
[1] Eric A. Fischer and Stephanie M. Logan, Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 as Passed by the House (CRS Report No. R43996) (Washington, DC: Congressional Research Service, 2015), 1-29, http://fas.org/sgp/crs/misc/R43996.pdf.
[2] Cybersecurity Information Sharing Act of 2015, S.754, 114th Congress, 1st Sess. (2015).
[3] Nadia Kayyali, “Stop CISA: Join EFF in a Week of Action Opposing Broad ‘Cybersecurity’ Surveillance Legislation,” Electronic Frontier Foundation, July 27, 2015, accessed September 1, 2015, https://www.eff.org/deeplinks/2015/07/stopcisa-join-eff-week-action-opposing-cyberspying-0.
[4] Cory Bennett, “Senate Democrats block cyber amendment,” The Hill, June 11, 2015, accessed June 11, 2015, http://thehill.com/business-alobbying/244723-senate-moves-to-enddebate-on-cyber-amendment.
[5] Amy F. Davenport and Norma M. Krayem, “Data Breach Legislation Continues To Be A Congressional Priority,” The National Law Review, May 11, 2015, accessed September 1, 2015, http://www.natlawreview.com/article/databreach-legislation-continues-to-becongressional-priority.
[6] National Association of Attorneys General to the Congressional Leadership, July 7, 2015, http://www.naag.org/assets/redesign/files/signon-letter/Final%20NAAG%20Data%20Breach20Notification%20Letter.pdf.
[7] “Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts,” The White House, accessed January 20, 2015, https://www.whitehouse.gov/the-pressoffice/2015/01/13/securing-cyberspacepresident-obama-announces-newcybersecurity-legislat.
[8] The White House, Fact Sheet: Cyber Threat Intelligence Integration Center, February 25, 2015, https://www.whitehouse.gov/the-pressoffice/2015/02/25/fact-sheet-cyber-threatintelligence-integration-center.
[9] The White House, Executive Order – Promoting Private Sector Cybersecurity Information Sharing, February 13, 2015, https://www.whitehouse.gov/the-pressoffice/2015/02/13/executive-order-promotingprivate-sector-cybersecurity-information-shari.
[10] Department of Homeland Security, The Value Proposition for a Cyber Incident Data Repository: Enhancing Resilience Through Cyber Incident Data Sharing and Analysis, June 2015, http://www.dhs.gov/sites/default/files/publications/dhs-value-proposition-white-paper-2015.pdf.
[11] Mark Hollmer, “Feds Support Insurers Seeking Protection From Cyber Attacks,” Claims Journal, April 9, 2015, accessed April 14, 2015, http://www.claimsjournal.com/news/national/2015/04/09/262735.htm.
[12] “Cybersecurity Bill of Rights,” The National Association of Insurance Commissioners, http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_draft_cybersecurity_bill.pdf.
[13] Caitlin Bronson, “Regulators issue cyber security guidelines for insurers and producers,” Insurance Business America, April 21, 2015, accessed April 22, 2015, http://www.ibamag.com/news/regulatorsissue-cyber-security-guidelines-for-insurersand-producers-22176.aspx.
[14] Cal. Civ. Code §§ 1798.29, 1798.80 et seq.
[15] N.Y. Gen. Bus. Law § 899-aa.
[16] Fla. Stat. Ann. § 501.171.
[17] Warwick Ashford, “UK lags US in cyber insurance, study shows,” Computer Weekly, February 9, 2015, accessed February 17, 2015, http://www.computerweekly.com/news/2240239989/UK-lags-US-in-cyber-insurancestudy-shows.
[18] HM Government and Marsh Ltd, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, March 2015, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf.
[19] HM Government, Cyber Essentials Scheme (London: Crown Copyright, 2014), https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317480/Cyber_Essentials_Summary.pdf.
[20] HM Government, PwC and InfoSecurity Europe, 2015 Information Security Breaches Survey (London: Crown Copyright, 2015), http://www.pwc.co.uk/assets/pdf/2015-isbsexecutive-summary-02.pdf.
[21] “Government cyber backstops needed: Lloyd’s,” Reactions, July 13, 2015, accessed July 16, 2015, http://www.reactionsnet.com/Article/3470524/Government-cyber-backstops-neededLloyds.html?ArticleID=3470524.
[22] “Public, private cyber catastrophe reinsurance scheme would add clarity to U.K.’s cyber insurance market, encourage take-up: report,” Canadian Underwriter, July 31, 2015, accessed August 5, 2015, http://www.canadianunderwriter.ca/news/public-private-cyber-catastrophe-reinsurancescheme-would-add-clarity-to-u-k-s-cyberinsurance/1003742884/?&er=NA.
[23] Sarah Veysey, “European Union gets serious about data protection,” Business Insurance, August 2, 2015, accessed August 5, 2015, http://www.businessinsurance.com/article/20150802/NEWS06/308029995/upcomingeuropean-union-data-protection-lawtightens-cyber-breach?tags=|75|83|302.
Amy Roberti – Council of Insurance Agents and Brokers
Amy Roberti is Vice President of Industry Affairs at the Council of Insurance Agents and Brokers. She is responsible for analyzing commercial property/casualty and group health insurance market conditions, macro and micro events, and issues and trends impacting insurance brokers. Prior to joining the Council, Roberti spent 10 years in Liberty Mutual’s Office of Federal Affairs, working as one of their top lobbyists in Washington, DC. She has worked on an extensive portfolio of federal and international issues including international regulation and trade, terrorism risk insurance, flood insurance, workers’ compensation, health care and employer-sponsored benefits plans, surety bonding and cybersecurity. A graduate of Penn State University, Roberti holds an MBA from Georgetown University and earned the Chartered Property Casualty Underwriter (CPCU) designation in 2011.
About The Council of Insurance Agents & Brokers
The Council of Insurance Agents & Brokers is the premier association for the top regional, national and international commercial insurance and employee benefits intermediaries worldwide. Council members are market leaders who annually place 85 percent of U.S. commercial property/casualty insurance premiums and administer billions of dollars in employee benefits accounts. With expansive international reach, The Council fosters industry wide relationships around the globe by engaging lawmakers, regulators and stakeholders to promote the interests of its members and the valuable role they play in the mitigation of risk for their clients. Founded in 1913, The Council is based in Washington, DC.
To view this white paper in its entirety, please visit: https://www.symantec.com/content/en/us/enterprise/white_papers/what-every-ciso-needs-to-know-cyber-insurance-21359962-wp.pdf