Articles Posted in News and Policy

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap: in addition to covering the relatively standard range of cyber risks, they include the ability to add coverage for cyber events that cause physical damage to people or property.

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016.  There is lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

  1. Revise your privacy policy to comply with the new requirements/language.
  2. Select a third-party dispute mechanism to handle complaints from EU data subjects.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high-level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mail scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information.  It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.

To get the nitty-gritty details and RSVP, follow this link.  Hope to see you there!

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance policy can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first-party coverage for data breach response and remediation.

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Hollywood Presbyterian Medical Center recently made headlines when cyber-extortionists prevented access to all electronic patient files for 10 days.  Reports of the hackers’ demands ranged from $3.4 million to 3.4 million bitcoin (over $1.4 billion).  In the end, a $17,000 ransom unlocked the files.  One has to wonder, however, what type of threat to patient well-being persisted during the intervening week and a half due to this historic disruption of a business charged with keeping us healthy, and, in some cases, alive.

A few days ago, the New York Times ran an article by Fred Kaplan about another Hollywood hack – the one in the 1983 film “War Games,” where Matthew Broderick hacked into the United States Military’s defense command system.  The article reports that President Ronald Reagan saw the movie, and it prompted him to pose a question to his highest-ranking advisors: “Could this really happen?”

After General John Vessey, Jr. reported back, “the problem is actually much worse than you think,” Reagan issued the first official U.S. policy statement on cybersecurity…in 1984.  Though Congress overrode the directive due to privacy concerns (30 years ago, they didn’t want the NSA spying on Americans…now…), research leading to the directive revealed that hacking was a known threat as far back as the 1960s.