By

On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining Victoria Hale, General Counsel of the Denver Employees Retirement Plan, and pension attorney Chris Waddell.  We emphasized that the cyberinsurance procurement process is unique as compared to the renewal of traditional lines.  The coverage is highly negotiable and definitely not one-size-fits-all.  Here are a few pension-fund specific tips.

First, make sure intentional employee misconduct is covered.  Insider misuse is among the most prevalent causes of data breaches for financial and public institutions.  Yet, because cyberinsurance forms largely trace their roots back to commercial general liability policies, some of them still contain the traditional ‘intentional acts’ exclusion that bars coverage for an insured’s intentional misconduct.  To make sure that your policy covers one of the most common breach causes, push back on this exclusion.  Carriers will typically agree to a carve-out for ‘rogue employees,’ or will limit the definition of “insured” to employees only when acting within their scopes of employment.  Either should leave coverage in tact when employees purposefully misbehave.

Second, be wary of cyber-endorsements to E&O and D&O policies.  These endorsements are presented as low-cost alternatives to stand-alone cyberinsurance, but, as I covered here, you may be purchasing dangerously limited coverage.  Many of these endorsements cover only third party risks – i.e., the class action lawsuit filed by individuals whose data has been compromised.  This is likely not the most significant risk faced by funds.  In fact, the most expensive elements of a data breach for public and financial institutions are legal advice for breach notification, forensic IT work to identify the problem and fix it and the breach notification itself, which generally costs $2-3 per notice recipient.  Cyber-endorsements can be inexpensive, but they are only valuable if they contain an appropriate mix of first and third party coverages, the former of which must include breach coaching, IT response and breach notification.

Continue reading

By

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010 infiltration of a computer virus called “Stuxnet” into Iranian networks that controlled nuclear subterfuges.  The virus caused them to spin out of control, destroying about 20% of them.  Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks on that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber-coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to exponentially exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to anonymously effectuate.

The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether coverages and limits are still appropriate for cyber and traditional coverages.  This will get physical.

 

By

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap by, in addition to covering the relatively standard range of cyber risks, including the ability to add coverage for cyber events that cause physical damage to people or property.

Continue reading

By

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.

Continue reading

By

For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies.  On October 25, 2016, the Northern District of Alabama issued a decision in Camp’s Grocery, Inc. v. State Farm, one of the few decisions interpreting cyber coverage to date, that demonstrates why insureds should be wary of opting for cyber endorsements instead of stand-alone policies.  Docket No. 4:16-cv-0204, 2016 WL 6217161.

Camp’s had a series of no good, very bad days.  First, hackers accessed its network and compromised customers’ credit card, debit card and check card information.  Yipes.  Then, three credit unions sued Camp’s to recover card reissuance, fraud reimbursement and fraud prevention expenses.  Double yipes.  Finally, Camp’s tendered the claim to State Farm, which informed Camp’s that the Computer Programs and Electronic Data Extension of Coverage and related endorsements to its property and casualty policy only covered Camp’s first party data breach losses.  The endorsements did not cover, in State Farm’s view, third party liability claims like the credit unions’.

The court agreed.  It held that State Farm and no duty to defend or indemnify Camp’s with respect to the credit union lawsuit.  It explained that “[i]nsurance contracts generally are assigned to one of two classes: either ‘first party coverage’ or ‘third party coverage’…’First party coverage’ pertains to loss or damage sustained by an insured to its property…In contrast, if the insurer’s duty to defend and pay runs to a third party claimant who is paid according to a judgment or settlement against the insured, then the insurance is classified as ‘third party insurance.’  Thus, wholly different interests are protected by ‘first-party coverage’ and ‘third-party coverage’.”  In holding that Camp’s endorsements offered only first party coverage, the essentially held that Camp’s had no coverage since it was only attempting to deal with the credit unions’ third party claims.

Continue reading

By

First, I have to say that Paul Stockman at McGuireWoods has beaten me to the punch in his article, “Cyber Risk ‘IRL’.”  So, read that.

Stockman addresses a coverage issue I’ve noted in cyber policies across carriers.  They tend to say something like: “The Company shall not be liable for Loss on account of any Claim or for any Expense…for bodily injury…or damage to or destruction of any tangible property.”  Carrier’s position: If the data breach or malware attack causes an explosion, that’s on somebody else.  My take – well, it would depend on the facts, the policy wording and the state of the law in the relevant jurisdiction.  Of course.

It’s now clear, however, that cyber attacks can do more than corrupt and steal electronic data.  Cyber attacks can also result in machine malfunctions that cause physical harm ‘IRL,” or “in real life.”  Consider a hacker taking control of an HVAC system, or a car or a nuclear centrifuge (it separates uranium isotopes to make nuclear bombs).  The result: IRL, broken stuff, injured people damage.

Continue reading

By

The struggle to identify appropriate policy limits continues to frustrate many in the market for cyberinsurance.  So does the difficulty involved with comparing premiums across policies offering coverage terms with a lot of variation.  But publicly available data continues to improve, and this piece from the folks at Cyber Data Risk Managers is particularly interesting.  CDRM shared data on 34 actual clients’ premiums and limits based on industry and annual revenue.  Among the highlights:

Highest Revenue: A pharmaceutical benefits management company with annual revenues of $4B bought a policy with a $5M limit for a premium of $84,000.

Highest Limits:  A data storage center with annual revenues of $15M bought a policy with a $20M limit for a premium of $120,000.

Continue reading

By

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016.  There lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

  1.  Revise your privacy policy to comply with the new requirements/language.
  2. Select a third-party dispute mechanism to handle complaints from EU data subjects.
Continue reading

By

Here is how it is supposed to work.  Something bad happens.  You’re insurance company pays for it.  Then, your carrier sues the bad guy who harmed you.  That’s subrogation.

In the data breach context, this timeless construct presents numerous challenges.  The most notable is the difficulty associated with finding the bad guys.  But that isn’t your problem.

The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem.  You probably pay a monthly fee.  Depending on the size of your company, that fee is probably a modest amount.  For smaller organizations, it might only be $20 or so per month.  Now, consider what this vendor is holding – all of your data.  Yikes.

Continue reading