This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation. I’ve included the full publication on my Resources page.
Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public. This is our world.
Somewhat like higher education institutions, public pension funds and other institutional investors are at the center of the bulls-eye, as they may maintain all three types of information. In my home town, Philadelphia, we saw it in 2011. A Philadelphia Public School Pension Fund employee mistakenly posted an unencrypted file on a public website, compromising the personal information of over 2,000 members. It was unclear how much of that data was actually accessed or misused.
In 2014, the Arizona State Retirement System suffered a considerably larger data breach, again without the kind of hacking attack that most associate with data breaches. The ASRA had sent two unencrypted computer discs to a dental benefits company. The discs contained personal information for over 44,000 members, but the discs never arrived. The ASRA spent almost $300,000 to ensure that the information on the discs was not obtained and misused by a third party. Again, it did not appear that any of the information was misused.
That, however, was not the case this June, when hackers infiltrated at least 91 City of Chicago municipal employee retirement accounts and drew fraudulent loans in excess of $2.6 million. That same month, hackers stole the personal data of over a million Japanese citizens from the country’s pension system.
When, not if.
It has become increasingly accepted that a director, whether of a public or private enterprise, has a duty to ensure that his or her enterprise has protections and policies in place for cybersecurity. There is also an apparent trend to formalize these requirements by regulation in particularly vulnerable industries, as is happening in New York in the financial and insurance industries.
It is equally settled that the best laid plans of mice and men will in this context most definitely go awry. Enterprise risk management must therefore include both front-end security and back-end risk transfer mechanisms, such as stand-alone cyberinsurance.
Cyberinsurance generally offers first-party coverages that enable an insured to pay the considerable costs associated with identifying the source of a breach, mitigating the breach and complying with legal notice, credit monitoring and other potential post-breach obligations. These policies also offer coverage for cyberextortion, the ransomware events that have made so many headlines in the healthcare industry, in addition to public relations coverage to address negative post-breach press. Most carriers also have available digital asset coverage, to cover the cost to restore corrupted or lost data, and business interruption insurance to address losses caused by network down time or other security-related incidents. While not all of these first-party coverages are appropriate for every entity, many believe that some combination of them is as or more important than the third-party liability type coverages that more closely resemble commercial general liability coverage.
Cyber policies do provide these third party coverages, such as coverage for liability and defense in the event of a lawsuit by data subjects – the folks whose information was compromised. These policies also offer regulatory coverage, as government agencies have increasingly taken an aggressive role in investigating breaches and assessing substantial penalties against breached entities.
These basic coverage elements are fairly well understood at this stage in what is becoming an increasingly mature market. Not quite 20 years old, the cyberinsurance market generated almost $3 billion in premiums last year. Many project that this figure will reach $5 billion or more by 2020. Few doubt that this market will eventually run parallel to the traditional property insurance market that generates $100 billion in annual premiums.
Given the maturation of the market and the influx of new carriers into it, it has become increasingly important to have a deeper understanding of cyber coverage beyond the fact that it is a necessity. Forms and language vary widely from carrier to carrier, and there is a wide range of products purporting to address cyber risk.
Not all products are created equal. A key misconception is that endorsements to other policies, such as professional liability policies, provide sufficient protection. While these endorsements can often be inexpensively added to traditional coverages, you get what you pay for. On October 25, 2016, one of the few courts to address cyber coverage to date specifically ruled that endorsements to property and casualty policies provided only first party, and not third party defense or indemnity coverage, after a grocery store chain was hacked and sued by various credit unions. Camp’s Grocery, Inc. v. State Farm Fire & Casualty Co., 2016 WL 6217161 (N.D. Ala.). Endorsements to other lines must be closely scrutinized, with a working assumption that they offer only limited or partial coverage for cyber risk.
Another area that is sometimes misunderstood is the relative value of data, with many assuming that financial information is the most valuable. Credit card numbers and bank account numbers, however, can be changed. The value window of that data is therefore small. Health information, on the other hand, may never change and is the most valuable data. For entities maintaining this information, cyberinsurance underwriters will want to see this data segregated from other less valuable data, with greater controls in place to limit access to it. Premiums will depend in large part on these protections and the number of records maintained by the insured.
To make a final, but critical point, insureds must carefully review exclusions that relate specifically to cybersecurity measures. Entities should be extremely wary of any exclusion requiring “reasonable” security or that speaks to specific security controls. Good policies will not include these types of exclusions because underwriters understand that what is reasonable or required today will change tomorrow, if not later today. And speaking as a lawyer, the last thing I would want for a client post-breach is a dispute with an insurer about whether security controls were reasonable.
The cyberinsurance procurement process is unique. Policies must be read. Language can be and is often negotiated. Form policies have greatly improved, but many of the provisions in them are new, have not been tested in court or have never been applied in the rapidly evolving digital landscape. Take advantage of this moment in time to work with carriers and brokers to tailor policies to your entity’s needs so that when, not if, a breach occurs, your policy is ready to respond.