This article originally appeared in Cybersecurity Law & Strategy.
IT security professionals used to warn that only two types of businesses exist: those that have been hacked, and those that will. Now, many are even more pessimistic and divide the world’s businesses into companies that know that they have been hacked, and those that don’t.
While it is unlikely that every company has experienced a data breach (whether known or unknown), no business is immune from this threat. Cyber incidents have become the third largest risk to businesses worldwide according to a recent report from the Insurance Information Institute. These cyber threats impact both small and large businesses, non-profit and publicly traded corporations, and even local and federal governments. The actors behind these threats are as wide-ranging as their targets. In recent years we have seen state-sponsored attacks against businesses for political purposes, hacktivists seeking social change, and a plethora of individual attacks for financial gain. The recent spate of high profile breaches show that many of these incidents play out very publicly, and may have devastating and long lasting consequences.
Not all is doom-and-gloom, however, and businesses do not have to switch to communicating via carrier pigeon just yet. These high-profile breaches have encouraged many businesses to proactively assess their own cyber liabilities and implement prevention and response plans. Fortunately, there are more technology options available to protect businesses than ever before, and both the U.S. government and private industry have made great strides in understanding and combating some of the most common cyber threats.
As discussed in an earlier article, successfully managing cyber risk begins with acknowledging that it requires attention, resources, and a higher priority than businesses have given it in the past. See, “Cybersecurity Beyond Traditional Risk Management,” InsideCounsel (Sept. 15, 2016). This means not only committing time and resources to preventing breaches, but also to mitigating the effects of a successful breach. Businesses need to consider cybersecurity insurance as the other side of the cyber risk management coin. Businesses should also consider cybersecurity insurance with a different degree of prioritization and attention than “traditional” insurance. Just as traditional risk management approaches may be ineffective for managing cyber risks, viewing cybersecurity insurance as a subset of liability insurance fails to recognize the unique nature of cyber coverage.
An Ounce of Prevention
Cyber insurance is often characterized by high cost and complex coverage terms. Many businesses shy away from purchasing cyber coverage for these two reasons. While cybersecurity insurance is expensive in terms of real dollars, it can also be invaluable. The trick for businesses is to bring down the cost of insurance while maximizing coverage in the right places. Understanding the cybersecurity insurance landscape is a critical first step in lowering cost and ensuring that businesses are adequately protected for a cyber incident.
Insurance companies price coverage based on an actuarial analysis of an insured’s risk. The problem with cyber coverage is that insurers lack the historical data to reliably price cyber risk policies. In a 2016 report, PricewaterhouseCoopers noted that statistical figures regarding the scale and financial impact of cyber attacks aren’t available to insurers. See, “The Promise and Pitfalls of Cyber Insurance.” It is not surprising that insurers err on the side of higher premiums and deductibles when the scope of the risk is uncertain.
Some insurers have turned to more qualitative, rather than quantitative, analyses of potential cyber policy holders. These insurers require detailed self-audit questionnaires and even onsite investigations to analyze an organization’s security culture and potential risk exposure. Businesses that can provide a level of comfort to insurers can see benefits in the amount of coverage offered and the cost of policies. Businesses should take preliminary steps to put their best cybersecurity foot forward prior to seeking cybersecurity insurance coverage.
While we have already discussed some general recommendations for cybersecurity management,there are a few additional items insurers will look for.
Businesses should consider following voluntary standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). First published in 2014, the NIST CSF presents a baseline best practice for cybersecurity. These standards provide strategic guidance centered on five principles related to cybersecurity: Identify, Protect, Detect, Respond, and Recover. Following these nationally recognized and voluntary standards helps insurers more accurately assess risk and reduce cost to the insured.
Businesses should establish an incident response plan. Like the voluntary standards above, it shows insurers that a business has conducted a critical self-assessment and is prepared to mitigate losses resulting from a breach. Even better, businesses should conduct regular vulnerability assessments and penetration testing by third-party vendors to assess security vulnerabilities and be able to demonstrate that they have closed any potential vulnerability.
Maintain Best Practices
It is critically important to remember that cyber insurance is not a replacement for a good cybersecurity culture. It is not only a good idea to maintain cybersecurity best practices, but it is often required. As Cottage Health System learned last year, failing to follow “Minimum Required Practices” may result in cyber coverage being excluded.
The Standardization Problem
Not all cybersecurity policies are created equal; in fact, very few are. “Cybersecurity insurance” is a generic term for a broad variety of coverage for losses due to Internet-related risks. Policies covering cybersecurity incidents first emerged as a product in the mid-1990s. Individual insurers have revised policy terms in reaction to emerging threats and trends over the last two decades. Unlike Commercial General Liability (CGL) insurance, which consists of highly standardized coverage terms that have been interpreted and litigated for decades, there is little consistency between the cybersecurity coverages offered by the major insurers.
Cybersecurity insurance may include an array of coverage for both First-Party (covering losses or expenses to the insured) and Third-Party (covering the insured’s liability to third parties) claims. Common coverages include costs to restore lost or corrupted data, reimbursement for loss of income from business interruption, payment of fines or penalties to regulators, costs to notify customers of a breach, cost of credit monitoring for customers whose information was compromised, liability to third parties for transmissions of malware or viruses, liability to third parties for disclosure of confidential or trade secret information, and even costs of third party vendors such as public relations firms.
Because cybersecurity policies are unique, determining the right coverage requires evaluating the potential risk exposure to a business. A few simple questions can help a business choose the right scope of coverage.
What Customer Data Do I Store?
More and more businesses are leveraging big-data and storing large amounts of customer information. The unauthorized release of a customer’s personal information can be costly. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted legislation requiring consumers to be notified of any breach of personally identifiable information (PII). In addition, where a customer’s private financial data has been compromised, many businesses choose to provide credit monitoring services as a method of mitigating the impact to the customer (and potential liability for the company).
It is not surprising that many of the most expensive cybersecurity breaches in recent years have involved the disclosure of large amounts of sensitive customer information, such as social security numbers, credit card details, and personal health records. Because some cyber insurance policies cover breach notification and credit monitoring costs, a potential insured should assess both the type and volume of customer data that it stores as part of a comprehensive cyber risk assessment. Many policies have sublimits for breach notification and credit monitoring costs, so businesses should carefully analyze these sublimits to ensure that coverage is adequate in this regard. For example, a company with a $500,000 cybersecurity insurance policy may be surprised to learn that it has a sublimit of only $10,000 for notification and credit monitoring costs, which may be totally inadequate.
What Would Happen If My Network Went Down?
Some cyber attacks are designed to overwhelm and disrupt or even disable a network. For others, system downtime is merely an unfortunate consequence of identifying and remediating a breach. The result is the same for the business: reduced productivity and lost income. It can take time to effectively discover and remediate a breach. According to a 2015 study by the Ponemon Institute (2015 Cost of Cyber Crime Study: United States), the average time to resolve a cyber attack was 46 days. This can place substantial financial pressure on businesses that rely heavily on a technology to operate efficiently — or at all. As many cyber insurance policies offer coverage related to business interruption, insureds should evaluate how they may be impacted by a sustained network disruption. Business interruption coverage varies widely and insureds should closely evaluate what is covered (such as lost opportunities or increased operational costs) as well as triggering events for coverage (such as a minimum downtime).
Hackers understand that network downtime is money for businesses. They have exploited this reliance on technology at a staggering rate in recent years through the use of ransomware. In a ransomware attack, cyber extortionists install malware on a system that encrypts and locks digital files. Criminals demand a ransom in exchange for a key to unlock the system. In late November, criminals targeted San Francisco’s light rail transit system. They demanded $73,000 (100 bitcoins) to unlock the agency’s internal computer systems. Instead of paying the ransom, the city allowed users to ride for free over the holiday weekend until the system could be restored from back up files. For organizations without back up files, a ransomware attack can bring business to a standstill. Many businesses are left with no option but to give in to the hackers’ demands. While some small and midsize businesses have reported paying a few hundred dollars to regain their networks, larger organizations have faced larger demands. In February 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom to a hacker in order to regain access to patient files in a high profile breach.
As these cyber attacks have not only grown in number but also sophistication, many cyber insurance policies have begun offering coverage for such payments. Businesses should evaluate the terms of the coverage, which often include strict requirements that the insured must follow, including ensuring that the threat is not a hoax, making “reasonable” efforts to resolve the threat without ransom payment, obtaining C-level approval of the payment, and strict notification requirements to the insurer. Engaging counsel early in a breach process can ensure that such requirements are met.
How Will a Cyber Security Breach Impact My Reputation?
Businesses want to ensure customers that their personal information is safe. Cybersecurity breaches can have immediate and substantial harm on a company’s reputation if not properly managed. For example, UK based telecom provider TalkTalk was hacked in October 2015, exposing the personal details of over 150,000 customers. It soon became public that TalkTalk failed to properly encrypt its customers’ data, allowing a 16-year old hacker to access the information “with ease.” TalkTalk lost nearly 100,000 customers and incurred costs of approximately £45,000 in the months following the hack. When Sony Pictures was hacked in 2015, the headlines were less about the leaked personal information of Sony employees, and more about the release of Sony’s internal emails. The leak caused embarrassment for the company that eventually led to the resignation of key executives.
While cyber insurance does not specifically insure against “reputational risk,” many cyber policies will cover costs associated with mitigating negative media attention. Some policies will cover costs to retain a public relations firm in the immediate aftermath of a breach to assist with advertising or strategic decisions related to communicating the breach to customers and the public. Insurers can often assist with identifying preferred public relations firms, and some policies even require that an insured select a firm from a pre-approved list of vendors.
What Kind of Physical Damage Could a Cyber Breach Cause?
Most cyber insurance policies do not cover property damage or physical bodily injury. The rationale is that these risks are traditionally covered under a separate insurance policy, such as a standard CGL policy. The problem for insureds is that almost all CGL policies specifically exclude cyber-related perils. This leaves gaps in coverage for many businesses. A risk averse and proactive insured who has purchased both CGL and cybersecurity coverage may find itself in a position where it is covered for physical damage and cyber-attacks, but not physical damage from a cyberattack.
These “cyber-physical risks” are real, and growing. In one of the first cyber-physical incidents on record, a computer “worm” affecting the controls of the centrifuges at Iran’s Natanz uranium enrichment plant caused destruction of the equipment in 2010. Several years later, hackers manipulated the control systems of a German steel mill, causing massive damage when a blast furnace could not be properly shut down. While the risks to entities in the energy, power, and chemical industry are readily apparent, other businesses face risks as well. Any brick and mortar storefront could face risks if its fire suppression system is deactivated or impaired. A disabled HVAC system may only seem like an inconvenience, but this can be costly for businesses that have servers in temperature controlled rooms or cooling cabinets.
Some insurers have recently started offering coverage for these cyber-physical risks. These policies have emerged slowly over the last few years, and coverage terms and exclusions vary widely. Most businesses would be well served to consult with a trusted insurance broker or lawyer when reviewing these new polices. It is also highly recommended that whoever is charged with procuring insurance coverage for a business has a good understanding of the company’s network and security controls or involves the company’s IT department so that it can obtain the correct types of coverage and ensure the business’ cybersecurity protocols meet the requirements of the insurer. Otherwise, coverage could essentially be lost.
Changes on the Horizon
Although there is currently very little consistency among cyber insurance policies, this may be changing. Several organizations, such as the National Association of Insurance Commissioners, have emphasized the need for greater standardization in the area of cyber insurance.
The changing nature of cyber threats will continue to present new challenges for insurers. As the “Internet of Things” continues to grow, the definition of “cyber risks” will continue to evolve and may touch every aspect of a business. New threats are also emerging. At a recent presentation by the FBI, a special agent involved in Electronic Crimes Task Force noted that malware in mobile devices may become mainstream in the next five years. If businesses do not implement new security measures to combat this new threat, it’s unclear whether insurers could disclaim coverage under the “Minimum Required Practices” or similar exclusions.
Changes in the legal landscape also pose difficult questions regarding the scope of coverage under existing policies. For example, New York’s Cybersecurity Requirements for Financial Services Companies legislation (23 NYCRR 500), which was substantially revised after input from the industry, requires certain banks, insurance companies and financial services providers to develop and implement a cybersecurity policy and program. The law is now slated to become effective March 1, 2017, and requires that a regulated company’s policies and program are “approved by a Senior Officer.” If the approved policies and program are ineffective in preventing a breach, it’s unclear whether an insured’s certifying Senior Officer may be covered under traditional E&O or D&O policies.
In a future article, we will explore specific types of coverage available and some problematic exclusions.
Sean Cooney is an attorney with Keesal, Young & Logan’s Long Beach office. He focuses his practice on litigation matters in the financial service, mortgage banking and maritime industries. Sean also advises clients on issues related to insurance coverage disputes and cybersecurity. He may be reached at firstname.lastname@example.org.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.