There is an especially large and growing need for cybersecurity insurance:
2. Breaches are costly. (Breach cost estimates vary widely and typically depend on the type and magnitude of data affected. What is clear, however, is that breach cost analysis must include the cost of business interruptions, tangible and intangible customer losses, class action lawsuits, and civil fines. For large breaches this cost can easily run into the millions.)
3. Information technology is too entrenched in corporate processes, and breaches will become part of the business landscape. (That is, most businesses will eventually be hit by some kind of breach or suffer damage from a cybersecurity attack.)
3. Changing legal and regulatory landscape. Class action lawsuits will increasingly make their way through the courts. These will be especially expensive for most companies that have experienced a large breach.
In our view, the changing US legal and regulatory landscape is of special concern. Recent examples include:
July 2015. “To date, an overwhelming majority of courts have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact, an essential element for standing under Article III of the US Constitution. In Remijas v. Neiman Marcus Group, a Seventh Circuit panel disagreed with the analysis of those courts, concluding that customers who have been the victims of data breaches have standing to sue not only after fraudulent charges appear on their cards, but also for an increased risk of future harm and harm-mitigation expenses. Such expenses include lost time and money incurred in resolving fraudulent charges and in protecting against future identity theft, including money spent to purchase credit monitoring. The three-judge panel, led by Chief Judge Diane Wood, has held that an increased risk of future harm resulting from a data breach satisfies the injury-in-fact requirement.” (Source: Amanda Fitzsimmons, law firm of DLA Piper)
Considerations for cybersecurity insurance
While the market for cybersecurity insurance is growing at 30% a year, it is still nascent, and only about 30% of “large enterprises” have some sort of cybersecurity insurance. (Source: Dept. of Homeland Security)
In response, in 2014 the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) conducted workshops focused on improving access to, and the quality of, cybersecurity insurance.
The NPPD identified three areas that contribute to the lack of progress:
1. Insurers don’t have enough actuarial data to adjust premiums based on what security controls and security tools are most effective.
2. In the absence of more cyber risk actuarial data, insurers struggle to conduct proper incident consequence analysis in order to better determine coverage scope and pricing.
3. Lack of broader adoption of Enterprise Risk Management (ERM) practices in end-user organizations. These practices should also include cyber risk assessments, to translate IT-based losses into terms of potential harm to investment, market cap, and reputation.
For contemporary cybersecurity insurance buyers, these limitations may force them into buying cybersecurity insurance policies that include strict measures or “exclusions” which limit payouts from a breach. When exclusions are analyzed post-breach, many adjusters will find that enterprises, prior to any breach, paid lip service to their own security posture in protecting their IT assets. That is, prior to the breach, the insured did not have any of: adequate policies; privacy practices; or physical, technical, or administrative controls surrounding the use of their data. Where some or all of these controls are missing, adjusters could set up an effective trigger for exclusion, i.e., non-payment of claims.
Thus, it behooves both buyers and issuers of cybersecurity insurance to:
1. Promote the adoption of preventative measures in return for more coverage
2. Reduce insurance premiums if there were reasonable controls in place prior to any breach
3. Agree on how “exclusions” could be addressed prior to any breach