BreachExchange mailing list archives

The Ever-Evolving Nature of Cyber Coverage


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Sep 2014 18:31:47 -0600

http://www.insurancejournal.com/magazines/features/2014/09/22/340633.htm

To understand the current state of network security and privacy (cyber)
coverage, it is helpful to have an understanding of the development and
some of the major milestones which helped shape the coverage.

The first cyber policy was written in 1997 through AIG by Steve Haase, an
agent who was recently awarded the “Advisen Cyber Legend Award.” Though
groundbreaking as the first to address cyber security, it was a third-party
liability policy only and was basically a “hacker policy.”

Other very early entrants in writing cyber policies included Safeonline,
CIGNA and Marsh. In the subsequent 17 years, internet use has grown from
1.7 percent of the global population in 1997 to an amazing 40 percent of
the global population in 2014, resulting in dramatic changes since the
first cyber insurance policy was written.

Currently, the total premium for cyber liability at year-end 2014 is
projected to be nearly $2 billion. More than 60 carriers now offer
stand-alone cyber policies and more are entering the market all the time.
Many experts in this new field have appeared at the carrier, broker and
wholesale levels. Experts are needed as each market/carrier has its own
form with its own nuances and idiosyncrasies. Definitions for the same
words differ on each policy form as do exclusions, terms and conditions.

Early Developments

In 1997, the original policies covered only third party suits arising from
breaches originating from outside the company. However, studies at the time
showed that over half of all data breaches originated from inside the
company from rogue and disgruntled employees. The markets offering coverage
at that time responded by broadening coverage to cover loss to the entity,
but coverage for loss from the malicious employee was excluded.

This distinction is typically addressed in the definition of employee,
which includes wording such as: “Employee means any individual whose labor
or service is engaged by and directed by the insured.” Because it is
unlikely that an insured would direct an employee to engage in breaching
their own system, the employee acting outside the scope of their employment
would not be an insured under the policy.

Early malicious individuals were not only attacking networks but many were
also gathering information in paper form. The common term for this practice
was “dumpster diving.”

It became evident that if insurance policies were to cover sensitive
information, they needed to be expanded to include exposures beyond the
virtual world of electronic information and cover “real” world losses of
information in paper form as well. The change in policies from covering
only electronic information to covering paper as well resulted in network
security and privacy policies. This small change is a large expansion in
the scope of coverage. The inclusion of complete electronic and paper files
makes cyber policies true security and privacy liability policies.

Another early development of the new cyber product was coverage for
business interruption. Recent research shows that due to the waiting
periods required — eight hours in most cases — these coverages have not had
much loss activity. In many cases during a network outage due to a breach
event, the company quickly reverts to manual systems as a stopgap measure
to continue operating.

Therefore, the actual business interruption loss is primarily a delay in
revenues as opposed to a true loss of income. For instance, just because a
hospital system is down, someone with a broken leg or a gunshot wound does
not have to wait for treatment until the system is back up. Typically, all
the procedures are manually recorded and then input later. In the case of
online retailers, if their site is inoperative, many consumers will just
wait until it is functional again or use an alternate form of communication
such as calling in an order.

Early in the cyber product development cycle, data restoration coverage
could be included in the policy. This coverage has seen little loss
activity because nearly all systems are backed up daily, so restoration
consists of reinstalling the data from the day before and recapturing the
data lost for just a day. Typically, this is not a large expense.

The one instance where data restoration coverage could become critical is
where an employee responsible for the back-up tapes corrupts them for an
extended period of time.

Network Extortion, Breach Notification

In the years around 2004, there were a number of network extortion events.
Network extortion can take different forms but is essentially using the
threat of harm to extort money by using stolen data to threaten the
company’s reputation or by corrupting data on the network.

Consequently, extortion resulting from a network attack became and remains
a separate insuring agreement on policies. Profiting in this manner was
curtailed once the criminals doing the extorting began to be caught by
officials at the point where money physically changed hands. It was much
more profitable and less risky for the criminals to simply sell stolen
information. Extortion activity has again begun to gain some popularity as
anonymous digital currency like Bitcoin makes the money exchange opaque to
law enforcement agencies.

The next stage of development in the history of cyber insurance was the
enactment of state breach notification laws making it mandatory to notify
people if their personally identifiable information is compromised.

California was the first state to enact such a law, which became effective
July 1, 2003. Known as the Security Breach Information Act, or Senate Bill
1386 (SB1386), the statute requires any agency or business that conducts
business in California, and “that owns or licenses computerized data that
includes personal information” to notify affected residents of California
of any security breach if “personal information was, or is reasonably
believed to have been accessed by an unauthorized person.”

Note that “personal information” in the law means an individual’s first
name or first initial and last name in combination with any one or more of
the following: a Social Security number; driver’s license or California
Identification Card number; or account, credit or debit card number in
combination with any security or access code or password.

Since the inception of the California law, all but three states have
adopted similar laws. Slow progress toward a federal law to eliminate the
current patchwork of state law requirements is being made but may be some
years off.

The enactment of notification laws prompted a surge of buying and remains
the major driver of the purchase of cyber coverage. Most of the losses that
have been paid under cyber policies have been for costs surrounding these
state notification laws. The loss is to the insured, not from a liability
suit. It is the cost to investigate and respond to a breach or potential
breach.

Typically included, in addition to notification costs, are the costs for
computer forensics and legal and public relations expenses, which usually
have separate sub-limits. Estimates range from more than $200 to a few
dollars per record. Anecdotally, most underwriters and brokers tend to use
an approximate cost for notification of $15 to $30 per record. This cost,
coupled with forensic, legal and public relations expenses, can quickly
translate into large amounts of money in a breach situation.

Within the last few years most carriers have included fines and penalties
coverage either by endorsement or as an additional insuring agreement.

The typical exposure arises from the payment card industry (PCI) or from a
federal law such as HIPAA for healthcare or Gramm-Leach-Bliley (GLB) for
financial institutions. Originally coverage was for defense only, but
carriers have expanded coverage to include the penalties assessed. Most
carriers include a sub-limit for this coverage.

A Flawed Approach

The rating of cyber coverage has historically been based on revenues. This
is an inherently flawed approach since revenue has little direct
relationship to the actual exposures, which are the cost to identify and
notify individuals with actual or potentially compromised records. For
instance, a healthcare organization that has $50 million in revenues would
have vast amounts of personally identifiable information. On the other
hand, a contractor or manufacturer with the same $50 million in revenues
would have very little personally identifiable information.

Recently, more carrier applications are requesting the number of records
kept by the insureds and prospects to more accurately determine the actual
exposure. Also, there is a trend for carriers’ forms to use the number of
records as a limit for notification in lieu of a dollar amount. Beazley,
AIG, Axis and AWAC are pioneering forms based on the number of records.

Unique Forms

Coverage for bodily injury and property damage is a recent development in
cyber policies. Current general liability contracts are fairly clear that
there is coverage for “bodily injury” arising out of the inability to
access electronic data. Coverage is less clear with regard to property
damage, such as system damage coverage. So far very few carriers are
offering this coverage, but others may soon follow. Some carriers have
forms that include additional Side A coverage for directors and officers.

All carriers are looking to differentiate their forms from other markets,
which makes all the forms unique. This uniqueness of each carrier’s forms
is one of the most fascinating yet frustrating elements of cyber coverage.
There is little standardization, which makes direct comparisons difficult.
Also, as is evidenced by the most recent changes, forms are still in flux.
The analysis of proper cyber coverage is further complicated by the
ever-changing threat profile, driven by constantly changing attack methods
and rapid technology changes such as smart phones and tablets.

Cyber forms have been evolving for the last 17 years and will continue to
do so into the future as the insurance industry continues to grapple with
the dynamic nature of cyber risks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/