Cyber Insurance – Many Choices Now That There Is No Choice

Every organization, of every size and operational orientation, needs cyber insurance to manage its exposures in this age of networked information.

That was one thing speakers agreed on at the recent 2017 Cyber Liability Symposium held by the Professional Liability Underwriting Society (PLUS).

No organization is off the radar for bad actors who relentlessly seek the weakest links for accessing valuable personal and financial information, threatening to shut down an operation, or seeking to do physical damage.

For example, said Robert Anderson, a managing director for Navigant, the health care sector is now under siege from “rampant” attacks by “ransomware,” malicious computer coding that essentially captures or disables an organization’s information assets until a ransom is paid.

“It’s not just payroll that’s affected,” he said. “You can’t do surgery. You can’t do dialysis. Every aspect of the institution is tied up.”

In a subsequent session, attorney Jennifer Coughlin, a partner in Mullin Coughlin LLC, commented, “Did we ever think hackers could take down an MRI? At one care facility, they took down the patients’ tracking anklets. For some time, they couldn’t find two patients. That’s a big deal.”

As cyber attacks and data breaches become more common, organizations “victimized” by an attack will find themselves under potentially harsh scrutiny for their level of security and preparedness. “If you suffer a major breach, it’s an investors’ event, it’s a board event,” said Brad Gow, global cyber product leader for Endurance.

Cyber vulnerabilities will almost certainly multiply as the Internet of Things (IoT) expands. There are now more equipment sensors and related devices connected to the Internet than cell phones, and Zurich estimates there will be more than six connected devices per person worldwide by 2020.

As a reflection of the spread of “smart” technology, symposium keynote speaker Peiter Zatko noted that a current fighter jet has 3,500 components that are directly or indirectly connected to the Internet. Zatko, known by the nickname “Mudge,” is a renowned hacker who has worked for the federal government and now serves as director of the Cyber Independent Testing Lab (CITL).

Adding to the pressure on organizations is the increased attention federal and state regulators are devoting to cyber security.

Symposium attendees heard several references to “OCR” and “NIST,” the federal Office for Civil Rights and the National Institute of Standards and Technology, respectively. OCR, a branch of the Department of Health and Human Services, enforces federal requirements for the security of individuals’ health information and points regulated entities to NIST standards and guidance for meeting them.

Speakers expressed hope that the Trump Administration would relax OCR activity in this regard, but there was no indication of that yet.

“I’ve seen OCR step up its involvement [in recent years],” said Jennifer Coughlin. “The states are also more comfortable starting [cyber-security investigative] proceedings the past few years.”

“We were hoping for [the OCR] to step back [since President Trump’s inauguration], but unfortunately that’s not happening,” added Kimberly Horn, global focus group leader for Beazley breach response and information security claims.

As regulators consider whether to require organizations to obtain cyber insurance, a growing number of companies are requiring their business partners to do so. These requirements raise a fundamental question, according to Angela Gleason, senior counsel for the American Insurance Association: “What constitutes cyber insurance?” she asked. “Would standard data breach coverage suffice, or is something more needed?”

As organizations increasingly recognize the imperative of purchasing cyber insurance, they are still confronted with a complex variety of policy forms and coverages, and a daunting application process.

Cyber insurance is available from about 70 carriers, most of them with very different coverage features, according to Stephanie Snyder, national cyber sales leader for Aon. “When you look at coverage offers and review the triggers, definitions, and exclusions, it really runs the gamut.”

Moreover, she added, cyber risk changes from month to month, as do an organization’s exposures for digital assets, and the methods and systems for securing those assets. Given all this complexity, Snyder said even organizations that have purchased cyber insurance “may not have the appropriate coverages” when claims come in.

For example, she noted, retailers need coverage for breaches or violations of the Payment Card Industry Data Security Standard, better known as “PCI DSS.” The presence or absence of a single coverage like that can be overlooked, however, when applicants are considering comprehensive packages.

Things are starting to improve for cyber insurance buyers, however. For one thing, “we’re starting to see policies come together,” i.e., become more standardized, according to Snyder.

Also, insurers recognize they can no longer compete effectively using applications with a “list of 100 questions,” said David Gilmore, director of business development for Symantec. Yet, he added, “there’s no three-question magic bullet either.”

Sales of cyber insurance are bolstered by a slowly changing attitude toward the coverage among IT professionals.

Whereas IT professionals once considered cyber insurance as unnecessary, or implicitly critical of their work, Snyder noted that “there’s been a change in IT professionals’ perception of cyber insurance. They now understand how cyber insurance is a backstop that protects them.”

“Cyber insurance is a part of cyber security,” added Gilmore from Symantec, an important acknowledgement from a leader in cyber security.

The purchase of cyber insurance coupled with risk control and event response services is becoming a routine part of cyber security planning, according to Kevin Kirst, director within the forensic technology practice of PricewaterhouseCoopers.

Given resource constraints, Kirst said that even highly sophisticated IT operations must choose between mission-critical cyber risks they must manage themselves and risks they can transfer. For some organizations, protection of customers’ personally identifiable information will be the top priority, for maintaining customer confidence and avoiding regulatory sanctions. For others, avoiding disruption of operations will be the top priority.

Adding to the complexity of the process is the daunting array of cyber security products available from IT vendors.

There are more than 600 products on the market for protecting digital assets, said Shaun Brady, executive director of the Center for Model Based Regulation. Some large organizations utilize and manage more than 100 of them.

Acquiring cyber security software is no guarantee that one will be protected from breaches, however. Zatko’s Cyber Independent Testing Lab rigorously examines networked applications for security vulnerabilities, and has concluded that “about a third of the vulnerabilities are vulnerabilities of security software we have installed to protect our systems.”

For all organizations, therefore, the most important factors in loss control continue to be well-established and well-communicated employee data management practices, reinforced by staff training and stringent individual accountability for lapses.

“Some of our clients push down accountability to the business units,” said Kirst of PricewaterhouseCoopers. “The business unit manager should be responsible.”

Cyber insurance may do little good for an organization, however, if the organization does not immediately recognize an attack or breach and notify the insurer. On this score, some IT departments are still slow to act, believing they can handle the problem themselves, or that reporting an incident will be seen as acknowledging an error on their part.

“There’s a real disconnect sometimes between frontline IT and the risk manager,” said Kim Horn of Beazley.

Horn shared an anecdote of a client that had contracted for credit monitoring service and engaged a forensics firm and several lawyers before notifying the cyber carrier of a breach. It turned out that the cost of most of those services fell unreimbursed to the client, because they were not covered under the policy.

“It could have been so much better if they had come to us first,” she said. “If you work with your carrier, your whole response might be covered. At least you will be acting with an informed view when you respond.”

Horn’s observations were echoed by Brad Vatrt, assistant vice president for cyber, media, and technology for AIG. It’s common, he said, for an IT department to “sit on” a breach report, and then try to address it, before reporting it to upper management. “Now we’re not dealing with a claim a few hours old but a few days old,” he said. “[Response] work may have already begun, some of it not covered.”

“The sooner you call the carrier, the better,” said attorney Coughlin in her remarks. “The longer you wait, you’re losing evidence, perhaps over-notifying people, and perhaps giving the wrong notice information.”

While an incident must be reported immediately, the response should not start, if possible, until the principal actors understand the nature and extent of their cyber coverage.

“You need to understand how those coverages [in a cyber policy] relate to each other,” Vatrt said. “You have multiple retentions and multiple waiting periods. Know the costs [of notice and remediation] but also know how those costs are allocated under the policy.”

By now, no one should feel embarrassed at being the target of a cyber attack, even a successful one, as long as their response is prompt and effective.

“Attacks keep happening, and we can’t stop them completely,” said Matt Shabat, director of performance management for the U.S. Dept. of Homeland Security. The key question, he said, is “what do I do when that breach occurs?”

By Joseph S. Harrington, CPCU, ARP | April 12, 2017



Cyber Insurance ~ Understanding the Pitfalls

As more and more companies enter the burgeoning cyber insurance marketplace, they often ask policyholder counsel like me how they can choose the best cyber policy when confronted with so many choices.

When the marketplace was still in its infancy just a few years ago, this was a considerably harder question because the policy forms, including the scope of first-party and liability coverages being offered by different insurers, varied so drastically. But as the cyber insurance marketplace enters its adolescent stages, there is beginning to be more standardization in available coverages and exclusions, at least at a high level.

But what has not changed is that many key terms of these policies remain negotiable (considerably more so than for other types of insurance policies), and the courts have been presented with few opportunities to provide guidance on how key provisions in these policies are likely to be interpreted.

The net result is that prospective policyholders can and should continue to negotiate aggressively in the underwriting process, especially when purchasing cyber coverage for the first time. But what provisions should a prospective policyholder be most concerned about? The answer depends largely on the most prevalent risks faced by individual companies, which are unique to them.

However, there are some provisions common to many cyber policies that, in my view, present risk to all policyholders due to imprecise or inappropriately restrictive coverage language. Because these provisions are almost certain to be the basis of numerous denials of coverage, they are likely to be tested in litigation in the next few years and deserve particular focus by prospective policyholders. Some of these looming battleground provisions include:

Retrospective dates

Most cyber policies are subject to a specified retrospective (or retroactive) date, which means that liability claims, such as those arising from data breaches, are not covered if the events giving rise to them occurred before that date. Often, the insurer will set the retroactive date at the inception date of the first policy it issues to a particular insured. This can be a significant problem, especially for first-time insureds, because of the close temporal proximity between the retroactive date and any potential claims: a breach discovered shortly after inception may well trace back to an intrusion that predates it.

To make matters worse, many cyber policies contain language purporting to relate all causative events back in time to the date of the initial causative event. In many cases, this problem will begin to alleviate itself over time if the policyholder renews its cyber policy with the same insurer (i.e., the retroactive date will remain fixed at the initial inception date as successive policies are issued). That said, I still see more cyber claims denied on this ground than any other.

Some cyber insurers will agree to backdate applicable retroactive dates for prospective policyholders and some will not. Particularly with respect to the latter, significant factual disputes regarding the specific events precipitating an otherwise covered claim are entirely foreseeable. The complex technical aspects of data networks and the inherent uncertainties regarding the genesis of many breaches are likely to exacerbate these disputes even further.

Unauthorized access to computer systems

Many cyber policies provide coverage only where access to the insured’s computer system is “unauthorized.” Some insurers will argue that this precludes coverage where an employee negligently provides access (such as losing his or her password) or is tricked into providing access (such as in a spear phishing attack).

Some insurers have sought to clarify the scope of “unauthorized access” by defining that term in their policies, but others have not. Like many cyber policy provisions, the scope of this definition may be negotiable, and any ambiguities should be resolved in favor of the policyholder under general principles of insurance policy interpretation. But given the ever-increasing frequency of cyber fraud and the ever-increasing ingenuity of cyber fraudsters, the extent to which there is coverage under cyber policies for unintentional but arguably authorized access to computer systems is likely to be disputed vigorously.

War and terrorism exclusions

Many cyber policies exclude loss arising from acts of war and terrorism, and define those terms broadly. Because these exclusions are carryovers from older types of liability policies, they often are overlooked as mere boilerplate for companies whose operations are largely domestic. But the danger of these exclusions in the cyber context, if not worded appropriately, is that they potentially preclude coverage for cyber attacks initiated by individuals or entities in foreign countries, where many of the most serious attacks originate.

I have seen a number of these exclusions in which the insurer could make a reasonable argument that a state-sponsored attack by a foreign government (e.g., the North Korean attack on Sony), or even loosely affiliated groups or individuals with a particular political or social agenda, fall within the scope of the exclusion. Because cyber attacks by foreign entities are now so ubiquitous, this should be a serious concern for policyholders, not just an academic discussion.

Some insurers are now willing to negotiate a more appropriate scope of these exclusions (e.g., carving “cyberterrorism” out of the exclusion). But for insurers that refuse to negotiate this language, the extent to which attacks originating abroad constitute acts of war or terrorism is likely to be a hotly disputed issue.

Exclusions for generalized acts or omissions

Some cyber policies exclude coverage where the insured fails to follow “minimum required security practices,” employ “best security practices,” or comply with its own security policy. In my view, these exclusions are inappropriately overbroad and lend themselves to subjective application.

Even though these exclusions are becoming far less common in cyber policies (probably due to marketplace pressures to remove them), they still persist in some cyber policy forms. In fact, one of the few coverage lawsuits filed to date involving coverage under a cyber policy was focused on precisely this issue (although it was dismissed on other grounds). As long as these exclusions persist, their inherent ambiguity and uncertain application are likely to make them the subject of considerable dispute.