CYBERSECURITY INSURANCE: INSIGHTS FOR BUYERS FROM TECHUMEN

There is an especially large and growing need for cybersecurity insurance:

1.      Breaches are costly. (Breach cost estimates vary widely and depend on the type and magnitude of the data affected. What is clear is that any breach cost analysis must include the cost of business interruption, tangible and intangible customer losses, class action lawsuits, and civil fines. For large breaches this cost can easily run into the millions.)

2.      Information technology is so entrenched in corporate processes that breaches will become part of the business landscape. (That is, most businesses will eventually be hit by some kind of breach or suffer damage from a cybersecurity attack.)

3.      The legal and regulatory landscape is changing. Class action lawsuits will increasingly make their way through the courts, and these will be especially expensive for companies that have experienced a large breach.

In our view the changing US legal and regulatory landscape is of special concern. Recent examples include:

July 2015.  “To date, an overwhelming majority of courts have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact, an essential element for standing under Article III of the US Constitution. In Remijas v. Neiman Marcus Group, a Seventh Circuit panel disagreed with the analysis of those courts, concluding that customers who have been the victims of data breaches have standing to sue not only after fraudulent charges appear on their cards, but also for an increased risk of future harm and harm-mitigation expenses. Such expenses include lost time and money incurred in resolving fraudulent charges and in protecting against future identity theft, including money spent to purchase credit monitoring. The three-judge panel, led by Chief Judge Diane Wood, has held that an increased risk of future harm resulting from a data breach satisfies the injury-in-fact requirement.” (Source: Amanda Fitzsimmons, law firm of DLA Piper)

September 2015. “The Third Circuit Court of Appeals affirmed denial of Wyndham Worldwide Corporation’s motion to dismiss the FTC’s lawsuit against it. This ruling is significant for several reasons. First, the ruling finds the FTC has the authority to regulate corporate data security practices under the unfairness prong of Section 5 of the FTC Act (“Section 5”). Second, the FTC is not required to publish regulations or rules as to what reasonable data security practices are before suing businesses for lax cybersecurity practices under the unfairness prong of Section 5. The FTC persuasively argued that consumers could not reasonably avoid injury because Wyndham’s misleading privacy policy overstated its cybersecurity practices. (Wyndham’s privacy policy stated that it safeguarded its customers’ information by using “standard industry practices” and took “commercially reasonable efforts … and other appropriate safeguards.”) The Court declared that a company acts unfairly, not just deceptively under Section 5, when it publishes a privacy policy “designed to attract customers concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, [and] exposes its unsuspecting customers to substantial financial injury…” (Source: Nora Wetzel, Cybersecurity Today, published by Sedgwick Law LLP).


Considerations for cybersecurity insurance

While the cybersecurity insurance market is growing at about 30% a year, it is still nascent, and only about 30% of “large enterprises” have some form of cybersecurity insurance. (Source: Dept. of Homeland Security).

In response, in 2014 the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) conducted workshops focused on improving both access to, and the quality of, cybersecurity insurance.

The NPPD identified three areas that contribute to lack of progress:

1.      Insurers don’t have enough actuarial data to adjust premiums based on what security controls and security tools are most effective.

2.      In the absence of more cyber risk actuarial data, insurers struggle to conduct proper incident consequence analysis, which they need in order to determine coverage scope and pricing.

3.      Lack of broader adoption of Enterprise Risk Management (ERM) practices, including cyber risk assessments, in end-user organizations. Such practices are what translate IT-based losses into potential harm to investment, market capitalization, and reputation.

For contemporary cybersecurity insurance buyers, these limitations may mean that the only policies on offer include strict conditions or “exclusions” that limit payouts after a breach. When exclusions are analyzed post-breach, many adjusters will find that the enterprise, prior to the breach, paid only lip service to its own security posture in protecting its IT assets: the insured lacked some or all of adequate security policies, privacy practices, and physical, technical, and administrative controls surrounding the use of its data. Without these controls, adjusters have an effective trigger for exclusion, i.e. non-payment of the claim. The practical consequence for a buyer is that the controls a policy assumes must exist, and be documented, before any breach; they cannot be reconstructed afterwards.

Thus, it behooves both buyers and issuers of cybersecurity insurance to:

1.      Promote the adoption of preventative measures in return for more coverage

2.      Reduce insurance premiums where reasonable controls were in place prior to any breach

3.      Agree on how “exclusions” will be addressed prior to any breach

Feisal Nanji

A seasoned C-level technology risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and has conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.