What exactly is a cyber risk, and in particular a risk that is covered by insurance, is a constantly evolving concept. Insureds, insurers and reinsurers are continually faced with new types of risks and claims that fall within the rubric of “cyber.” What is a cyber risk is often broadly construed as anything related to the use of a computing device or network. As cyber risks expand, so do their impact on insurance lines, both those designed to apply to them and those that are impacted inadvertently in what has become known as “silent cyber” coverage. Thus, insurers in all lines need to become familiar with identifying and addressing cyber risks.
The types of events that can trigger cyber coverage, and the scope of coverage afforded by cyber policies, still vary considerably. In the early 2000’s, in the wake of the enactment of data breach notification laws that began in the U.S. in 2003 in California (and now are present in 48 states in the U.S. and worldwide), most cyber policies focused on payment of breach investigation and notification costs for events that involved the loss or theft of protected personal information maintained in electronic formats. That is still a fundamental coverage afforded by almost all cyber policies, and is often a coverage added on to other types of policies. However, in recent years, there has been an expansion of the type of cyber events to which businesses, and their insurers, are subject. Some of the current cyber events do not even involve an actual breach of computer systems, but merely the threat of one.
Even the basic exposure of businesses to theft and loss of protected personal information has increased in scope. Laws and regulations in the U.S. are expanding the definition of what constitutes protected personal information, for example increasingly including on-line log-in credentials and biometrics. Jurisdictions outside the U.S., many of which already had a broad definition of protected personal information, are adopting notification requirements, such as the EU’s General Data Protection Regulation (“GDPR”) that will go into effect in May 2018. This has increased the exposure to businesses, and to their insurers who provide coverage for the costs of investigating and responding to a data breach. While cyber insurers offering stand-alone cyber coverage are likely aware of these developments, insurers offering breach response add-on coverage to “traditional” lines of coverage such as professional liability and other E&O insurance may not be fully taking into account the impending increase in exposure presented by these developments.
Moreover, there has been expansion of cyber risks well beyond the theft or loss of information. As demonstrated by recent news stories, cyber events now include denial of service attacks and attacks directed at destruction of information and systems. This is in addition to the rapid increase in cyber extortion and ransomware, funds transfer frauds utilizing social engineering and electronic communications to trick business employees into making wire transfers to bank accounts controlled by criminals (often referred to as business email compromise), and similar events that may not include a theft of information or breach of a business’s own computer systems. Often, the resulting damages are well beyond investigation and notification costs, and include economic losses resulting from denial of access to systems, property and data damage, bodily injury (particularly when medical devices are affected) and an array of third party claims by corporate and individual customers, business partners, and others affected by the event.
These days, just the vulnerability to a cyber-attack, even if an attack or breach has not occurred, can generate claims against a business by regulators, customers, and shareholders. Increasingly, there are regulatory and legal proceedings that allege failure by a business to comply with the growing number of laws and regulations that require cybersecurity protection to be in place or require disclosure of data collection and security practices, with resulting fines, injunctive relief and potentially other damages awarded for non-compliance. Recent lawsuits against a law firm and a medical device developer, while so far unsuccessful, generated substantial legal defense costs. Regulatory proceedings investigating businesses compliance with security and disclosure requirements for cyber risks can also be expensive to defend. Vulnerabilities in cybersecurity have led to finger pointing by businesses to their cybersecurity vendors and other business parties. Vulnerabilities in software that increase the risk of cyber-attacks of any kind, be it auto theft, data compromise, or privacy violations, can also generate claims even before a breach or loss occurs.
Businesses faced with such losses and claims often look not only to stand alone cyber insurance policies to pay, but also to other types of policies they may have in their insurance arsenal. Many “traditional” lines of insurance have expanded to include add-on coverages for breach response or other designated cyber risks to first party property, third party professional liability and other types of E&O lines, and even general liability.
However, often other lines less deliberately, and often inadvertently, get caught up in claims that arise from cyber risks, and are faced with requests to cover claims of economic losses, property damage or bodily injury. Virtually every insurer has been faced with a claim they never anticipated, which arose from what can be described as a cyber event because it involved use of or affected a computer system even tangentially.
Crime insurers are now facing the increasing number of funds transfer frauds that involve usage of computers, resulting in a series of conflicting court decisions as to coverage. D&O insurers have been faced with claims by shareholders against boards of companies that sustained data breaches for their role in alleged inadequate cyber security or breach response. Employer’s liability insurers may see claims from employees disciplined or terminated because of cyber events and perceived fault. Media liability insurers (and cyber insurers offering media coverage as part of stand-alone cyber policies) are faced with claims arising from the content of statements on business websites and social media. Products liability and product recall insurers are likely to see claims arising from allegedly defective cyber security in devices connected to networks, which these days include a broad range of consumer and health-related products. Property insurers have long dealt with claims arising from events ranging from stolen computers to network outages, resulting in property damage and business interruption claims both direct and contingent. Some insurers on these lines have embraced extensions of coverage that knowingly encompass such cyber risks. Others have relied on cyber exclusions that can be difficult to fashion to exclude all possible exposures from all possible cyber related events. Personal lines insurers, such as homeowner insurers, are not immune, as individuals as well as businesses are at times faced with claims, as demonstrated by those against families who have a member accused of cyberbullying.
Thus, it is increasingly important for insurers to train both underwriters and claims handlers involved in other lines of insurance than cyber stand-alone policies to recognize the risk of cyber exposures when drafting coverage forms and exclusions, underwriting prospective insureds, and receiving notice of a claim. Often, identifying a potential cyber related claim and consulting with internal talent experienced in addressing such risks can be key to controlling the risk and exposure both on an individual and aggregate basis for the insured, the insurer, and the reinsurer.