Tremors from two recent cyber breaches are still reverberating in the corner offices of companies and insurance underwriters alike.
The first incident was “celebgate”— the theft and online posting of revealing photos of celebrities like Jennifer Lawrence and Kate Upton in late August. Presumably fearing that hackers had targeted the victims’ iPhones or that the theft had resulted from a breach in iCloud, Apple rushed to control the damage. Following a 40-hour probe, the company “discovered that certain celebrity accounts were compromised by a very targeted attack on usernames, passwords, and security questions, a practice that has become all too common on the Internet,” according to a September 2 statement on Apple’s website.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.” The statement added that Apple was continuing to work with law enforcement agencies to find the “criminals” involved.
The second breach was no less sensational. On September 8, Home Depot announced that hackers had penetrated its payment data systems, starting as long ago as April. Experts say that the number of cardholders affected could easily exceed the 40 million involved in the three-week breach of Target’s systems in the fourth quarter of 2013. (Total cost of Target’s data breach so far: $146 million, with $236 million of expenses offset by a $90 million insurance receivable, the company revealed on August 20.)
If CEOs and directors weren’t paying attention to cyber security before, they are now. More than likely they have questioned their CFOs and chief risk officers about their own companies’ cyber-liability coverage. At the same time, commercial general liability underwriters are anxious to make sure they’re not on the hook for cyber risks. In the case of existing CGL policies, they’ve contended that the broad-scope insurance was never intended to pay for the unforeseen consequences of computer hacking.
Now, however, the consequences are more foreseeable. Attempting to avoid the courtroom completely, many insurers want to exclude cyber risk from CGL coverage when corporations negotiate their next policy renewals, experts say. Instead, they’ll be seeking to steer their corporate clients toward more costly stand-alone policies.
Says Robert Parisi, national cyber risk practice leader at Marsh USA, which recently launched its own cyber insurance policy: “The insurance market writ large isn’t saying it isn’t going to cover cyber risk, it’s just saying that they’re going to cover [the risk] under cyber policies.”
Unless corporate buyers are careful, however, the risk that ends up being covered could be very narrow. To guard against that, companies would do well to get a firm grasp of what their cyber exposures are.
“If we were the subject of a cyber attack, our concern would be our clients’ data as well as our internal financials,” says Peter Bible, CRO of EisnerAmper. To determine how well protected that data is, the accounting firm hired “the best and brightest hackers” to attack it and asked them to “tell me how you got in my system,” he says. Although EisnerAmper renews its liability coverage annually, the firm’s insurer meets periodically throughout the year with Bible, as well as the firm’s CEO, general counsel, and head of information technology.
Yet even companies that haven’t experienced a hack on their proprietary systems can be held liable for a cyber attack on their cloud providers. Before companies negotiate renewals of their liability insurance policies, it’s important for CFOs and risk managers “to understand how your company manages and hosts data,” says Joshua Gold, who chairs the cyber insurance recovery group at Anderson Kill, a law firm that represents corporate policyholders.
In particular, finance chiefs need to know whether their companies use cloud computing. “If you do, you want to make sure that whatever policy you’re looking at is going to respond [when] the breach may not be on your end but on the cloud vendor’s end,” Gold said.
Sony Corp. of America learned as much in February, when the New York Supreme Court ruled in favor of its insurers, Zurich American and Mitsui Sumitomo, in such a case. In 2011, outside hackers hit Sony’s PlayStation Network and extracted personally identifiable information from more than 77 million people, an event that spawned 58 class-action lawsuits. The court denied that the insurers had a duty to defend Sony against charges stemming from the attack.
Yet Sony itself didn’t appear to have been technologically responsible for the attack. Instead, a hacker used Amazon’s Elastic Computer Cloud service to attack Sony’s online entertainment system, according to a Bloomberg story. (Sony is appealing the decision.)
Besides fighting uphill battles in court for cyber coverage under existing liability policies, corporations will have to drive hard bargains with their CGL carriers to get any protection at all on their policy renewals. On May 1, optional cyber exclusions to CGL policies drawn up for the insurance industry by the Insurance Services Offices and approved by regulators in most states became effective.
That means that insurers using the widely deployed ISO forms could more easily “bar coverage for privacy claims” and claims of property damage stemming from a data breach on the new policies they offer, says Gold.
The Sony case underlines a big reason that CGL insurers may have grown so wary of underwriting cyber liability: Many cases morph into class-action lawsuits. Even though most suits haven’t resulted in big judgments or settlements, the costs of attempting to get a case dismissed or designated for summary judgment can be huge, Gold says.
“Invasion” vs. “Breach”
Still, under most existing CGL policies, the costs of lawsuits brought against policyholders by victims of a data breach would seem to be covered. “There’s a coverage under the CGL policy that’s referred to as ‘invasion of privacy,’ which is basically the public disclosure of a private fact,” Parisi notes. Such instances include the taking and use of a private image of a public figure, often for commercial purposes like placement in an ad, or similar exposure of private medical records, he says.
On the other hand, a “breach of privacy”—in which someone illegally collects or uses confidential information not for the purposes of publishing it but for use in a fraudulent transaction—isn’t covered in the typical general liability policy, Parisi says. Examples are identity thefts and their use in credit card frauds.
The reason such privacy breaches aren’t likely to be covered under liability policies is that such coverage tends to be triggered “by a written demand from someone stating or alleging that you harmed them,” explains Parisi. By contrast, breaches of privacy come to light when FBI agents or bank security officials, for instance, tell a company that they’ve discovered that many fraudulent credit card transactions have converged on it.
A company hit by a privacy breach, he notes, is likely to incur a host of out-of-pocket expenses. For example, the company may have to pay for forensic investigations into the cause of the breach; legal interpretations of the forensic findings; and public relations efforts to manage reputational risks. “All of those costs are going to be incurred before a claim is alleged, so even the broadest liability policy is not going to pick those up,” Parisi adds.
Enter the stand-alone cyber insurance policy. “Underwriters, like everyone else, see the frightening headlines on one breach after the next, and want to limit or eliminate coverage on their existing standard policies,” observes Gold, and see “if they can’t force you to buy this different coverage.”
Well-written stand-alone policies, on the other hand, can provide corporations with the data-breach liability protection that general liability insurance coverage never has, Parisi contends. Further, they can be tailored to pay for compliance with the actions of regulators like the Federal Trade Commission, which has been active in consumer-data breaches, and the U.S. Department of Health and Human Services, which is concerned with violations of patient confidentiality.
If an employer loses personally identifiable information, it’s sure to face a regulator, according to Parisi. “The regulator isn’t going to say that you harmed anyone, he’s going to say that you are in violation of the regulation. You’re going to have to defend yourself in an investigation, and there may be fines or penalties assessed,” he says.
Gold agrees. Noting that the market for such policies is quite competitive these days, he adds that buyers “can request specific coverage and get [their] coverage needs fulfilled.” But companies will require a sharp-eyed broker to do that, the policyholder attorney contends. Because stand-alone policies are so customized, “you need to have the expertise to wade through 40 pages of mind-numbing policy language to figure out what’s covered and what’s not.”