The Evolution of Cyber Insurance
How did we get here and where are we headed?
By Mitchell Ayes, Paul Lanza
Chances are high that you have been affected by some of the more famous—or infamous—breaches of network security recently. Breaches involving Sony Pictures Entertainment, JPMorgan Chase, Target Corp., Ashley Madison, Yahoo!, the federal government, and many others that have fallen victim to this new wave of injury have been well publicized and well documented over the past few years. So how can we protect our data, customers, clients, and ourselves going forward?
The easy answer would be to disconnect from the internet, as that appears to be the only fail-safe method of securing our networks from a potential breach of security and the resulting damages. Since disconnecting from the internet is not practical, we will need to familiarize ourselves with how we got to this point in time and what we can do to prepare better and protect ourselves from future breaches. Over the course of the year, we will provide you with quarterly articles on the state of cyber liability throughout the industry and how insurers and insureds can be proactive in preventing breaches and implementing preparedness strategies.
Before we get too far into the details, let’s examine how the insurance industry has evolved on the subject of cyber liability. Policies first originated in the 1990s as a way to afford errors and omissions coverage to companies that generally were already purchasing errors and omissions coverage. However, these new policies extended coverage to include destruction of data, unauthorized access to a client’s system, and viruses impacting client services.
These first policies did not contemplate the problems that we are facing today, specifically threats from hacktivists, foreign governments, or unscrupulous outsiders looking to make a name for themselves by unearthing salacious and personal information. Further, early cyber liability policies did not have to cover the concerns of an internet-dominated culture to the level we have today. Since these first policies were written, there has been a tremendous quantity of sensitive and personal data added to and floating around in cyberspace that was not anticipated in the 1990s, and the insurance industry is in the process of catching up to ensure its policyholders are properly protected.
Following the issuance of the first cyber liability policy, coverage has evolved to include many additional areas, such as data breach notification. Currently, 47 of the 50 states maintain data breach notification requirements with varying detail, as the requirements are state-specific. The general consensus is that individuals must be notified when a breach occurs and their data are at risk of being compromised.
Cyber liability policies also have evolved from riders and endorsements to a general commercial liability policy to stand-alone policies, as there is exclusionary language in most commercial liability policies that bars cyber liability coverage for breaches and resulting damages from both a first-party and third-party perspective. Now, depending on the policy purchased, insureds have the ability to be covered for the costs stemming from a breach for coverage types. Further, insureds now can be protected and covered for costs associated with assembling a breach team, breach notification, data monitoring, forensic investigations, business interruption, and excess business costs from the breach, among other coverages.
In the 20-plus years that cyber coverage has been around, it has expanded in order to keep up with the changing landscape and reality of data breaches. Likewise, just as cyber liability policies have evolved, so have the forces that have been driving this evolution. As mentioned, the sheer quantity of data in cyberspace simply was not contemplated in the 1990s by the insurance industry, nor were other influencers.
New technology also is compelling changes in the cyber insurance industry. From cloud technology to 3D printing, we can anticipate that cyber coverage will continue to change to meet innovation. Notably, cloud technology presents a unique concern for cyber insurers because cloud service providers act as data aggregators. If there is an attack, then it could result in large-scale data-breach losses and business interruption for many companies. Further, drones, autonomous vehicles, and internet-connected home appliances are additional examples of new technologies that are governing the future evolution of cyber coverage.
Interestingly, given the rapid growth of technology, experts cannot even come to a consensus in order to predict the number of internet-connected devices expected to be in use by the year 2020. Notwithstanding, we can expect a minimum of 20 billion internet-connected devices, and some experts predict a trillion devices to be connected by the end of the decade.
The increasing complexity of cyberthreats, however, continues to be one of the most significant forces creating the ever-changing landscape of the cyber coverage industry. The quantity of attacks alone continues to rise. In 2015, the Identity Theft Resource Center reported that there were 780 detected cyber breaches in the U.S., exposing nearly 178 million records. Of those breaches, 37.9 percent were the result of hacking. As of November, there were already 873 breaches in 2016. Moreover, the expanding number, scope, and sophistication of these breaches only make it more difficult for businesses and the insurance industry to keep pace. Large-scale breaches can lead not only to business interruption damages, but also to damage to a business’s reputation and expensive investigatory and legal costs.
Now that we have explored the beginnings of the cyber liability insurance industry and how it has transformed over the decades, in successive columns we will begin to explore how best to prepare for a breach and to safeguard sensitive information. As we proceed throughout the year, we will address both preventive measures and the steps to take after a breach occurs to ensure the most efficient and seamless continuity of operations possible. Also, as the cyber liability industry is constantly evolving, we will explore other issues that transpire over the course of our series.