Morley Speed, Managing Director, UK Cyber Solutions; Kirsten Eickstaedt, Managing Director, European Division and Casualty Solutions Group; Mike Brown and Jeremy Platt, Co-Leaders of Cyber Solutions Specialty Practice
From data breaches to network business interruption to cyber extortion, the frequency and severity of cyber-attacks that have struck governments, utilities, individuals, medical and academic institutions and companies of all sizes are on the rise.
Consider the recent health data breach at Community Health Systems, Inc. In a regulatory filing, the company said an attacker took identification information - such as names and social security numbers - of some 4.5 million individuals. Patients and regulators were notified as required by US federal and state law. The company, which carries cyber liability insurance, said it will offer identity theft protection services to the affected individuals.
In another reported incident, internal records of some 25,000 employees of the US Department of Homeland Security may have been compromised when a hacker penetrated the system of a federal contractor that handles security clearances.
The growing danger of cyber-attacks has led to an increased demand for cyber insurance. These high-tech assaults can result in damages that include business interruption losses, such as when systems are unavailable both internally and externally. Other costs include those for measures taken to notify customers, recover systems and data or minimize reputational damage. In fact, cyber-attacks can pose a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, outsourcers, counterparties and supply chains. Additionally, the aggregation of data from many companies in a cloud service could spell catastrophic loss for those entities if an attack or breach occurred.
Third-party losses stemming from a cyber-attack have the potential to be extremely costly. Companies may face class action lawsuits and have to pay damages to customers in data breach cases. In addition, the legal costs that result from a cyber-attack can include lawyers’ fees for legal analyses, trial expenses, and costs associated with keeping cases out of the courts.
The massive cyber breach in 2013 suffered by one of the largest retailers in the United States, Target Corporation, is a case in point. According to Target’s regulatory filing for the quarter ending May 3, 2014, payment card data from approximately 40 million credit and debit card accounts of shoppers at its US stores was stolen via its point-of-sale system. Also stolen were names, mailing addresses, phone numbers or email addresses for approximately 70 million individuals. Target said in the filing that it incurred USD88 million of cumulative expenses, partially offset by expected insurance recoveries of USD52 million, for net cumulative expenses of USD35 million.
Another high-profile incident involved the UK charity, British Pregnancy Advisory Services. It was fined GBP200,000 in February 2014 following a data breach by a hacker who targeted its website because he disagreed with abortion. The hacker threatened to publish the stolen data.
These incidents exemplify the increasing severity of cyber-attacks worldwide that is driving the demand for cyber-specific insurance. However, companies are uncertain of how much coverage they need and whether their current policies provide them with adequate protection. This uncertainty stems from the difficulty in quantifying potential losses because of the lack of historical data.
Yet, interest in cyber insurance continues to increase, according to the recent Marsh benchmarking trends report on cyber insurance. The report found that the number of the firm’s clients who sought to purchase this type of coverage increased by 21 percent from 2012 to 2013. Since traditional insurance products often do not cover damages resulting from an incident like a data breach, specific cyber liability insurance may be necessary. Carriers have been adapting their policies to include a variety of loss prevention and risk mitigation tools, ranging from turnkey breach response teams to pre-emptive risk analytics.
Marsh estimates the US cyber insurance market could reach as much as USD2 billion this year, up from an estimated USD1 billion in gross written premiums in 2013. The European market is significantly smaller, at approximately USD150 million, but could reach EUR700 million to EUR900 million by 2018.
A lack of consensus in Washington means that Congress is unlikely to establish new federal laws regulating data protection and individual privacy. However, nearly all the US states have enacted cyber laws regarding breach notification and consumer protection. It is a patchwork further complicated by existing regulatory and legal frameworks for certain industries such as health care and financial services. The complexity introduces opportunities for class action lawsuits as well as punitive actions by regulators, state Attorneys General and federal agencies.
The European Union is seeking to update its data protection regulation in order to harmonize European law and introduce new measures including notifications of data breaches and removing data of individuals who withdraw consent for the information to be held. Fines and penalties for non-compliance are expected to increase.
As cyber-attacks increase and governments impose more legal obligations to safeguard data, the demand for comprehensive and customized cyber risk insurance coverage will only intensify.