The Rise of Cyber Liability Insurance: Regulations Helping Contain Cyber Risk
May 2014 BLOG POST
Increase in Cyber Liability is a Reality
Recent high-profile data breaches at Target Corp., LinkedIn, Sony and Citigroup, to name just a few, have led to a surge in demand for Cyber Liability Insurance (CLI), making CLI one of the fastest-growing segments in commercial insurance globally. A major insurance broker in the US reported an increase of over 20% in clients purchasing CLI across all industries from 2012 to 2013, with financial institutions and retailers/wholesalers leading the way. Tracie Grella, Global Head of Professional Liability, Financial Lines, AIG, said that sales of cyber insurance grew by 30% in 2013 as compared to 2012. Given the rise in cyber attacks, the US government passed the Cyber Intelligence Sharing and Protection Act (CISPA) in 2013. Under CISPA, government agencies are authorized to share relevant cyber security information with private companies; companies that have been breached (successfully or not) are allowed to share their experiences without legal consequences; and companies are encouraged to voluntarily share threat information with other companies and the government.
Regulations to Mitigate Cyber Liability
In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity to help organizations that run the US's financial, energy, healthcare and other critical systems better protect their information and physical assets from cyber attacks. The US government also announced incentives to support adoption of the Cybersecurity Framework, including cybersecurity insurance: government agencies would engage with the insurance industry to develop the standards, procedures, and other measures that comprise the Framework and the Program. This collaboration would help build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing, and foster a competitive cyber insurance market. In 2011, the Securities and Exchange Commission (SEC) issued guidance instructing listed companies to describe in their filings material cyber security risks and how they would mitigate those risks, using measures such as insurance coverage. In addition, certain state laws in the US make it mandatory for companies to notify affected customers without unnecessary delay after the discovery of an information security breach. Many cyber insurers offer CLI policies that cover such notification costs after a cyber attack.
More Needs to be Done for Enacting the Regulations
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement protective measures concerning patient information and to notify affected patients in case of any breach. However, in April 2014, the US FBI alerted healthcare providers to increased cyber attacks due to the mandatory transition to electronic health records (EHR), lax cyber security standards, and a higher financial payout for medical records on the black market. Under these circumstances, healthcare companies need to deal with the issue on a priority basis, acting quickly to put additional cyber security measures in place while also availing themselves of CLI to cover losses arising from any cyber attack.
Recent Developments in Cyber Liability Insurance Market
In the retail industry, rampant cyber attacks on major players have made underwriters of CLI somewhat cautious. According to a report from Business Credentialing Services, after the data breach at Target Inc., the CLI coverage limit for retailers dropped by about USD100 Mn. Moreover, retailers would be required to pay higher premiums for CLI coverage compared to other industries. In this crisis, state regulations for the protection of consumers’ personally identifiable information (PII) will help reduce the high cyber risk. Retailers’ fight against cyber crime will be bolstered by the US National Retail Federation’s (NRF) Information-Sharing and Analysis Centre (ISAC), to be launched in June 2014.
Outlook
Cyber Liability Insurance will play a major role in risk mitigation for companies with the emergence of the ‘Internet of Things’, where a greater number of electronic devices will be connected to and managed through the Internet. Retailers, healthcare companies and financial institutions will drive the demand for CLI, considering their need to collect and store high volumes of personal and financial data. Small- and mid-sized enterprises are at greater risk because they lack the financial resources to absorb the costs that might be incurred in the event of a cyber liability incident, while reputational risk is considered more important than financial risk, especially for larger firms. Legal compliance would also continue to drive the adoption of CLI as the understanding of cyber risk matures.