Cyber Surge

The embrace of cyber liability insurance has been a long time coming. Although several insurers have offered coverage for a decade or longer, only recently have customers moved to outright purchase of insurance protection. The road to get there has been a “tough slog,” suggests at least one underwriter.

“Brokers needed at first to understand the exposures and talk about them with clients,” says Matthew Davies, senior underwriter at Chubb and Canadian manager of professional and media liability. “I think brokers are still learning in this space. It is a wide spectrum — some have been early-adopters and built a team of specialists; others have taken a more generalist approach.”

Many brokers cite the importance of client preparedness in accepting cyber coverage as a key component of their insurance package. “Five years ago, I was doing seminars for companies on privacy and data security and the reaction was very polite, but there was definitely more faith in the IT [information technology] systems and a sense that cyber insurance was not necessarily a good fit,” says Brian Rosenbaum, senior vice president and national director of legal and research practice for Aon. “What has changed today is we are seeing a push down from the C-Suite [chief executives], who are asking tough questions of their IT and risk management staff about how these exposures are being covered.”

Davies, Rosenbaum and other sources interviewed for this article say they have seen a distinct rise in the volume of cyber liability policies purchased over the past year. At Chubb, Davies notes monthly submission volume has increased by 40% over the same period last year.

Tracking the actual premiums for cyber insurance is difficult: it is not viewed as a distinct “line” of business in industry statistical reports. Sources report that 25 to 30 insurers in Canada offer some form of cyber insurance coverage, with an estimated capacity of $150 million to $200 million.

“We have seen a significant increase in the take-up rate of cyber policies, both in terms of the number of submissions coming in and the number of people buying the coverage,” says Jeanette Lawrence, assistant vice president of professional liability for Chartis. “Historically, the sales cycle for this type of product could be quite long, since companies had to examine the coverage and budget for it. But (that) cycle has shortened considerably. I also think broader coverage is available in the market at more appealing price points.”

Types of Coverage

Cyber insurance in today’s market is offered on a standalone basis. But it is also provided through endorsement, often to an errors and omissions (E&O) policy and, in some cases, to existing general liability policies. A popular trend is the “modular” approach to policy design, with clients selecting insuring agreements that fit their needs.

“We tailor coverage to what our client needs are,” notes Michael Petersen, national leader of the communications, media and technology practice for Marsh Canada. “There are a lot of new products in the market today and not all are identical.”

Cyber insurance, for example, can be purchased on a strictly third-party liability basis, which would cover exposures such as legal defence costs and regulatory fines. More comprehensive insurance includes first-party coverage for the costs associated with a data breach. As part of this, insurers often offer access to service providers such as credit monitoring facilities, call centres, forensic accountants, law firms and public relations and crisis management companies. Many sources suggest the quality of these services will distinguish whether or not clients will select a given cyber insurance product.

Insurers are also seeing a growing interest in network interruption coverage — a modified form of business interruption insurance for computer or data losses that have no “trigger” of physical damage.

A greater awareness exists today that traditional insurance policies, such as CGL (commercial general liability), commercial property and business interruption, were not designed for cyber risk, Petersen offers. “We are frequently getting questions from clients about whether or not they have coverage for cyber risk,” he says. “We point out where the gaps are in traditional policies.”

As well, high-profile data breaches have knocked some of the stuffing out of companies’ confidence in their data security systems. “Historically, there has been some pushback from IT people on the need for cyber liability insurance,” observes Lawrence. “Many were adamant that their IT security protocols were so well-established that they were unsusceptible to a breach. But as we have seen more security breaches at high-level organizations, that pushback has subsided. It is becoming much more a business and enterprise risk management issue.”

Everyone is at Risk

Cyber security has also become a reputational issue for companies and organizations. The Ponemon Institute conducted a survey of 850 executives to determine the negative effects of a data breach on brand equity and reputation. It reported last October that the average time it takes to restore an organization’s reputation is one year, with average loss in the value of the brand ranging from $184 million to more than $330 million.

Privacy breaches associated with top brand names have imparted a sense that everyone is at risk, even organizations previously thought to be “untouchable,” Petersen says.

FBI director Robert Mueller recently predicted that cyber risk would eclipse terrorism as his agency’s number one concern. “He basically said: ‘There are only two types of companies: those that have been hacked, and those that will be,’” Petersen recalls. In fact, the FBI itself has been hacked by a group called Anonymous.

In Canada, the University of Victoria suffered a data breach when thieves broke into the school’s administrative building in January 2012. A digital storage device containing sensitive information on more than 11,000 employees was stolen. The university said it would pay for credit monitoring services for all employees affected.

“It was interesting that this case did not involve customer credit card data, but rather employee information,” says Davies. “How many companies and organizations have this exposure?”

Elaborate hacking schemes tend to dominate concerns about data security, but plain carelessness often leads to compromised personal information. “Cyber risk implies an online or strictly computer-based risk,” explains Timothy Boyle, senior underwriter of specialties and technical lines at Zurich Canada. “Policies can go beyond simply ‘cyber.’ They address breaches or a loss of personal information by other causes, whether due to a lost laptop, a missing USB or improper disposal of information,” he says.

At a seminar sponsored by Chartis in April 2012 called Data Breaches, Coming to a Network Near You, Jason Straight, managing director of the risk consulting company Kroll Inc., said: “I cannot tell you the sheer volume of the cases that we have of laptops that have been left at a supermarket parking lot. There’s a patch for software, but there’s no patch for stupid.”

Regulatory, Legal Responses

Other factors are also in play when it comes to heightened awareness around cyber liability. One is regulation. In Canada, Alberta is the only province that requires mandatory breach notification for private sector companies (federal legislation and provincial regulations require public sector organizations and health care institutions to automatically report loss of confidential infor
mation).

Parliament is currently considering Bill C-12, an act that would amend the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) to force organizations to notify the federal privacy commissioner of any “material” breaches of security surrounding their personal information.

Similar mandatory breach notification legislation exists in 46 U.S. states and in many European countries.

If Bill C-12 passes, some sources say there will be a sea change in the market for cyber liability insurance. “I think eventually you will see legislation in Canada with more teeth to it in terms of what has to be done if there is a release of private information,” says Scott Schleicher, vice president and underwriting manager of technology E&O for XL Insurance. “When that happens, this will take off. Buyers, brokers and carriers will flood into the cyber insurance market.”

Michael Trendler, vice president of professional risk for ACE INA Insurance, agrees. “I think the insurance solutions. . . will become a more routinely sought coverage in Canada, particularly as more stringent notification laws develop and come into force both provincially and federally.”

In April, the Office of the Privacy Commissioner of Canada and its counterparts in British Columbia and Alberta released a guidance document entitled, Getting Accountability Right With a Privacy Management Program. It outlines key steps that organizations must take to be in compliance with federal and provincial privacy legislation, such as hiring a privacy officer, implementing policies and education and assessing risk.

Davies calls this a “very important” document. “This document basically outlines how a breach will be investigated and what kind of things privacy regulators expect from a company,” he says. “Organizations should be looking at this carefully in terms of guidance and compliance on privacy and data breach protocols.”

In addition to regulation, the threat of litigation is also creating a higher profile for data security and privacy breach issues. “In Canada, for any privacy issue that has been in litigation, the damages have been fairly low,” notes Davies. “But that does not take into account defence costs: it may have cost hundreds of thousands of dollars to get to that damage settlement. If you look at the United States, the litigation there has been much more aggressive. There are emerging theories and causes of damage for privacy breaches.”

Rosenbaum cites an interesting case in Canada, Jones v. Tsige, which involved a bank employee whose personal information, including financial records, was spied on by another bank employee. In a January 2012 ruling, the Ontario Court of Appeal recognized the tort of “intrusion upon seclusion,” a particular type of privacy breach and common law cause of action.

“It is interesting that the plaintiff did not have to actually prove any financial loss or damages for invasion of privacy,” Rosenbaum says. While the case is specific in its facts, he notes if the same principles apply to third-party liability, “it could be a whole new ball game.”

In an article on the case, Tamara Hunter, associate counsel and head of the privacy group for Davis LLP, noted: “It would seem that the greatest potential for litigation arising from Jones v. Tsige lies in the possibility for class actions in situations where an organization intrudes into the private information of a large number of individuals in a similar fashion (in circumstances where the invasion would be highly offensive to a reasonable person). With this in mind, one wonders if some social media providers may be taking a closer look at some of their practices.”

For Schleicher, one of the main sources of increased litigation on privacy issues, particularly in the United States, is customer anger. “There is a sentiment that has really taken root in the U.S. that companies and industries should be doing a much better job of protecting personal information,” he says. “There is a sense of: ‘They should pay if my personal data is compromised.’”

All of these factors — reputation, regulation, litigation and customer sensitivity — have resulted in a much tighter focus on data security at many organizations, sources say. This is opening the door for brokers to have a more engaged discussion with clients about cyber liability insurance and related services for data breaches.

“What should appeal to brokers is that this is new business,” Davies says. “It is not about making clients shift their existing business from another broker. Most organizations have this exposure; brokers just need to find it to generate new premium dollars.”

Davies adds that an emerging trend is the requirement for cyber liability insurance in contractual obligations, as part of a legal or financing agreement. “Some parties are being asked to show that they have the backstop of cyber insurance. Brokers have presented this opportunity more and more in recent months.”

Schleicher reports brokers or agents in the United States have been using cyber liability insurance as a point of distinction to compete in the market. “If you can discuss the exposures with clients and offer solutions, you are at a literal advantage in distinguishing yourself from another broker,” he says.

Challenges to insuring cyber

With opportunities in cyber insurance come challenges. A key problem is spreading the knowledge base about data security risk from a smaller group of brokers to a much wider audience, Schleicher says. “Right now, that expertise resides in a small pocket of brokers,” he notes. “It has to expand, especially to regional brokers across Canada.”

Nate Spurrier, director of business development for IDT911, a provider of data risk management solutions and breach services, still observes a lack of awareness when it comes to data security. “People are aware of the cyber risk, but don’t necessarily know how to deal with it,” he says. “There are large knowledge gaps, not just for the organizations, but for brokers. More education is needed on what kind of solutions represent the best fit and why they are needed.”

This education may be targeted to small- to mid-market clients, a segment of the marketplace that has not yet fully embraced cyber risk, according to several sources. “My opinion is that smaller, Main Street clients don’t feel like they need to purchase more insurance,” says Schleicher. “Most still don’t see cyber risk as a huge exposure to their business.”

Trendler agrees that in the middle market space, “the cyber policy has not reached the status of an ‘everyday buy’ as of yet.” Still, he adds, “many companies are ‘kicking the tires’ and requesting both educational materials/sessions and premium projections.”

Spurrier observes that the biggest take-up in cyber insurance policies in Canada has been through endorsements to existing policies. Standalone coverage has been a tougher sell. “This goes back to the knowledge gap,” he says.

“In some cases, buyers don’t understand what the product actually covers. For example, clients may think they have a limit of $1 million to $2 million, but in some policies there is a sub-limit on first-party exposure. If there is a privacy breach, that $2 million suddenly becomes $400,000. That won’t cover all the costs, such as credit monitoring. Another issue is very high deductibles,” Spurrier adds.

While more comprehensive cyber security and privacy coverage is offered on a standalone, monoline basis, Zurich’s Boyle also notes that “a number of insurers are offering stripped down cove
rage as endorsements to Commercial General Liability for small- to mid-sized businesses. In these situations, limits are usually low and they may not provide coverage for breach notification costs.”

Others share the same concern that endorsements may not provide the right kind of cyber security protection. “We always propose that standalone coverage is more comprehensive than an endorsement to another insurance platform,” Davies says. “If you introduce cyber risk, you are adding it to a whole set of other exposures. I think it can also stretch the aggregate limits of a policy. However, we also understand the reality that an endorsement may represent a more attractive premium for the client.”

Arguably the biggest concern for cyber liability insurance is the lack of solid data on claims frequency and severity. The absence of hard figures on claims history may lead to challenges in pricing assumptions and coverage wordings. “I think underwriters are still struggling with what to charge for cyber insurance and finding the right rates for the exposures,” says Petersen.

Davies says the media is not necessarily presenting a full picture of what is going on. “Those are just the companies that have been ‘outed,’” he says. “The media also focuses on the actual breach, not the months of credit monitoring and resolution. There have been claims paid in this area, but we don’t have a great deal of information about them. If you made only one or two bad bets in this line, your premium volume could be eaten by losses.”

These “bad bets” represent a moving target for insurance companies when it comes to the increasing sophistication of hackers. In addition to denial of service attacks and malware, new concerns, such as advanced persistent threats (APTs), which are designed to steal intellectual property over a long period, will pose potential problems for cyber liability insurance. “Risk will most certainly continue to evolve as hackers become more inventive and sophisticated,” Trendler says. “I think the insurance solutions will continue to match this evolution.”

Davies predicts a future trend in cyber liability insurance of fewer but more specialist underwriters in the field. “I think in the next few years cyber liability insurance will be seen as one of the key coverages that organizations must buy,” he observes. “I compare it to D&O [directors and officers] coverage for private companies in Canada. It used to be fairly rare; now it is very common. You will see a similar development with cyber protection. It will be more of a standalone offering that can be customized, with brokers presenting clients with a range of options.”

Rosenbaum also compares the evolution of cyber insurance to D&O. “In Canada, the market for professional liability was nowhere 20 years ago. People just weren’t interested,” he says. “Now it is part of the internal toolkit of the risk manager. The same evolution is happening with cyber liability insurance.”

Others see the market for cyber risk expanding into more industries and sectors of the economy. “I think that you will see cyber risk emerge as a key component of boardroom discussions,” says Lawrence, who adds data security will become a more prominent item for “critical infrastructure companies” in addition to non-profit organizations and charities.

Ultimately, boardrooms and senior management will decide when and how their organizations need to take responsibility for data security and cyber risk, sources conclude.

“Senior management is realizing this is a reputational and business continuity issue,” Davies says. “If you don’t have good privacy and data security practices and procedures, insurance will not be the solution. It should always be a contingency, not a replacement for sound risk management practices.”