by Julian Miller and Hans Allnutt
Cyber risk presents a growing set of exposures for insureds, insurers, and reinsurers worldwide. As commerce increasingly moves online, and vast amounts of personal information increasingly reside in online databases, professionals who work in and with the insurance industry face increasing challenges, both in complying with regulations designed to mitigate cyber risks and in defending insureds when a data breach occurs. But cyber risk insurance also presents opportunities for carriers who underwrite policies in that space.
People conduct their business and personal lives electronically more than ever before, subjecting their business and personal information to an unprecedented degree of risk. Data security breaches, and the litigation that follows them, have proliferated, with legislative and regulatory efforts scrambling to keep pace. All of this is of acute interest to insurers, whose policyholders face growing and uncertain cyber risks in a rapidly evolving technological and legal environment.
What Is Cyber Risk?
Cyber risk is an umbrella term embracing any risk faced by an organization through its use of online networks or systems. Those risks can include denial of networks and systems by natural phenomena, electronic phenomena (e.g., viruses), and humans; and data lost through error or theft. Cyber risk may encompass first-party losses such as network damage, website damage, data or intellectual property theft, denial of service attacks, business interruption, or espionage. It may also include third-party losses such as breach of confidentiality, breach of privacy, failure to protect personally identifiable information, defamation, and intellectual property infringement.
Cyber Risk Policies
For those carriers that underwrite against cyber risk, current policies generally take one of two available forms. Some are simply endorsements to existing policies (e.g., professional indemnity policies) providing limited coverage for claims arising from, for example, email, website, or damage by hackers. Others, however, are stand-alone, modular policies that provide more robust coverage for data security, media liability, data breach costs, information and asset rectification, business interruption, and/or cyber extortion. Common exclusions to such coverage include those for (i) deliberate, reckless or dishonest acts; (ii) losses arising from use of IT systems in a personal capacity; and (iii) loss of goodwill.
Cyber Risk Examples
Of particular interest to insurers and reinsurers is the magnitude of potential losses that cyber risk claims can occasion. Several recent examples of cyber-risk-related litigation and incidents include:
Zurich American Insurance Co. v. Sony Corp., No. 651982/11 (N.Y. Sup. Ct.). Zurich American Insurance Co. filed suit against Sony in New York state court seeking a declaration that it is not obliged to defend or indemnify Sony against claims relating to three separate breaches of Sony's PlayStation network, in which 100 million customer records were exposed. The alleged damages are $171 million.
Epsilon Data Management. Epsilon Data managed email communications for large companies such as Marks & Spencer and JP Morgan Chase. Hackers stole an estimated 60 million email addresses. The resulting losses, including forensic audits, fines, litigation, and lost business, are estimated at $4 billion.
Boris Berezovsky v. Roman Abramovich (U.K.H.C.). In this titanic struggle between two Russian oligarchs in the United Kingdom High Court, a hacker allegedly broke into the systems of Boris Berezovsky's lawyers, obtained confidential information, and offered it to Roman Abramovich. Judgment was recently given in Abramovich's favour, awarding him $6.5 billion, the biggest private court case in British legal history. This incident demonstrates how exposed law firms are to cyber risks.
Draft European Data Protection Regulation
Recognizing the human and financial cost that arises when data breaches occur, in January 2012 the European Union issued a draft General Data Protection Regulation intended to go into effect after 2014. The Regulation casts a wide net and will apply to any data controller or data processor within the European Union. The draft Regulation will also apply to companies outside the EU that offer goods or services to, or monitor the behavior of, EU citizens.
The Regulation requires that data controllers and processors implement appropriate measures to ensure a level of security appropriate to the risk represented by the processing and the nature of the personal data protected, in light of the state of the art and the costs of implementation. The draft currently requires that data controllers notify the supervising authority without undue delay, and where feasible, not later than 24 hours after becoming aware of a personal data breach. The notification must describe the nature of the personal data breach, communicate the identity and contact information of the data protection officer where more information can be obtained, recommend measures to mitigate the possible adverse effects of the breach, describe the consequences of the breach, and describe the measures proposed or taken by the data controller to address the breach.
The Regulation further provides that the data controller must inform the subject of the data breach of the incident without undue delay, when the breach is likely to adversely affect the protection of the subject's data or privacy. It provides for fines of up to €1M, or in the case of an enterprise 2% of annual worldwide turnover, for noncompliance. The Regulation also provides that data subjects have the right to have personal data erased when no longer necessary in relation to the purposes for which it was collected, or where the data processing does not comply with the Regulation. Fines for violation of this provision range up to €500,000, or in the case of an enterprise 1% of annual worldwide turnover. Finally, the Regulation provides for private rights of action for damage suffered as a result of unlawful processing of data or an action inconsistent with the Regulation.
Cyber risks may pose complex coverage issues. These include:
Scope Of Coverage. Cyber risks may present questions as to the scope of coverage, such as the dispute in Zurich v. Sony. Questions may also arise under various exclusions to coverage, for instance, whether hacktivist cyber attacks constitute terrorism that is excluded under a policy.
Aggregation. Aggregation issues may come into play for reinsurers where, for example, one causative agent (one hacker) inflicts damage on multiple victims.
Attachment, Awareness & Notice. Many cyber risk insurance products are claims-made policies, but breaches can take years to come to light. When breaches are ultimately discovered, moreover, one part of a corporation may be aware of the breach (e.g., the corporation's IT department), but others may not.
Insurance companies are well placed to advise policyholders on strategies for mitigating cyber risks. Given their depth of expertise and global operations, insurers can be in a good position to assemble global response teams that can provide the swift action and expert advice that data breaches often require.
Julian Miller is a partner at DAC Beachcroft in London, United Kingdom. He can be reached at firstname.lastname@example.org. Hans Allnutt is an associate at DAC Beachcroft in London, United Kingdom. He can be reached at email@example.com.
© 2012 DAC Beachcroft LLP. All rights reserved.