BreachExchange mailing list archives

Cyber insurance 2015: Inside a robust and rapidly changing market


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 2 Jan 2016 19:46:45 -0700

http://www.propertycasualty360.com/2016/01/01/cyber-insurance-2015-inside-a-robust-and-rapidly-c

2015 will be remembered as the year the Cyber insurance market began to
really take shape. The market remains robust and continues to present for
insurers opportunities for unprecedented growth. However, the market
conditions for large and small to medium-size enterprises differ greatly.
That is because, in part, insurers are targeting small and mid-size
enterprises as highly profitable. 2015 will also be remembered as the year
data breach coverage disputes under stand-alone cyberinsurance policies
began to leak into the courts. This article will address these trends of
continued, albeit segmented, market growth and cyber-coverage litigation
and whether we can expect them to continue in 2016.

An insatiable demand for Cyber insurance

We have continued to see in 2015 once-in-a-lifetime growth in the insurance
market, driven almost exclusively by Cyber insurance. And, growth trends
are showing no signs of slowing. According to a survey conducted by RIMS,
74 percent of those without Cyber insurance are planning on buying it
within the next one to two years. Likewise, total annual premiums for
stand-alone Cyber insurance are projected to grow to $20 billion by 2025.
This growth stems, in part, from increased awareness of the importance of
first-party Cyber coverage and business interruption risks from data
breaches.

What is holding back an even greater increase in premiums collected is the
general lack of capacity in the market. Some carriers are responding by
adding capacity. For example, ACE recently announced it will offer Cyber
insurance policies with a $100 million limit. Further, despite a reduction
in capacity by some carriers, according to Neeraj Sahni of Willis, large
policyholders can still obtain maximum limits of between $350 million and
$400 million, although doing so may require self-insurance at one or more
layers of the tower of coverage.

A related trend that continued in 2015 is carriers retreating from the
market. It appears today that fewer than 10 domestic carriers, plus the
London market, remain willing to write primary stand-alone Cyber insurance
(other carriers write only excess coverage). This trend is likely due to:
(1) carriers being snake-bitten by Cyber insurance losses and the potential
for devastating aggregated losses, (2) carriers not having a comfort level
with the required qualitative assessments of their policyholders’ cyber
security defenses (as opposed to quantitative assessments historically used
to underwrite property and casualty risks), and (3) the lack of individuals
with substantial expertise in both insurance underwriting and cyber
security. This talent gap is especially problematic given that the
underwriting of cyber-risks necessitates technical dialogues with the
board, including the CISO/CIO/CTO, of highly sophisticated multinational
conglomerates.

A final trend from 2015 is the spike in cost of Cyber insurance renewals
for point-of-sale retailers and large health care companies. Some carriers
are imposing 150 percent premium increases. Companies in those industries,
or other industries plagued by data breaches, must thus be prepared to
purchase very expensive, albeit necessary, Cyber insurance coverage.

The emergence of Cyber insurance litigation

It was only a matter of time before courts began to see coverage litigation
under stand-alone Cyber insurance policies. These policies have been sold
for years, and data breaches are ubiquitous. Moreover, anti-policyholder
rulings by Connecticut and New York courts in prominent coverage litigation
under commercial general liability (CGL) policies, in addition to the
promulgation by ISO of specific data breach loss exclusions, left Cyber
insurance policies as the last place for policyholders to turn to in the
aftermath of a data breach. Coverage disputes under Cyber insurance
policies thus were inevitable.

Two recent cases should inform the Cyber insurance marketplace in 2016 and
beyond. First, in Travelers Property Casualty Co. of America v. Federal
Recovery Services Inc., a Utah federal court found the insurer had no duty
to defend its policyholders in the underlying lawsuit. The most significant
aspect of the decision is that the parties were disputing coverage under
the Network and Information Security Liability and Technology Errors and
Omissions Liability parts of a CyberFirst Policy. This was the first
coverage decision with respect to a standalone Cyber insurance policy.

Notably, the case did not involve a data breach or other like cyber
security loss, but rather a classic intent to injure versus negligent
conduct dispute. Nonetheless, it is important to recognize that the court
interpreted the terms of the Cyber insurance policy under the same
framework it would use for a traditional CGL or Errors & Omissions
liability policy. This approach should reassure those concerned that
judicial interpretations of Cyber insurance policies might be totally
unpredictable (because of their novel terminology). Instead, the district
court’s opinion suggests that Cyber insurance disputes will not be decided
against a blank canvas.

Second, in Continental Casualty Co. v. Cottage Health Systems, Columbia
Casualty Company (CCC) filed a declaratory judgment action in federal court
in California, seeking a declaration that it is not obligated to cover
Cottage Health System (CHS) and that it is entitled to full reimbursement
from CHS of defense costs and settlement payments paid on behalf of CHS.
The litigation concerns a NetProtect360 policy, containing Privacy Injury
Claims and Privacy Regulation Proceedings coverage parts.

The claim giving rise to the coverage litigation involved a data breach
that resulted in the release of private healthcare patient information.
This spurred a class action lawsuit, which settled for $4.125 million. CCC
paid the settlement, but unilaterally reserved its right to seek
reimbursement of attorney’s fees and settlement payments attributable to
uncovered claims.

The subject policy contained a Failure to Follow Minimum Required Practices
Exclusion, which stated that CCC was not liable to pay any loss based upon
CHS’ failure to “continuously implement the procedures and risk controls”
identified during the underwriting process. CCC contends that CHS failed to
adhere to certain basic security practices, and that its failure to do so
was the cause of the data breach and subsequent loss. These alleged
failures include deficiencies in CHS’ file transfer protocol settings on
its internet servers, maintaining security patches, assessing information
security exposure, and detecting network intrusions.

This case was dismissed so the parties could pursue alternative dispute
resolution. Nonetheless, this litigation serves as a cautionary tale to
policyholders to negotiate for the removal of these and other broad
exclusions from their Cyber insurance policies. Policyholders do not want
to be like CHS and think they are covered for data breach losses, only to
find out post-breach that because they did not carefully read the policy,
the deficiencies in their cyber security apparatus not only left them
exposed to data breaches, but also may leave them uninsured.

In sum, 2015 was a year of robust overall Cyber insurance market growth,
although large accounts and certain industries began to find that Cyber
insurance may not be as viable (read: affordable) an option as it once was.
There are no signs of this trend abating in 2016, especially as market
consolidation, the talent gap, and an inability to devise effective data
breach modeling persist. Additionally, 2015 saw coverage litigation in its
nascent stages. There can be no doubt this trend will continue, too, as
policyholders and insurance carriers utilize the courts to find common
ground as to the meaning of non-standardized policy terms. Ultimately,
Cyber insurance for data breaches was in 2015, and will certainly continue
to be in 2016, the most important issue to the insurance marketplace.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 