BreachExchange mailing list archives

Legal Mandates Fuel Cybersecurity Insurance Growth


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 Jan 2016 18:07:27 -0700

http://www.bna.com/legal-mandates-fuel-n57982066172/

The rise of state data breach notification laws, as well as federal breach
notice and data security obligations affecting some businesses, largely
created the demand for cybersecurity insurance, analysts told Bloomberg BNA.

The cybersecurity insurance policy sales have skyrocketed. They essentially
offer protection for companies from network security risks associated with
data breaches and other cybersecurity and privacy liabilities.

The boom in cybersecurity insurance will likely continue as small- and
medium-sized companies seek initial coverage and larger companies seek
enhancements to existing coverage, the analysts said.

State Breach Notice Laws

Many companies' first brush with cybersecurity insurance was a coverage
extension added to another professional liability or commercial policy;
such riders evolved into some of the first stand-alone cybersecurity
insurance products in the late 1990s.

The market picked up in the U.S. when state data breach notice laws began
entering into force in the early 2000s. Then in 2012, high-profile breaches
involving millions of retail consumers and bank customers pushed the issue
into the offices of senior managers and corporate board rooms.

California enacted the first-in-the-nation statute in 2002. The law, which
took effect in 2003, requires companies possessing or controlling
personally identifiable information to notify individuals of a security
breach if the personal information was or was presumed to be accessed by an
unauthorized person. Companies started to seek insurance coverage from
costs associated with breach notice obligations under California law. As
other states followed California and enacted breach notice laws—47 states
and the District of Columbia have breach notice laws—the desire for
cybersecurity insurance coverage also grew.

Federal Obligations

In addition to the state laws, federal breach notice and security
requirements, such as those from the Health Insurance Portability and
Accountability Act, obligate covered entities to meet certain requirements
regarding the use and disclosure of individuals' health information.
Noncompliance can result in civil money penalties.

And financial institutions must comply with Gramm-Leach-Bliley Act rules,
which in part aim to protect nonpublic personal information of consumers
and their customers and former customers by requiring the institutions to
describe accurately how they collect, disclose and protect the information.
The Federal Trade Commission, other federal regulatory authorities and
state insurance authorities enforce the GLB Act.

The Securities and Exchange Commission has also become more invested in the
data security efforts of publicly traded companies.

Additionally, merchants and other entities that store or transmit payment
card data face obligations under the self-regulatory Payment Card Industry
Data Security Standard (PCI DSS) intended to ensure individuals' data are
protected at all times during a transaction.

Reputational Harm

An overarching theme regarding cybersecurity insurance buying decisions is
the real threat of a catastrophic impairment that could pose an existential
threat to even large businesses, analysts said. To a lesser extent,
companies are worried about harm to their reputation—especially if they are
victimized by a breach event but their competitors aren't, they said.

Enhancing resilience and having a cybersecurity insurance provider help
design a comprehensive regime that includes strategic, tactical and
everyday practices to harden defenses, engage employees, employ technical
attack-prevention tools and be fully prepared in the event a cybersecurity
incident does occur is another theme, the analysts said.

Companies also must realize cybersecurity threats aren't going away and
they need to confront the threat sooner rather than later.

There is also a push by some companies, particularly retailers, to require
their third-party vendors carry cybersecurity insurance, which in part
could in itself boost the cybersecurity insurance market.

And there's this: insurers themselves, because they hold sensitive client
information, may themselves be targets of hackers looking to monetize
stolen data.

Core, Ancillary Coverage

Generally, carriers now offer core coverage and then a suite of additional
products to complement that core, for an additional cost. The core of many
carrier products aims to protect against liability losses due to
unauthorized privacy disclosures and data breaches.

First-party costs can be covered, including paying for forensics to
determine the origins of an intrusion, required customer notifications,
legal fees and costs associated with crisis management: public relations,
investor relations, call centers to handle customer queries and credit
monitoring for affected individuals.

Other services offered include items such as social media liability
coverage, defence against lawsuits because of misused data and costs
associated with regulatory fines or penalties. Additional coverage may be
purchased to cover business interruption expenses, costs to restore or
recover data, deal with any attempted extortion of corporate data or data
systems and attempt to resolve the compromise of trade secrets or other
intellectual property.

Insurance companies beginning to operate more comfortably in the market are
now rolling out a more robust suite of ancillary services aimed in part at
assisting insured companies construct resilient defenses to help combat
cyber-attacks. Some firms, for instance, might advise customers on how to
harden their defenses.

Growth Potential

Future growth in the cybersecurity insurance market will be twofold: large
companies already possessing cybersecurity insurance will enhance their
coverage with additional complementary services and increase exposure
limits while small- and medium-sized firms that don't currently have
cybersecurity insurance will buy it.

Indeed, many specialists said they expect small businesses to play a central
role in maintaining the rapid growth of cybersecurity insurance sales
in the coming years.

Small businesses read about large company breaches, Robert Hartwig,
Insurance Information Institute president, said. “The reality is that they
are increasingly going to become targets of opportunity as other larger
businesses harden their defenses and smaller businesses become targets,” he
said.

“You're seeing a lot of innovation in this area. The insurers are
developing products that are suitable for smaller- and medium-sized
businesses across the country,” Hartwig said. “The reality is that
irrespective of size, irrespective of your corporate structure, you're
likely to be vulnerable—well, you are vulnerable,” he said.

According to a recent Standard & Poor's report, “high-profile attacks on
household names might give the impression that cybersecurity attacks are
mainly a problem for large companies, but small and midsize businesses are
also in the firing line. And these companies are often the least secure and
most vulnerable, and may not report many attacks. We expect this awareness
to lead to increased cybersecurity insurance take-up rates for these
smaller companies.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/