Public, large-scale cyberattacks on private companies like the Target data breach, the ransomware attack on the San Francisco Municipal Transportation Agency, the Mossack Fonseca breach (think Panama Papers), or the 2017 Equifax breach have continued to shed light on the importance of data security and the constant potential for future cyberattacks and hacks. The Equifax breach, which only came to light for the general public in September 2017, though it was discovered by the company in July 2017, is estimated to have allowed around 145.5 million people’s private information to be accessed by hackers. Cyberattacks and data breaches not only put individuals’ personal data in jeopardy and hinder businesses from normal operations, but they also cost a great deal of money. The 2016 Target data breach is currently projected to have cost around $450 million, potentially reaching $1 billion in costs related to the attack by year-end 2017. A New York Times article on November 9, 2017 reported that the data breach has already cost Equifax $87.5 million, not counting the loss in stock value for the company or the numerous costs that are projected in the future (like the many lawsuits brought or yet to be brought against the company by plaintiff attorneys). Statista estimates that “the average cost of cyber crime amounted to 17.36 million U.S. dollars in 2016.” The bottom line is that cyberattacks are costly for companies, and those costs undoubtedly are pushed onto consumers, who may see increased costs due to companies dealing with data breaches and cybersecurity issues.

Cybersecurity insurance is a fairly new entity within the realm of insurance products. But as cyberattacks and data breaches become a daily obstacle for companies, cybersecurity insurance is becoming more and more common. The United States Department of Homeland Security (DHS) encourages companies to obtain cybersecurity insurance so that, in the face of future attacks, the companies’ costs are mitigated. The DHS webpage encourages companies to incorporate cybersecurity insurance into their insurance coverage framework.

But cybersecurity insurance companies, like all of their other insurance company counterparts, are in the business to make money, and certain actions or activities, though related to cyberattacks or data breaches, could be excluded from coverage according to the plan picked by the company. One of the most common exclusions highlighted by the DHS is that physical harm or damage to persons is often excluded from cybersecurity insurance coverage. Since traditional commercial liability and property insurance policies usually do not cover cyber-related risks, hence the need for specific cybersecurity insurance, companies could be left in the middle trying to determine which policy applies in certain situations. For example, what if, instead of simply a ransomware attack, the San Francisco Municipal Transportation Agency were confronted by a different cyberattack that took control of the trains, causing massive damage and bodily injury? Under some cybersecurity policies, the physical collateral damages of the breach might not be covered. While it is likely that traditional commercial liability insurance policies would cover the damages, it is not certain, and one shrewd insurance agency may try to circumvent a potentially massive policy payout by claiming that the physical damage was caused by an uncovered cyberattack.

At a recent symposium for the Journal of Law and Cyber Warfare held at Cardozo Law School on November 9, in which military and private sector personnel were presenting, discussing, and questioning the current status of cyber security, another potential issue was raised related to cybersecurity insurance. Currently, under United States domestic and foreign policies, cyberattacks on private companies (or cyberattacks on government agencies), even when the attacks could reasonably be attributed to foreign state-backed actors, are mostly left up to the private companies, which must comply with policy and deal with the costs and ramifications related to the attack. The costs of cyberattacks continue to fall on private companies regardless of whether the attack came from private or potentially state-backed actors.

Another issue related to cybersecurity insurance that the courts may have to step in to resolve is the standard of care required for insurance coverage. In a hypothetical posed at the symposium mentioned above, an audience member asked various cybersecurity insurance executives whether their respective companies would cover a cyberattack in which a company fails to timely download a software patch that had been out for weeks or even months, allowing a hacker to take advantage of the system’s vulnerabilities to cause massive financial or physical damage. Potentially due in part to the fact that cybersecurity insurance is still trying to prove itself as necessary to companies, the executives all expressed willingness to offer coverage under the policies even when the patch had been out for a few weeks or even a month or two. The executives did acknowledge that, of course, there is generally a negligence exception in insurance policies that would require the insured company to maintain some standard of care in terms of cybersecurity. They, as well as the audience, seemed unsure where that standard lies. It may be that this standard stays murky until an insurance provider balks at the complete lack of cybersecurity maintenance on the part of the insured and refuses coverage of a claim. Hopefully Equifax (for the company’s sake) is not the guinea pig for this issue, and while unfortunate for many of the third-party individuals whose private information was taken, it is unlikely that this will be anywhere near the last massive cyberattack and data breach that plagues companies and consumers.

Finally, even if companies obtain cybersecurity insurance, as more and more companies are today, the amount of liability coverage acquired by the company is likely woefully inadequate to cover the actual costs of the attack or breach. Target had cybersecurity insurance that covered $100 million. The costs for Target’s data breach, as stated above, are currently around $450 million, with costs estimated to reach $1 billion. Similarly, unnamed sources from Equifax assert that the company has cyber security insurance that covers between $100 million and $150 million. Only a few months into the public knowledge of the breach, it has already cost Equifax around $87.5 million. As companies strive to protect themselves (and hopefully their consumers) from cyberattacks and data breaches, careful picking of cyber insurance plans with large coverage options (likely with a high premium attached) would be to the benefit of companies in the long run due to the huge costs associated with data breaches and cyberattacks and the inevitability of further attacks and threats in the future. — Jenae D. Ward

 

 
