At the 2017 America’s Claims Event, a panel discussed the threat of cyber attacks and data breaches. The panel was:
- Jennifer Coughlin – Partner, Muller Coughlin
- Danielle Roth – Team Leader Cyber, XL Catlin
- Atari Soni – Senior Vice President Cyber Claims Advocacy Leader, Marsh USA Inc
Cyber policies are different from other coverage in that there is both first party and third party coverage. The first party coverage is for breach response. The carrier will work with the insured to determine what happened, whether it is ongoing, and to mitigate the threat. They will also work with the client to ensure they satisfy any regulatory requirements regarding notice of the data breach. The third party coverage is for any liability of the insured to third parties that arises from the breach.
Other coverages that may apply to a cyber breach include:
- Data interruption
- Data recovery and restoration
- Cyber extortion
- Crime policy
- Supply chain disruption
Most cyber-based policies also include technology errors and omissions. They also include media liability, which covers defamation, infringement, copyright violations, etc. that result from the data breach. There has been a shift in the cyber market in that these products cover more than just electronic data breaches; they also cover physical loss of information. Total cyber protection requires a complex combination of a wide variety of policies that provide coverage for every potential loss that could happen under a cyber loss.
No matter how strong your cyber protection policies are, your weakest link is your people. It is important that you train repeatedly on efforts to prevent cyber breaches. Background checks are also important to uncover individuals who may have a criminal history of fraud. One company they referenced hired a payroll manager who had falsified their background. She stole millions from the company before it was uncovered (after she had been terminated). When they ran the person’s social security number later they found it to be false.
The time to develop your cyber response policy is before a breach. This includes decisions around which experts to retain including attorneys. You do not want to be spending time to vet attorneys and vendors during a cyber breach. Time is of the essence during a cyber breach. Minutes can make a huge difference in mitigating the loss.
Right now there is no movement in the carrier marketplace to standardize policies so that they all cover the same elements. Because of this you see lots of variation in the marketplace as carriers try to make their products “stand out”. Carriers are changing their policies constantly as new threats emerge. This variation also creates the challenge of making sure all the potential risks an insured would face are covered. Cyber-related endorsements have become commonplace in other product lines.
Cyber claims are evolving. Ransomware claims have been around a few years, but their frequency is increasing significantly. These types of claims involve someone gaining unauthorized access to your system and encrypting it so that you cannot access your files without paying a “ransom”. In the past, ransomware attacks were quick and focused on securing the payment. Now they tend to involve months of intelligence gathering before the attack; the ransomware is deployed only after the attackers have obtained a significant amount of data from your system. The panel said that 70% of the time clients pay the ransom, as they lack sufficient backups to restore their systems or the cost of restoration is well above the cost of paying and cleaning up.
It is important to do a forensic investigation into a ransomware attack to know how the attackers got into your system. It is also important to review the decryption key that the hackers send, as what they send could contain additional malware that activates in the future.
Ransomware often goes unreported for many reasons. Sometimes the company may not want people to know they were hacked. At times the internal IT department may not disclose that they are paying off ransomware attacks as the payments fall within their budget and they don’t want senior management to know about it.
The financial loss of a ransomware attack is just the beginning of the challenge. There can be significant business interruption while you are unable to use your computers that have been locked down from a ransomware attack. Hospitals have been hacked causing them to essentially shut down for several days because they could not access their patient records and billing systems. This caused significant disruption in the lives of their patients who had treatments scheduled during the time the hospital’s systems were locked down.
Phishing emails are much more sophisticated these days, as they often appear to be legitimate. It is important to hover over the email address to make sure the actual address matches the name and domain name of the sender. A very common target for these emails is people in HR who have access to employee W-2 information. The sender will appear to be a company executive who requests a PDF file of employee payroll records. This information is then used to file false tax returns. This stresses the importance of taking the time to review emails very carefully before sending anyone an email with personally identifiable information, even if the email initially appears legitimate.
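The “hover over the address” check described above can be automated on the From: header. This is an added example, not from the panel or any vendor; the organization domain, the executive names and the sample headers are constructed for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the company's own mail domain and the
# executives whose names are commonly spoofed in W-2 / payroll requests.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, org_domain=ORG_DOMAIN, executives=EXECUTIVE_NAMES):
    """Return a list of red flags for a From: header; an empty list means none.

    Automates the 'hover over the address' check: the display name is compared
    with the real address and its domain.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["malformed or missing sender address"]
    domain = addr.rpartition("@")[2].lower()
    name_l = name.strip().lower()
    flags = []
    # Display name shows an address at a different domain than the real sender
    m = re.search(r"@([\w.-]+)", name_l)
    if m and m.group(1) != domain:
        flags.append(f"display name shows @{m.group(1)} but address is @{domain}")
    # An executive's name arriving from outside the organisation
    if name_l in executives and domain != org_domain:
        flags.append(f"executive name '{name}' sent from external domain {domain}")
    # A domain that is almost, but not quite, the organisation's own
    if domain != org_domain and edit_distance(domain, org_domain) <= 2:
        flags.append(f"lookalike domain {domain} resembles {org_domain}")
    return flags
```

A mail gateway rule or an HR mailbox filter can route any message with a non-empty flag list to a quarantine or a “verify by phone before replying” folder.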
If you handle credit cards there are certain universal standards that must be met in the event you have a cyber breach. There are other laws that apply to the healthcare industry. There are currently 48 states that have some form of cyber breach laws requiring reporting to both state and federal regulators, anyone impacted by the breach, credit monitoring agencies, the media, etc.
They have also found that some regulators are inconsistent in how they enforce their policies. Many of these cyber laws also include significant fines paid to regulatory agencies so some of them view this as a moneymaking opportunity.
An area where more claims are expected in the future is professional liability. For example, if a law firm has its files breached, it could be sued under professional liability for violating client confidentiality.