SAN FRANCISCO – Cyber insurance has been around for 25 years, but experts say AI, new privacy laws and rapidly evolving threat vectors are challenging insurers to rethink risk and how they advise their customers to play it safe.
At a panel discussion here at the RSA Conference titled “The Art of Cyber Insurance: What's New in Coverage and Claims,” panelists tackled recent trends affecting the underwriting process, coverage, claims, and regulatory and legislative developments.
Peter Hedberg, a senior underwriter with Corvus Insurance, cited several industry moving targets, including a lack of standard policy terminology. He said each underwriter defines new and evolving technology differently, such as AI and endpoint detection and response, with no standard industry definitions.
This dearth of common language, he said, can create unintended confusion when companies are comparing one cyber insurance policy to another.
“When your CFO is buying insurance, the general liability, the property, the auto, those are all standardized. ... Cyber insurance is not standardized. Every insurance company has their own wording,” said Monique Ferraro, panelist and counsel at HSB.
As with definitions, policies that protect against new adversarial tactics, such as attacks that adopt AI or leverage novel malware techniques, are equally hard to underwrite. The challenge is how to assess risk based on events that were previously not considered or are not yet well understood.
Regulatory challenges
Regulatory and legal issues are also creating new cyber insurance pain points, said Violet Sullivan, AVP cyber services with Crum and Foster.
One example cited is a 2022 North Carolina state law barring public entities, such as schools, municipalities, and water and power authorities, from paying a ransom to decrypt data. For some insurance companies, writing a policy that protects a North Carolina business from losses tied to a business interruption caused by a ransomware attack is out of the question.
“Why would I want to write cyber coverage in [North Carolina] right now?” Hedberg said. A business interruption policy could cover a “never-ending loss until my limit gets cooked,” he said.
That’s forced insurers to be hyper-vigilant about how regulations vary across jurisdictions and affect policies. And that vigilance doesn’t stop there, Sullivan said. Companies need to keep an eye not only on new rules, but on old ones too.
Dusting off old laws for new litigation
“There's a lot of what I call 'zombie litigation,' where old laws are being used for things they were never intended for,” Sullivan said.
One example involves the use of technologies like Pixel tracking and web beacons by well-intentioned websites. Plaintiffs have successfully pursued claims that the use of Pixel tracking software violates HIPAA and PHI privacy rules. Lawyers argue that websites are illegally culling user data via Pixels, web beacons, cookies and IP addresses.
“You probably hired a marketing company to build a website, and the marketing company turned Pixel tracking on and you probably don't know it yet,” Hedberg said.
Lawsuits center around allegations that a company violated privacy regulations, such as GDPR or HIPAA. This includes fines, penalties, and legal costs associated with defending against such claims, often triggered by failures in data handling and protection. These lawsuits force companies to expend significant resources defending practices that are generally accepted.
Sullivan said that aggressive attorneys are "dusting off the books" of near-obsolete laws, like the 1988 Video Privacy Protection Act, to bring cases against websites.
“This law, enacted decades ago, was not designed to address the complexities of digital data exchange and privacy concerns that exist today,” Sullivan said. “We don't have good rulings yet from judges saying, ‘Stop filing these stupid lawsuits’. Until we do this is going to continue.”
Cyber insurance takes an unexpected twist
While the top five cyber insurance claims are data breaches, ransomware attacks, business email compromises, system interruption, fraudulent fund transfers and privacy law violations, niche areas of cyber insurance are becoming more common. According to Ferraro, those emerging cyber areas include:
- Personal cyber insurance: This covers personal devices and home systems, such as cars and smart home devices like garage doors and refrigerators. Increasingly, this type of personal cyber exposure is being viewed as corporate exposure.
- Cryptocurrency: Cyber insurance that covers cryptocurrency wallets and exchanges and the theft of digital currencies and breaches of exchanges.
- Cyber insurance for autos: Policies protect against data breaches that could affect automobiles, such as if a car's computer system is hacked or compromised.
- HVAC and refrigeration systems: Coverage that protects if a cyber event takes refrigeration systems offline (like in a large grocery store).
Advice from the pros
For companies renewing or considering policies, panelists suggest understanding exposure when it comes to first-party risk and third-party risk. First-party coverage typically includes direct losses to the company, such as data restoration and business interruption, while third-party coverage relates to liabilities toward other parties, such as data breach notifications and legal claims. A company can be exposed as both the first party and a third party in a liability chain.
Not all cyber insurance policies are the same, and coverage can vary widely, the panel stressed repeatedly. For that reason, companies should carefully review potential policies to ensure they include coverage for the types of incidents and damages that are most relevant to their specific risk profile. This may include coverage for ransomware attacks, system failures and legal fees associated with data breaches.
Legal and marketing need to talk more, Sullivan said, to avoid exposure to Pixel and web beacon nuisance suits.
“Legal needs to know the information that's being collected. These systems can collect IP addresses paired with keystroke timing. It’s not like the person entering that information did not give consent. But that hasn’t stopped lawyers from filing huge lawsuits, even if there's no basis for it.”