Cyber Liability Industry Update
2014 was just the beginning!
- Varied reports indicate there were 4,400 reported attacks or data breaches worldwide in 2014, more than double that of 2013.
- Large retail and banking corporations were hit by major attacks: Target (110M records), JP Morgan Chase (83M records), Home Depot (56M records) and Staples (1.5M records).
- Attack on Sony highlights the growing exposure for intellectual property attacks and cyber espionage.
- Insurers expect that breaches will continue to rise; with a focus on retail, banking and healthcare industries from the middle market up to publicly-traded companies.
2014 saw activity double, even triple, among recordable metrics for cyber breaches. From number of records breached to frequency of attacks, the uptick surpassed the previous recorded year. As criminals become increasingly clever about how they use stolen data, and our reliance on an interconnected world grows, vulnerability and exposure will remain high for any company handling sensitive data. It is not “if” but “when” you will be subject to an attempted breach.
The information criminals find valuable has changed
- After the mega retail breaches of 2014, consumers and their respective banks have gotten more efficient at identifying payment card data that has been exposed. The result, payment account information (Automated Clearing House (ACH), debit and credit) is frozen or cancelled at the first notice of fraudulent activity. The window for thieves to use or sell the data is shrinking.
- Criminals are targeting more advanced data. Instead of using fraudulent payment data, the desire is to set up entire fraudulent accounts without the individual knowing. Suspicious activity is hard to detect on a credit card you did not know existed.
- Some things truly are priceless. Although the underground marketplace for account information and Protected Health Information (PHI) is well established, other criminals – and especially government-sponsored hacking groups (China, Russia and North Korea) – value trade secrets, designs and supply chain information. Information that is crucial to a company’s competitive advantage should be stringently protected.
As industries continue to evolve to protect their sensitive data so do the criminals who want it, and they are ahead of the curve. In 2015, a personal health file will fetch more than seven times what financial account information was going for in 2014. The types of attacks will evolve more quickly than the security software to stop them. It will be imperative that, to the best of a company’s ability, information is not only secured but isolated, as much as possible, both digitally and physically.
“Cloud” is not code for “I’m covered”
- The migration of companies, large and small, that host their network and data in the Cloud will continue in 2015. Competitive fees, guaranteed uptime and fewer hardware concerns continue to entice companies to move their operations to major Cloud providers (Google, Amazon and Microsoft).
- Although the Cloud provider’s security may trump your own, the responsibility of the actual data lies with the customer. Most providers, as outlined in contract details, push all responsibility for any lost data on the customer, including statutory requirements like breach notification.
- Companies who utilize the Cloud will be constant victims of password stealing attacks and scams. As criminals struggle to penetrate the security of Cloud providers, they will focus their attention on the passwords of the individuals who access the Cloud on the company level.
Utilizing Cloud providers is a way to “rent” improved security when the infrastructure is not available on the company level; however, it is not a way to shift exposure away from the company. Access to the information in the Cloud is still only a user name and password away. The responsibility to investigate, fund and settle any known breaches will rely solely on the shoulders of the company who owns the information.
Regulators will be more aggressive in 2015
- 2014 saw the first Federal Trade Commission (FTC) action involving enforcement of fines against companies that handle sensitive data and do not have proper security protocol. Investigations are not only brought forth on the company but on the individual officers of the company as well.
- The Federal Communications Commission (FCC) issued $2M in fines and penalties in 2014 stemming from a failure to implement appropriate protections. With new funding and a stronger initiative from the executive branch, the FCC is poised to increase their activity.
- The Department of Health and Human Services increased their security team twofold to investigate and fine companies of all sizes from claims resulting in the loss of PHI. A regional health plan was fined $250K for the loss of one laptop containing 148 records.
- Regulatory bodies have made it clear that ENCRYPTION is the standard. If you are not encrypting your information, especially on mobile devices, you could be negligent.
- Penalties imposed by Health Information Technology for Economic and Clinical Health (HITECH) Act are still prevalent for negligence associated with loss of PHI. Fines can range from $50K per record up to $1.5M total.
Our regulatory bodies have taken notice of cyber activity and the damage it wreaks on both financial markets and consumer confidence. Empowered by the President’s directive on cyber security in the State of the Union, the regulatory branches are utilizing all resources to investigate and penalize those not properly securing consumer data. Regulatory investigations are often overlooked on cyber liability policies, but it can cost companies in excess of six figures to investigate, discover and settle. Know which regulatory agency oversees your industry and ensure that proper coverage is in place to cover investigations.
Cyber Liability may be a Directors & Officers problem
- The first real Directors & Officers (D&O) claim related to a cyber breach was dismissed in 2014 (Wyndham Resorts). The claim was made that the directors and officers of the corporation failed to prioritize cyber security. Although dismissed, it opened the door for future litigation.
- Cyber activities, or acts related to the release of confidential information, can be excluded under D&O policies. Make sure to review forms and exclusions thoroughly, especially if you are in a vulnerable industry.
Shareholders have a vested interest in cyber security as well. Officers of a corporation have a responsibility to oversee and manage cyber risk. Despite there being no current precedent, claims may be brought forth against individual officers of corporations who neglect to take cyber security seriously or fail to budget for proper protection and protocols.
Just filling out your application does not impress your Underwriter
- Although the cyber marketplace for insurers continues to grow so have the losses. What is often not known is that the insurance coverage on large news-breaking losses typically is shared between carriers, with each one covering only a portion. The result is that all carriers suffer a loss on large $100M+ attacks. Carriers are becoming pickier about the security and controls in place for companies, especially those in a typically targeted industry (retail, financial and healthcare).
- Consider your Cyber Liability application as an audition for your underwriter. Provide any disaster recovery plans you have in place, explain all the security protocols you utilize, offer explanations when simple “yes/no” answers do not truly explain. If your company is uniquely complex, you should be conversing with your underwriter annually.
- Always submit the biographies of key people within your organization, especially those in the Information Technology department.
Insurance carriers continue to struggle with properly underwriting Cyber Liability coverage. The loss history to accurately model what to expect is not present and the attacks are ever evolving. With this much uncertainty, it is crucial that every step is taken to build familiarity and comfort with underwriters. Rates for Cyber Liability are not set it stone; coverage can be rated on records, revenues and/or employee count and the price is often times at your underwriter’s discretion. First impressions are critical; when submitting your application, make sure you are painting the best picture of your organization.