The subject of cybersecurity risks, which the National Association of Insurance Commissioners' Chief Security and Information Officer Frosty Mohn presented at NAIC's Insurance Summit in Kansas City, MO last week, has taken on greater significance as consumer financial and health information is increasingly being stored in electronic form. Cyber risks include identity theft or inadvertent disclosure; theft of digital assets, such as customer lists and trade secrets; business interruption from a network shutdown; introduction of malware; and damage to a business’s reputation. In response to these relatively new risks, insurance regulators have begun urging businesses to secure cyber-liability insurance and pressing insureds to shore up their defenses against cyber attacks.

In April 2015, the NAIC’s Cybersecurity (EX) Task Force adopted and issued 12 Principles for Effective Cybersecurity: Insurance Regulatory Guidance. The NAIC Guidance encouraged insurers and regulators to join forces in identifying risks and adopting practical solutions to protect the critical information entrusted to them.

The Task Force also developed the NAIC Roadmap for Cybersecurity Consumer Protections (Roadmap), which was adopted by the NAIC Executive (EX) Committee at the end of 2015. The NAIC Roadmap details what protections the NAIC believes consumers are entitled to expect from insurance companies, agents and other businesses following a data breach.

To gather financial performance information about insurers writing cyber-liability coverage, the Task Force also has worked with the NAIC's Property and Casualty Insurance (C) Committee and Financial Condition (E) Committee to develop a "Cybersecurity and Identify Theft Coverage Supplement" to be included with insurer financial statements.

The NAIC also recommends that businesses secure a cyber-liability policy, noting that most standard commercial policies do not cover many of the cyber risks noted above. But cyber risks remain difficult for underwriters to quantify. The lack of actuarial data requires that insurers qualitatively assess the business’s risk management procedures and culture, and insurers writing such coverage will want to know the business’s risk-management techniques for protecting its network and assets, its antivirus and anti-malware software, how its employees and others are able to access data systems, and its data breach response plan.

Because cyber risk policies are more customized than many other types of risk that insurers take on, they tend to be more costly. Such policies might include one or more of the following types of coverage: liability for security or privacy breaches; the costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers; and the costs associated with business interruption.

The NAIC, insurance companies and the world at large are becoming increasingly aware of the importance of cybersecurity issues. We will continue to stay at the forefront of these changes and publish updates as they arise.

ICYMI...

Noteworthy links from the past two weeks

General

  • An environmental advocacy group claimed the insurance industry is overly exposed to energy investments that may be negatively impacted by climate change [Bloomberg]
  • Federal Reserve Governor Turillo discussed upcoming risk based capital rules for Systemically Important Financial Institutions [Law360, Business Insurance, Reactions]

Property and Casualty

  • The Federal Emergency Management Agency announced changes to the National Flood Insurance Program in response to Sandy [Wall Street Journal]
  • The usage-based auto insurance business continued to grow [Insurance Journal]

Life and Health

  • Minnesota sued some life insurers over unclaimed benefits [CBS Minnesota]
  • The Supreme Court punted on its Affordable Care Act contraception case [The New York Times]