In our previous post, we started answering the question of whether specialty cyber policies are likely to respond to two of the top five cyber threats for 2017 identified by Experian Data Breach Resolution in its industry forecast. In this one, we examine the remaining three.
Experian predicts that the health care sector will continue to be the most targeted sector, with more attacks on hospital networks, and more thefts of electronic health records. Ransomware will continue to be a top concern, with a shift in emphasis from blocking access to systems to stealing information to sell or leverage for identity theft. In addition, recent Office of Civil Rights guidance has noted that ransomware attacks may be classified as breaches requiring notification under HIPAA, adding significantly to the cost implications of such events.
Coverage for cyber extortion is often provided in cyber policies, but the extent of coverage varies widely. While some policies limit coverage to the actual ransom payment, others cover a broad range of related expenses, such as the costs of investigating the validity and severity of the threat, hiring independent negotiators, and protecting against further threats. Until recently, notification of affected individuals may not have been required for extortion events and therefore was not included in coverage. Health care systems in particular should ensure that they purchase the broadest extortion coverage possible in light of these new requirements.
Focus on Payment-Based Attacks
Experian believes that hackers will continue to focus on obtaining payment card information in 2017. Although EMV chip technology (named for its original developers Europay, MasterCard, and Visa) is available to protect against point-of-sale (POS) fraud, adoption of the new technology has been uneven. U.S. retailers lag behind their overseas counterparts—this despite the fact that the major payment networks are shifting more liability for fraudulent transactions from the card issuers to merchants who do not use chip-enabled devices. Meanwhile, attackers continue to find new techniques to steal payment card data en masse using POS skimmers.
As noted previously, coverage is available for fines, penalties, and other assessments that must be paid to the payment card brands under card servicing agreements, but it is not automatically offered in a standard cyber policy. Policyholders who process credit card payments should obtain this specialized coverage. In addition, they should pay close attention to the specifics of the coverage. Some policy wording limits coverage to claims asserted by the card brands themselves, when in fact the direct obligation may be to the intermediate payment processor, who in turn is required to indemnify the card brand. Policyholders must also make sure that a standard policy exclusion for loss arising out of contractual assumption of liability or general breach of contract does not eviscerate the payment card liability coverage. Ideally, the coverage will include legal costs incurred in responding to payment card claims and the costs of any forensic investigation required by the card brands.
Big Headaches for Multinational Companies
The most damaging attacks are expected to be those involving the loss of international consumers’ data, in large part because of the proliferation of new rules regarding response plans and notification standards. The EU’s General Data Protection Regulation (GDPR) and new regulations poised to take effect in Canada and Australia will complicate matters and increase costs for multinationals. International consumers who are not used to being notified of breaches may be more vocal, and may stop doing business with companies in the wake of a breach.
The costs of notifying consumers as required by law or regulation—domestic or foreign—are generally covered by cyber policies, but companies may want to revisit the adequacy of their policy limits. And while companies can purchase coverage for income lost during a suspension or interruption of operations due to a breach, coverage is not generally available for business that is permanently lost as a result of consumer lack of confidence.
While coverage for all of these eventualities may not be available today, more will be available tomorrow as the risks become better understood and better managed. More importantly, companies should be proactive in pushing their brokers and insurers to provide insurance products that meet the known threats head-on.