For most companies it is no longer a matter of ‘if’ they will become the victim of a data breach but a question of ‘when’. With the likes of Target and TalkTalk suffering significant data breaches in the past few years, it is no wonder that the market has turned its attention to cyber risk and its impact.
Impact on financial lines
Cyber attacks have now overtaken economic weakness as the main cause of concern for UK banks. Directors and officers are increasingly being pursued in relation to data breaches and cyber hacks as the pressure to protect consumers’ information increases, with the result that D&O and financial lines (FI) policies, which are not built to respond to such threats, are being triggered.
A lack of regulation in Europe governing the response to cyber breaches, compounded by a general lack of understanding of cyber risks, has meant that standalone cyber policies are not popular in the current UK market. This has left other forms of insurance more exposed to these large losses.
The landscape is changing, as the European Commission (EC) attempts to bring the European Union up to speed with United States regulations on data breaches. On 15 December 2015 the EC reached agreement on the European Data Protection Regulations (EDPR), which are due to be adopted in spring 2016 and to come into force in spring 2018.
Companies will be required to make mandatory notifications of a data breach to consumers and regulators on all cyber breaches (currently companies are only required to notify serious breaches). Listed companies must also notify the stock exchange.
The Information Commissioner’s Office can currently issue fines for breaches of information of up to £500,000. However, with the EDPR in force, companies could face penalties of up to €2 million or 4% of the company’s turnover (whichever is the greater).
D&O and FI policies will typically respond to investigations and regulatory proceedings that may occur following a cyber breach. With increased scrutiny of cyber breaches by regulators, could we see more claims of this type attaching to these policies? Further, could such activity be compounded by increases in fines and penalties, leading to large exposures in cover?
Policies may also include extensions to provide for public relations expenses, reputation protection expenses and pre-investigation costs. While these extensions are unlikely to cover expenses surrounding the new requirement to notify consumers of any and all data breaches, significant losses could be incurred if these extensions are not sub-limited appropriately.
Third parties that are affected by a cyber attack are also likely to bring a recovery claim for any losses they have incurred in respect of a company’s data breach. A good example of this was the Target data breach. Visa and Mastercard brought claims against Target in respect of Target credit cards that were issued by Visa and Mastercard. The third party loss was the cancellation and replacement of all the credit cards provided by Visa and Mastercard on behalf of Target.
However, it seems the biggest exposure is to shareholder actions and securities class actions from investors and shareholders holding the companies and/or their directors and officers accountable for misinformation about cyber breach policies, procedures, and notification when there is a breach. Ultimately, such exposure is likely to lead to losses arising from a fall in the share price or the value of that investment caused by cyber attacks.
On the other side of the coin, the EDPR could see a rise in popularity of stand-alone cyber policies, in order to provide comprehensive cover for third party liability, breach response, remediation costs, business interruption and fines and penalties. Whilst there does not appear to be a trend in cyber exclusions within D&O and FI policies and cover remains fairly broad, we may see companies obtaining cyber policies in addition to these policies purely for the advice and expertise available from data breach coaches on how to respond when such incidents occur. This would leave the D&O and FI policies to do what they were intended to do.