Even at Sony, cyber security was a hot topic before Kim Jong-un took an interest in Seth Rogen’s oeuvre. In 2011, hackers gained access to the personal and financial information Sony had collected on more than 100 million participants in its on-line gaming networks. The incident was the subject of more than 60 class actions, for which Sony announced a settlement last summer.
Sony’s plight illustrates one facet of the interrelationship between cyber risk and insurance. Sony sought coverage for the data breach under a traditional Commercial General Liability policy, contending that the class actions asserted claims for “personal and advertising injury.” Early last year, in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), a state court in New York ruled that the language of traditional policies isn’t broad enough to fit these new-fangled risks, because it covered claims for wrongful “publication” by the insured, not by unauthorized “hackers.” A Connecticut court had come to a similar conclusion in an unrelated case one month earlier. (The Zurich decision is currently on appeal.)
Since 2011, therefore, corporate America has demanded insurance products that address the risks of data breach and other “cyber” events. Insurers have seized the opportunity, collecting $2 billion in cyber-insurance premiums in 2014—up from only $600,000 as recently as 2010. But the products for which those premiums paid are still new, and some of the assumptions underlying them are still untested. Government efforts to strengthen those assumptions are just getting off the ground.
Cyber Risk as a Regulatory Issue
As businesses scramble to address this problem, it often goes unremarked that insurers themselves are doubly vulnerable. Like their business customers—but, in most cases, on a vastly larger scale—insurers store sensitive personal, medical and financial information about individual insureds and claimants. This makes insurers potential victims, either of hackers or of system malfunctions. At the same time, insurers are responding to explosive market demand by underwriting risks whose full dimensions remain untested, exposing them to losses based on attacks against their insureds.
For insurers, therefore, cyber risk is not just an underwriting issue; cyber risk is also a regulatory issue. Government officials charged with regulating the insurance industry are paying close attention to all of the ways in which cyber security problems can potentially impair an insurer’s solvency. As early as 2010, Connecticut’s Insurance Department issued a bulletin to all of its regulated entities, including insurers, agents, adjusters and others, spelling out the Department’s notification requirements for data breaches.
In November 2014, the National Association of Insurance Commissioners (“NAIC”) created a “Cybersecurity Task Force” to address cybersecurity issues. The task force, whose membership will soon be announced, was formed to:
- Monitor developments in the area of cybersecurity.
- Advise, report and make recommendations to the Executive Committee on cybersecurity issues.
- Coordinate activities with NAIC standing committees and their task forces and working groups regarding cybersecurity issues.
- Represent the NAIC and communicate with other entities and groups.
- Perform such other tasks as may be assigned by the Executive Committee.
PropertyCasualtyFocus recently sat down with the Connecticut Insurance Department’s Deputy Commissioner, Anne Melissa Dowling, and its Communications Director, Donna Tommelleo, to discuss the Department’s regulatory concerns with cybersecurity. Commissioner Dowling, who has a special interest in this topic, will serve as a member of the NAIC’s task force this year.
Commissioner Dowling observed that insurers face some unique challenges with respect to consumer data. Insurers do not just store more personal data than most other companies; they have also been doing so for far longer, with the result that much of the data is stored in a patchwork of legacy systems. Insurers are also receiving and collecting new kinds of information, such as data from telematics, which might be used or abused in unforeseen ways. And in many cases, insurers cannot reduce their risk by destroying old data, because they are required by law to maintain it over the life of a policy.
Connecticut’s Department has therefore taken a proactive approach in its oversight of cybersecurity. Periodic examinations of insurers by the Department’s Financial Analysis unit now routinely include analysis of each insurer’s cybersecurity protocols and procedures. Among other things, that analysis considers:
- Logical access controls – who has access to system resources, and how that access is managed
- Use and monitoring of security hardware, such as firewalls and intrusion detection systems
- Use and monitoring of anti-virus, anti-malware, and security patching software
- Incident reporting and escalation procedures
- Back-up and recovery
- Penetration testing
The Department is also moving toward efforts to ensure that regulated entities adopt stand-alone cybersecurity policies and procedures, rather than subsuming cybersecurity into a broader set of corporate security policies.
As cyber insurance grows in importance as a resource for protecting businesses against losses from data breaches and other incidents involving cyber security, the Connecticut Department is monitoring the increased solvency risk that issuing cyber insurance entails. Given both the rapid growth of these products and the potential enormity of the underlying exposures, the Department is seeking assurance that they do not push the boundaries of underwriting that was performed, and reserves that were set, long before the term “data breach” entered the lexicon.
In this context, the Department is exploring issues relating to particular insurers (such as levels of reinsurance), as well as broader issues—for example, whether the recently renewed Terrorism Risk Insurance Act (“TRIA”), which provides coverage relating to acts of “war” that cause “physical damage,” will respond to losses caused by “cyber-terrorism” and other crimes committed by individuals, non-state organizations or (as in the case of Sony) rogue regimes.
These concerns are informing and deepening the Department’s traditional analyses of the financial health of regulated entities. They are also stimulating close scrutiny of new products designed to underwrite cybersecurity risks. Insurers that are developing these products should now be prepared to present regulators with detailed defenses of their underwriting assumptions.
Regulators in other industries offer further guidance and raise additional concerns. The New York Department of Financial Services has released guidance for banking entities. The Chairwoman of the Federal Trade Commission recently addressed data privacy problems raised by the increasing use of connected devices, such as fitness trackers and “smart home” devices. The Department of Homeland Security has a dedicated division addressing cyber-security and providing guidance.
In sum, as electronic data storage has become ubiquitous, inadvertent or wrongful disclosure of personal data is creating an increasingly expensive sphere of risk and exposure. As in all affected industries, insurers and their regulators continue to work diligently to prepare for the multiplying threats posed by data breaches. Meanwhile, an unseen army of hackers is working just as diligently to find ways around new security protocols and procedures.