Tag Archives: Cyber liability insurance

New York Issues Cyber Insurance Framework

Early this month, New York’s Department of Financial Services, the regulator for banks and insurance companies, issued guidance on cybersecurity insurance.

Unfortunately, the guidance was not to insurance customers; it was for insurance companies.

The regulator is concerned that big breaches may cause insurance companies to go out of business.

DFS advised insurers against paying ransoms, in part because they may run afoul of new Treasury Department regulations that consider those payments aiding terrorists.

Insurance companies had to pay out almost $3 billion after the NotPetya attack under policies that didn’t say anything about cyber events.

DFS wants insurers to consider 7 specific practices. These practices are designed to help insurers understand risk, set prices and control payouts.

None of this helps clients.

Attacks like SolarWinds may lead insurers to add exclusions, leaving companies without the very coverage they bought the insurance to get.

All this means that it is even more important than ever to have an insurance agent who is specifically knowledgeable in cyberrisk insurance.

Credit: CSO Online

What The Boardroom Thinks About Data Breach Liability

The New York Stock Exchange and Veracode surveyed 276 board directors or senior execs of publicly traded companies on the subject of data breach liability and I find the results interesting.

It is important to understand that these are very large companies and when it comes to cyber risk, they are likely at the top of the learning curve.  Still, what they think today is likely what the rest of the companies will think in a few years.

That said, here are some of the results:

  1. 90% believe that regulators should hold companies liable for breaches if they didn’t properly secure their data.  This answer really hinges on the definition of “properly”.  Still, these board members are not trying to get out of their responsibility, which I think is great.
  2. 90% also think that third party software providers should be held liable for vulnerabilities in their code.  While this sort of tracks with #1 above, if you are a software vendor and sell to big companies, I would worry about this.  If what this means is that they want you to fix the bug, that is not a big deal.  If what it means is that they want you to pay for the breach if the attackers got in due to a bug in your software, that is a BIG problem.
  3. 65% say that they either have already or are planning to include liability clauses in their contracts with software suppliers.  If you are a software vendor, this could dramatically affect your business and would likely change what cyber liability coverages you buy and at what amount and indirectly, your cost of doing business.
  4. When it comes to cyber insurance, 91% have some form of insurance including business interruption and data restoration.  54% have coverage for fines, breach notification and extortion.  35% say they want coverage for software coding and human error when it leads to a breach.  This last coverage is not well defined yet and could be expensive.
  5. 52% say they are buying employee or insider threat coverage.  This is smart because a goodly percentage of breaches are due to acts of omission or commission by insiders.

What is unclear at this point is what the regulators and insurance companies are going to demand.  Companies can wait for the regulators (like the very detailed proposed rules from the NYDFS) or companies can get ahead of the power curve.

What seems clear is that with insurance companies beginning to raise premiums and deductibles significantly (premiums in retail went up 32% in the first half of 2015; Anthem had to accept a $25 million deductible when they renewed their insurance this year), what is next is insurance companies examining business practices much more closely before granting or renewing coverage – some carriers have already started doing this.

Businesses have two choices – wait and hope they can scramble fast enough when the regulators or insurance carriers call on them, or get ahead of the power curve – and the choice is a business decision that may impact the future of the company.  Big NYSE companies can afford to hire experts when this happens and pay them $50 million to get their tushes out of a crack.  For smaller companies, even if that bill scales down to $5 million, it might be a problem.  And, even if you spend the money, the inside resources that are needed to execute these plans will likely be significant.

Interesting food for thought.

Information for this post came from Dark Reading.

4 in 10 Businesses With Cyber Insurance Have Filed A Claim

A Wells Fargo survey of 100 large and mid-market companies found that 85% have purchased cyber insurance and more than 4 in 10 have already filed a cyber insurance claim.

While that survey didn’t ask how much the claims were for, a NetDiligence study says the average claim is about $5 million.

Many factors affect the cost of cyber insurance, but a realistic guideline is $2,000 per million dollars of coverage; that number can vary a lot depending on the specifics of the business and the policy.

As insurers pay more claims, they are also raising the premiums.  Insurance companies have raised premiums 32% in the first half of 2015 alone for high risk businesses such as retail.  Insurance companies are also increasing deductibles.  Anthem had to agree to a $25 million deductible to get their policy renewed.  Businesses that do make a claim may discover that their policy won’t be renewed at all or the price for a renewal is out of their budget.

The breach-related lawsuits are not making insurance companies happy either.  They get to pay the legal fees in addition to the damages and judgments.  For the bigger policies, legal fees are above and beyond the policy limits – a $10 million policy might have to pay out $10 million for remediation and recovery and maybe another $10 million for legal fees.

Another scary statistic – Lloyds of London modeled a breach that left 93 million people in the NY-DC corridor in the dark.  The cost of that ranged from $250 BILLION to $1 TRILLION.  That is based on a hack which causes an extended outage.  If generation and distribution facilities are damaged to the extent that they have to be replaced, it could take a year or more to order and install new equipment: most of it is custom built, you have to wait in line, and almost none of it is built in the U.S.

Admiral Mike Rogers, head of the NSA, said that there are several countries that already have the ability to shut down the computers that manage the U.S. power grid.  Depending on how much damage is done, it could take months to even a few years to repair all the damage.

In the early 2000s, the Idaho National Labs demonstrated the ability to cause a generator to set itself on fire by hacking it.  The video is available on YouTube.

Unfortunately, this is only going to get worse before it gets better.

Information for this post came from NBC.

First Party vs. Third Party Cyber Liability Insurance

For those of us who are not insurance experts, the distinction may not be obvious.  As explained in more detail here, the difference is in who experiences the loss.

First party coverage covers damage to your business such as costs of notifying customers, purchasing credit monitoring services, repairing reputational damage or paying a cyber extortionist.

Third party coverage covers things like costs related to the theft, misuse or disclosure of other people’s information (customers, for example) that is stored on your network or infringement of the right to privacy, among others.  Third party coverage is more common.

This article discusses some of the myths surrounding first party coverage.

Another article, “Sizing Up Cyber Risks After The Sony Breach” says that DHS reported, after a late 2012 cyber security insurance workshop, that first party coverage is “expensive, rare and largely unattractive”.

Some people thought that their general commercial liability coverage (GCL) included cyber risks.  Some used to years ago, but very few do today as many breach victims have discovered after the fact.

The important point here is that cyber liability policies do not have standard, state-mandated language.  So it is important, as part of your business risk analysis process, to document what risks you want to be covered for and then validate that the coverage you currently have, or are planning to buy, actually provides it.  To do this effectively you need to estimate your costs from a cyber breach in each and every category, so that you can figure out what you can and are willing to absorb internally vs. what you want your insurance carrier to cover.  Unfortunately, this is neither a simple nor an exact process.

Parting thought — you cannot do this review after you are the victim of a cyber breach.  Even though everyone hopes it is going to happen to the other guy, that is not always the case.  Although Target, Home Depot and Sony get the press coverage, the breach that hit the Jimmy Johns sandwich chain this year, for example, also hit hundreds of mom and pop pizza and sub shops.