As summer comes to a close, road repair crews across the country are identifying the street repairs and potholes that must be filled before the cold weather approaches. Now is also a good time for policyholders to identify some of the “potholes” that may accompany their claims-made insurance policies and get them filled before it is too late.
Every single industry or business in this day and age has either been the victim of a cyber attack or is concerned they will be next. A few examples from the last couple of months show how widespread the problem is. In June, a global ransomware attack quickly spread across 64 countries, impacting organizations from law firms, banks and governments to food producers and hospitals. The attackers demanded $300 in Bitcoin—approximately $977,000 U.S. dollars in total—from each victim to unlock their data. At the annual DefCon computer security conference in late July, hackers took less than 90 minutes to hack voter-ballot machines and at least one hacker even broke into the system wirelessly, suggesting that U.S. computer-ballot boxes may be susceptible to attack.
The costs and penalties associated with a cyber attack or data breach should not be underestimated. For example, NPR recently calculated the average cost of a health care breach at more than $2.2 million, “not to mention the reputation damage.” And the FCC recently ordered AT&T to pay $25 million in connection with the exposure of more than 250,000 U.S. customers’ information.
Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
On May 12, 2017, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” encrypts files and then threatens to destroy them unless the victim pays a ransom. In a Pillsbury client alert, colleagues Jamie Bobotek and Peri Mahaley opine on this recent attack and stress the need to take the time now to review and confirm your cyber-privacy insurance.
Cyber sages tell us the question is not whether your business will suffer a data breach, but when. To prepare for the inevitable, businesses want to know what the next threat on the horizon is. In the past few months, experts have offered many views on the top cyber trends for 2017, and plenty of advice about security measures companies should take in light of these predictions. But if some loss is a given, businesses also want to know if there will be insurance to cover that loss. We look at some of the forecasts and try to answer that question.
In its Fourth Annual Data Breach Industry Forecast, Experian Data Breach Resolution, a vendor of data breach response and protection services with a track record of handling high-profile incidents, identified five top data breach trends for 2017. We’ll address the first two of those trends in this post.
The vaults of the world’s financial capital are getting stronger locks. On March 1, 2017, new “first-in-the-nation” cybersecurity regulations of the New York Department of Financial Services (DFS) went into effect to protect consumers and the financial system from cyber attacks. While the regulations apply to covered finance and insurance companies, their influence is likely to be felt beyond the companies targeted initially. For this reason, it’s important that all companies with cybersecurity risks understand how the new DFS regulations work, and the insurance coverage issues they may raise.
Out of the blue one morning, a destination hotel’s operator receives an email informing it that the hotel’s computer and electronic key systems have been infiltrated, leaving the hotel locked out of its own computer system and, even more distressing, preventing hotel guests from utilizing their key cards to gain entry to their rooms and other hotel amenities. The email demands payment in the amount of 2 Bitcoin (approximately $1,900) to restore computer and key card functionality, which will double if not paid by the end of the day. The email provides details to access a Bitcoin wallet to make the payment, and then ends by stating, “Have a nice day!”
While our brains may feel like they are fused with the computers, smart phones, and other devices we use on a constant basis, a direct connection between these machines and our brains is still (mostly) a thing of the future. So, even as companies continue to strengthen and refine their network security systems against cybercrime, the human brain can remain a weak link for criminals to exploit. Unfortunately for some policyholders, this time-honored tactic of targeting the human element involved with a technology may actually fall right into a gap in companies’ insurance coverage, as highlighted in the Fifth Circuit’s decision this month in Apache Corporation v. Great American Insurance Company.
Insurance is not only a risk transfer tool, but also a valuable asset. Certain coverages, however, are not purchased or pursued by multinational companies transacting business in the United States because there are nuanced differences between international and U.S. insurance programs and law. These companies, often with global offices, will be best served by having counsel experienced in such nuances conduct a diagnostic review of their insurance policies. Not only may potential coverage gaps be identified, but a company will be better able to plan ahead and negotiate more favorable coverage terms before a loss arises.