Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
On May 12, 2017, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” encrypts files, and then threatens to destroy them, unless the victim pays a ransom. Colleagues Jamie Bobotek and Peri Mahaley opined about this recent attack and stress the necessity to take the time now to review and confirm your cyber-privacy insurance in a Pillsbury client alert.
Cyber sages tell us the question is not whether your business will suffer a data breach, but when. To prepare for the inevitable, businesses want to know what is the next threat on the horizon. In the past few months, experts have offered many views on the top cyber trends for 2017, and plenty of advice about security measures companies should take in light of these predictions. But if some loss is a given, businesses also want to know if there will be insurance to cover that loss. We look at some of the forecasts and try to answer that question.
In its Fourth Annual Data Breach Industry Forecast, Experian Data Breach Resolution, a vendor of data breach response and protection services with a track record of handling high-profile incidents, issued and identified five top data breach trends for 2017. We’ll address the first two of those trends in this post.
The vaults of the world’s financial capital are getting stronger locks. On March 1, 2017, new “first-in-the-nation” cybersecurity regulations of the New York Department of Financial Services (DFS) went into effect to protect consumers and the financial system from cyber attacks. While the regulations apply to covered finance and insurance companies, their influence is likely to be felt beyond the companies targeted initially. For this reason, it’s important that all companies with cybersecurity risks understand how the new DFS regulations work, and the insurance coverage issues they may raise.
Out of the blue one morning, a destination hotel’s operator receives an email informing it that the hotel’s computer and electronic key systems have been infiltrated, leaving the hotel locked out of its own computer system and, even more distressing, preventing hotel guests from utilizing their key cards to gain entry to their rooms and other hotel amenities. The email demands payment in the amount of 2 Bitcoin (approximately $1,900) to restore computer and key card functionality, which will double if not paid by the end of the day. The email provides details to access a Bitcoin wallet to make the payment, and then ends by stating, “Have a nice day!”
While our brains may feel like they are fused with the computers, smart phones, and other devices we use on a constant basis, a direct connection between these machines and our brains is still (mostly) a thing of the future. So, even as companies continue to strengthen and refine their network security systems against cybercrime, the human brain can remain a weak link for criminals to exploit. Unfortunately for some policyholders, this time-honored tactic of targeting the human element involved with a technology may actually fall right into a gap in companies’ insurance coverage, as highlighted in the Fifth Circuit’s decision this month in Apache Corporation v. Great American Insurance Company.
Insurance is not only a risk transfer tool, but also a valuable asset. Certain coverages, however, are not purchased or pursued by multinational companies transacting business in the United States because there are nuanced differences between international and U.S. insurance programs and law. These companies, often with global offices, will be best served by having counsel experienced in such nuances conduct a diagnostic review of their insurance policies. Not only may potential coverage gaps be identified, but a company will be better able to plan ahead and negotiate more favorable coverage terms before a loss arises.
Phishing is a criminal hacker’s favorite sport, and for good reason. It’s a tried and true way to land the big one, over and over again. Whether using a spoofed bank website and stolen email addresses to trick customers into divulging account information, sending email messages purporting to be from a senior company official to deceive employees into providing personal health records, or posing as a trusted vendor and transmitting wire transfer instructions to fraudulently divert funds, hackers are reeling in the catch and making it look easy.
But a well-managed company should have sophisticated safeguards in place. And if these fail, there is insurance coverage, right? The prudent policyholder buys all kinds of insurance: It has up-to-the minute “Cyber” coverage. It has Crime and Fidelity coverage with Computer Fraud riders. It has Professional Liability coverage. And of course it has regular old Commercial General Liability and Property coverage. Surely it’s covered for this type of fraud. Or is it?
While seeming to offer products that respond to the latest risks, insurers often provide limited coverage and seek to exclude the most obvious and inevitable losses. A series of recent cases highlight some of the biggest holes in the insurance safety net.
Just as the famous 1897 New York Sun editorial playfully reassured the skeptical eight-year-old Virginia, so too a recent Fourth Circuit decision should reassure policyholders in Virginia (and nationwide). Despite insurers’ skepticism, general liability insurance may in fact cover cyber events.