Working for a cyber liability insurer, I get to interact directly with people who experience cyber-related events at their companies, and people who are considering purchasing cyber insurance to address the risks that cyber events present.
I also have frequent contact with the vendors—such as breach coach attorneys and forensics investigators—who respond to cyber events, do breach-preparedness work, and frequently deal with insureds and prospective insureds. Thus, I have the opportunity to gain some insights into how people outside the insurance world view cyber exposures.
In my experience, the insureds and prospective insureds of today have a much better understanding of the cyber risks that they face—and how to protect themselves from those risks—than they did just five years ago. Yet, there are still some myths that seem to persist regarding cyber exposures.
Perhaps it is best to first address what cyber risks really are. Merriam Webster defines “cyber” as “of, relating to, or involving computers or computer networks (such as the internet).” This definition of “cyber” may lead to some of the inaccurate beliefs that persist among insureds and prospective insureds. The risks companies face that are generally characterized as “cyber” are broader than those that just involve computers or computer networks. They also include risks related to data security, whether that data is electronic or not, as evidenced by the various breach notification laws in U.S. states and the European Union’s General Data Protection Regulation (GDPR). These laws contain requirements for what entities must do when they fail to protect or properly handle data, and they apply to all kinds of data; not just data that is found on computer networks.
Thus, with the definition of “cyber” being what it is, some companies may feel that they do not face exposure because the records they maintain or keep are not electronic or stored on computers. But a substantial number of data breaches do not involve electronic records. A study published in The American Journal of Managed Care reported that, of the health care data breaches reported to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights from 2009 to 2016 (breaches that affected 500 or more patients), hospitals comprised about one-third of the breaches. Sixty-five percent of those hospital breaches were of paper and film-based records, rather than electronic records.
A similar common misbelief is that a company does not have much, if any, cyber exposure if it possesses little or no personal data, electronic or otherwise. Of course, there are still many events that could occur involving the exposure of personal data. Earlier this year, the Federal Emergency Management Agency (FEMA) announced it had inadvertently shared the personal addresses and banking information of more than two million U.S. disaster survivors. In addition, the University of Washington Medical Center announced it had inadvertently exposed the personal information of close to one million patients. And, in late 2018, Marriott announced that a whopping 383 million records, including five million unencrypted passport numbers, had been accessed in a data breach.
There are also numerous events that do not concern the exposure of data, but involve things like ransomware, social engineering, business interruption, and reputational harm—risks that exist regardless of whether any data was exposed. Ransomware attacks, for instance, are perhaps more prevalent than ever, and we need only look at the Not-Petya attack from 2017 to see the substantial exposure presented. Hundreds of companies—such as FedEx, Merck, and Maersk—were impacted by this attack. The losses that occurred were separate and aside from any data exposure. Maersk, for instance, estimated its losses at $300 million, much of it from the extra expense needed to try and keep its business up and running after its network went down. As part of its recovery efforts, Maersk needed to replace 4,000 servers, 45,000 personal computers, and 2,500 applications that had been rendered useless following the Not-Petya event.
Ransomware attacks, of course, are not limited to large companies like the ones mentioned above (another myth). According to a 2017 Ponemon Institute report, 42 percent of small- to medium-sized businesses surveyed reported having experienced a ransomware attack in the past 12 months.
Social-engineering attacks also remain common, and though they are frequently unreported because they may not trigger any reporting obligations (no data exposed or disruption of operations), they occasionally make the news and remind us of the risks they present. In 2017, employees of MacEwan University in Edmonton, Alberta, were tricked into paying $11.8 million to fraudsters posing as one of the university’s major suppliers. Although over $10.9 million was subsequently recovered, the university still suffered a loss of almost $900,000, not to mention the cost of its efforts to recover the funds.
Another common misperception is that if a company maintains state-of-the-art cybersecurity, then it will be able to avoid cyber exposures. If only it were that easy. Companies can install the best endpoint protection for their networks but still have their data exposed because of the wrongdoing of their own employees. Anthem, for example (aside from the massive data breach it suffered in 2014-2015), learned in April 2017 that one of its employees had been stealing and misusing Medicaid member data since as early as July 2016. In April 2018, Suntrust Bank announced that an insider had accessed the names, addresses, phone numbers, and account balances of 1.5 million customers with the apparent intent of sharing that data with a criminal party outside the organization.
These are just examples of when insiders intentionally take data. Honest employees who click on a link or get fooled by imposters into making payments also present exposures that the best of firewalls cannot prevent. At the end of the day, the cybersecurity of a company is only as good as its employees.
Some companies may feel that they are protected because they outsource data storage to a cloud provider, and that if anything happens to that data, the cloud provider will take care of it. But a company will likely still bear the legal responsibility for the data that it holds or owns. Additionally, most companies will not have the bargaining power to contractually require a behemoth cloud provider to indemnify them should something happen to that data.
These examples represent some of the mistaken beliefs that companies hold when they have overestimated their ability to limit or eliminate the cyber risks they face. There are also misconceptions that companies may have where they underestimate the effectiveness of something they can do to limit their cyber risk. It is still not uncommon, for example, to hear entities express that it is not worth getting cyber insurance.
Some of the reasons were previously covered, such as the entities believe they do not have cyber exposure because they do not possess data, they keep paper records, or they have great security. Cyber insurance, however, can provide coverage for risks that exist even when companies possess limited electronic data or have strong security—risks like ransomware, social engineering, business interruption, and reputational harm.
More specifically, most cyber policies provide coverage for exposure of confidential or personal data, whether it is electronic data or paper data. So if companies limit their exposure by not possessing electronic data, they can still protect themselves with insurance that covers any paper data they may possess.
For those companies that decide to not hold any data, there is cyber coverage available to protect them if they are victims of ransomware attacks, social-engineering scams, or if they suffer business interruption due to a cyber event. For companies that store data in the cloud, there are cyber policies that will consider the cloud part of the company’s computer system, and will provide coverage to respond to the exposure of data stored in the cloud.
There is another reason companies give for not purchasing cyber insurance: They feel that the insurance coverage they already have will cover them for the cyber exposures they face. While some aspects of those exposures may be covered by general or professional liability policies, or even property or crime policies, many cyber risks will only be covered by a cyber policy. General or professional liability policies may provide coverage for third-party claims arising from cyber events, but they do not cover first-party breach response expenses like forensics and notification costs. Additionally, as the cyber insurance market has grown, many non-cyber policies are ceding cyber risks to that market by adding cyber exclusions.
There are many risks that entities are underestimating due to common misconceptions. The good news, however, is that they also appear to be underestimating their ability to protect themselves from those exposures through the purchase of cyber liability insurance.