[BreachExchange] The Value and Limits of Cyber Insurance

[Audrey McNeil]

https://er.educause.edu/articles/2018/4/the-value-and-
limits-of-cyber-insurance

Individuals managing institutions of higher education have many challenges,
including the need to understand how the institution could be harmed by
cyber threats. To address this need, in late 2017, the University Risk
Management and Insurance Association(URMIA) and EDUCAUSE published a Cyber
Insurance FAQ to describe some of the perils and pitfalls of cyber
insurance. A collaborative effort, written by both risk management and
information security professionals, the FAQ document is designed to assist
institutions that are considering purchasing cyber insurance by explaining
some of the features of this type of insurance. The FAQ sought to provide
clarity around a number of questions:

What is cyber insurance?
What data are covered by cyber liability insurance?
What losses are not covered?
What is the process for buying cyber insurance?
What are the implications of cyber insurance for an institution's computing
systems and processes?
What do institutions need to know about the claim process?

The Role and Limitations of Cyber Insurance

The interest in cyber-risk insurance has increased in response to
high-profile data breaches making headlines. Not only do high-profile
breaches force individuals to take action (examining financial statements,
looking into credit freezes, etc.), they also force the organization
experiencing the breach to take a long, hard look at its business and
information security practices. Organizations might purchase cyber
insurance to help cover some of the costs associated with a data breach,
yet the market for cyber insurance is still evolving. The terms and
conditions of these policies are complex and require thorough analysis
prior to purchase.

Cyber-risk insurance represents an important but limited tool to navigate
issues surrounding privacy violations and data breaches. The National
Association of Insurance Commissioners (NAIC) found that in 2015 that more
than 500 insurers were providing businesses and individuals with
cybersecurity insurance, with the vast majority of the coverages being
written as endorsements to existing commercial or personal insurance
policies.1 Although cyber insurance can be a safety net for an institution
that experiences a cybersecurity or privacy related loss, an institution
should not rely solely on such insurance when an incident occurs. At best,
cyber insurance is a complement to sound information security policies and
practices. Cyber insurance does not cover a number of different events and
actions, and an institution should implement a comprehensive information
security program in order to "mind the gaps" and fully reap the benefits of
cyber insurance. Several of those gaps are discussed below.

1. Non-Standard Forms

Cyber insurance emerged in the late 1990s as a response to Y2K concerns.
Estimates suggest that the cyber insurance market reached US$2 billion in
premiums in 2014 and US$2.75 billion in 2015. As noted, in 2015 more than
500 insurers were providing cyber insurance in some form. Unlike other
types of insurance, such as homeowners property insurance, there does not
appear to be any standard cyber risk coverage form, and the terms and
language vary from insurer to insurer and policy to policy.2 Depending on
the policy year or carrier, an insured may gain or lose certain coverages
and/or policy limits. While this may allow individualized insurance
offerings for an institution, it may also result in policies that cannot
keep up with evolving cybersecurity changes and emerging threats.3

2. Sources of Coverage

In addition to a cyber-liability policy, coverage for data breach or cyber
risk may exist outside a cyber-liability insurance policy. Insureds have
sought coverage under many types of policies, such as property or
commercial general liability (CGL) policies. Litigation has been extensive
over when and in what circumstances a CGL policy covers a data-breach
claim.4 Furthermore, beginning in 2001, CGL policies began excluding
"electronic data" from coverage.5 In 2014, additional exclusions emerged in
CGL policies that were designed to eliminate coverage for cyber-related
damages.6

3. Limitations on Coverage

Careful review of an insurance contract is imperative. In the absence of
standard coverage language, the terms and coverage provided in
cyber-liability insurance policies may vary widely. In many cases, there
will be separate grants of coverage for first-party claims, such as
coverage for data-breach response, and third-party claims. Further,
cyber-liability insurance may have specific policy limits, sublimits, or
deductibles for each type of coverage.7 These gaps may directly impact the
value of the policy to an institution. One question to consider, for
example, is whether the policy covers fines and penalties levied by a
regulatory body. In addition to individuals, potential plaintiffs in a
cybersecurity breach include the United States Securities and Exchange
Commission, Department of Justice, the Consumer Financial Protection
Bureau, the Federal Communications Commissions, the Federal Trade
Commission, and state attorneys general.8 Also, care should be taken to
determine whether costs or penalties are included in the definition of
"loss" or "damage."9 It is foreseeable that a regulatory fine or penalty
would not be covered under cyber-liability insurance. Another pitfall may
arise due to separate policy limits applicable to damages, claims expenses,
or costs. Social-engineering claims will also likely fall outside
cyber-liability insurance policies based on similar exclusions.10

At first glance, coverage may appear broad, but a close reading of the
insurance language reveals that the coverage is quickly narrowed and
limited by endorsement or exclusion. Most, if not all, insurance policies
contain numerous exclusions. In the context of cyber-liability insurance,
care should be taken to evaluate all exclusions, in particular "Conduct
Exclusions" that deny coverage for a loss arising from dishonest,
fraudulent, criminal, or malicious conduct or an intentional violation of
the law. For example, this type of exclusion could be implicated in a claim
alleging an intentional distributed denial of service (DDoS) attack
perpetrated against a claimant using the insured's computer systems when
under the control of the third-party operator.11

4. Exclusions for Criminal or Intentional Acts

Insurance frequently excludes losses or claims attributable to
intentionally dishonest or criminal acts, breach of contract, theft of
trade secrets, unfair trade practices, and employment practices. Events not
covered could include:

Deliberate acts of an IT staff member to delete files (both a malicious
employee act and potentially a criminal act)
Failure of an institution to meet Gramm Leach Bliley Act (GLBA) security
rule requirements for student financial aid data protection and a
subsequent breach of those data (potentially a breach of contract and
potentially a claim brought by a government regulator, which could be
excluded in some policies)
Failure of a third-party and/or cloud vendor to protect any data entrusted
to it (potentially a breach of contract)

Policies may only respond to negligent acts, and a determination that a
loss arose out of an intentional act might eliminate coverage. Indeed, one
district court held, for example, that allegations that a data vendor
intentionally withheld requested information pursuant to the sale of a
business did not trigger insurer's duty to defend under its CyberFirst
policy because there was no allegation that the insured's failure to
provide the data was negligent.12

5. Importance of Security Program/Policy

The case of FTC v. Wyndham Worldwide Corporation serves as a warning
regarding the failure to implement and enforce adequate cybersecurity
measures and the inapplicability of cyber-risk insurance to all claims. In
this case, hackers gained access on three occasions over a two-year period.
The hackers acquired sensitive personal information stored on Wyndham's
computers. The stolen data were used to make fraudulent credit card
charges. The FTC sued Wyndham, contending that it failed to maintain a
reasonably appropriate data security system for consumers' sensitive
personal information in violation of Section 5(a)'s prohibition of unfair
or deceptive trade practices. FTC sought to compel Wyndham to improve
security measures. The court, in finding against Wyndham, found that the
company failed to act equitably when it published a privacy policy to
attract customers who are concerned about data privacy, failed to make good
on that promise by investing inadequate resources in cybersecurity, exposed
unsuspecting customers to financial injury, and then retained the profits.13

Other consent decrees involving the FTC detail various "unfair" security
practices, including the failure to set up robust log in protocols, protect
against commonly known or foreseeable attacks from third parties, encrypt
data, or provide cybersecurity training.14An institution's main defense in
these situations would be its policies, practices, and procedures because
it is likely that cyber-liability policies would exclude such losses from
coverage.

6. Failure to Maintain Adequate Internal Controls

An enterprise should not consider its obligation to protect its data fully
implemented with only the purchase of cyber-liability insurance. In one
instance, an insurer sought to deny coverage and alleged that its insured
failed to take even the most basic steps to protect its data, including
failing to change default settings, failing to properly configure network
devices, and being negligent in its processes to maintain security.15

A gap may exist, therefore, not only in the insurance coverage but also in
how an institution implements measures and protocols to guard against loss
of data. A carrier looking to deny coverage based on exclusions similar to
the "Failure to Follow Minimum Required Practices" exclusion may look to
the existence of objective and external standards, such as the ISO/IEC 2700
family of standards, as well as other standards set forth by NIST, and
determine that the institution failed to take the necessary and prudent
steps to safeguard its data.16

Cybersecurity Recommendations

Often underwriters will ask for risk assessments or other information
related to an institutions' existing information security policies and
practices. Additionally, strong internal practices will integrate with
typical cyber-liability policy coverages and minimize the gaps where
coverage may not be available. Typically, recommendations include the
following:

Have written policies and procedures
Update risk assessments as new threats and incidents arise, and conduct a
risk assessment at least annually
Assign an accountable individual to oversee cybersecurity
Implement workforce security measures, including procedures to limit access
to the minimum necessary private information related to job duties
Provide security training for all employees, including student employees
Ensure that contracts with third parties that have access to confidential
information obligate them to comply with the standards that bind the
college or university
Monitor training and contract compliance
Adopt a breach-response policy17

Conclusion

While important, cyber-risk insurance policies should be considered a last
resort and are not a stand-alone remedy to address data-security issues.
Cyber-liability insurance policies vary widely among carriers, have
individualized coverage provisions, and may contain numerous exclusions
limiting their utility to an institution. However, with careful reading,
such policies provide a valuable adjunct to strong internal controls.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180424/5ceac8c1/attachment.html>