Cybercrime continues to raise risks for insurers and their customers, and the dangers are evolving and becoming more global in nature.

At the recent PLRB conference in Anaheim, Calif., Christina Terplan of Clyde & Co. said that a breach last year in South Korea impacted 70% of that country's population. She explained that losses in the U.S. are usually larger than in other countries because of the information accessed, but she cautioned that cybercrime involves a lot more than just losing customer data. Some hackers now have records going to duplicate sites so nothing seems amiss, and others are just deleting information to damage a company's reputation.

Mark Voronin with Zurich North America said that while certain property policies will cover some of these breaches, they are limited in scope. Cyber policies are usually triggered when the breach is discovered since the actual event could have taken place much earlier. With more breaches involving monetary losses, the number of cybercrime policies insurers are offering is growing exponentially. From 2013 to 2014, the amount spent on policies doubled from $1 billion to $2 billion. And new specialized coverages are available to address the regulatory issues and privacy concerns which may be involved in a breach.

Dixon Drier of Matson, Driscoll and Damico said businesses can be impacted in different ways. He cited the example of an online retailer who is hacked. This event could shut down the company's website and cause customers not to shop there anymore, resulting in additional marketing costs to reclaim those customers as well as new ones. Then there are the investigative costs and the extra expenses for bringing in experts, possible litigation, and addressing any regulatory issues.

Terplan stressed the importance of trying to get a sense of what the breach event encompasses. "The first goal is to stop the breach from happening, but you don't want to erase the data because you need it to find out what occurred," she explained. In their effort to stop a breach, companies may inadvertently erase the data that could show how the system was compromised and the scale of the breach.

Troy Bates of Werlinger & Assoc. said that companies should also be aware that "if you've been breached, your backup includes the virus and you're just putting it back onto your system unless you mitigate it."

He said it is important to conduct the investigation – identify what caused the breach and remove the virus or issue, but he cautioned against erasing the hard drive unless there is a backup or some other preventative measure in place. Recreating information on the hard drive can be extremely expensive, sometimes costing millions of dollars.

Data analytics can be used to identify what information is involved in a breach. For example, if Server A was the only server breached, it may only contain information on customers in a specific geographic area, as opposed to impacting all of a company's customers. Analytics can also determine what information was affected such as passwords, birthdates or emails, which determines whether or not customers are notified.

Notification – it's complicated

A breach of birth date information may require notification in one state but not in another. Terplan explained that there are 47 different state breach notification laws and none of them are the same, which makes it a challenge to determine who needs to be notified of a breach and when. Notification is triggered by the state where the affected individual resides. She said the Obama administration is pushing for a national notification law, which would simplify the process. "What is a breach in California may not be a breach in Texas," she said, "and frequently companies know that they have been attacked, but they don't know what happened."

She said that notification laws in the U.S. are based on first identifiable information such as Social Security numbers, emails, passwords, and drivers' licenses. "You have to notify each individual about the breach," she said, and the company is expected to offer some sort of identity monitoring for all of those affected. Depending on the type of breach, regulators will need to be notified and possibly the Attorney General's offices in multiple states. Notifying the Attorney General will depend on the number of people impacted. A company may also have to advise its shareholders and the Securities and Exchange Commission of the breach if the company is publicly held because losses could be catastrophic after regulators are notified.

Cyber laws also vary from country to country. Canada has breach notification laws, while Europe and Asia do not. When there is a breach in Europe, a company notifies the regulators, who determine what the next steps will be. And what constitutes a breach in these countries may not be considered a breach in the U.S., so there are a number of issues to consider. And hackers are well aware that these differences work in their favor.

While these issues won't be addressed in the immediate future, the questions will continue to evolve as the attacks become even more sophisticated. As experts see a greater variety of breaches, cyber insurance policies will become even more nuanced in order to address the various scenarios arising from cyberattacks.
