2015 will be remembered as the year the Cyber insurance market began to really take shape. The market remains robust and continues to present insurers with opportunities for unprecedented growth. However, the market conditions for large enterprises and for small to medium-size enterprises differ greatly. That is because, in part, insurers are targeting small and mid-size enterprises as highly profitable. 2015 will also be remembered as the year data breach coverage disputes under stand-alone Cyber insurance policies began to leak into the courts. This article will address these trends of continued, albeit segmented, market growth and cyber-coverage litigation and whether we can expect them to continue in 2016.
An insatiable demand for Cyber insurance
We have continued to see in 2015 once-in-a-lifetime growth in the insurance market, driven almost exclusively by Cyber insurance. And growth trends are showing no signs of slowing. According to a survey conducted by RIMS, 74 percent of those without Cyber insurance are planning on buying it within the next one to two years. Likewise, total annual premiums for stand-alone Cyber insurance are projected to grow to $20 billion by 2025. This growth stems, in part, from increased awareness of the importance of first-party Cyber coverage and business interruption risks from data breaches.
What is holding back an even greater increase in premiums collected is the general lack of capacity in the market. Some carriers are responding by adding capacity. For example, ACE recently announced it will offer Cyber insurance policies with a $100 million limit. Further, despite a reduction in capacity by some carriers, according to Neeraj Sahni of Willis, large policyholders can still obtain maximum limits of between $350 million and $400 million, although doing so may require self-insurance at one or more layers of the tower of coverage.
A related trend that continued in 2015 is carriers retreating from the market. It appears today that fewer than 10 domestic carriers, plus the London market, remain willing to write primary stand-alone Cyber insurance (other carriers write only excess coverage). This trend is likely due to: (1) carriers being snake-bitten by Cyber insurance losses and the potential for devastating aggregated losses, (2) carriers not having a comfort level with the required qualitative assessments of their policyholders’ cyber security defenses (as opposed to quantitative assessments historically used to underwrite property and casualty risks), and (3) the lack of individuals with substantial expertise in both insurance underwriting and cyber security. This talent gap is especially problematic given that the underwriting of cyber-risks necessitates technical dialogues with the board, including the CISO/CIO/CTO, of highly sophisticated multinational conglomerates.
A final trend from 2015 is the spike in cost of Cyber insurance renewals for point-of-sale retailers and large health care companies. Some carriers are imposing 150 percent premium increases. Companies in those industries, or other industries plagued by data breaches, must thus be prepared to purchase very expensive, albeit necessary, Cyber insurance coverage.
The emergence of Cyber insurance litigation
It was only a matter of time before courts began to see coverage litigation under stand-alone Cyber insurance policies. These policies have been sold for years, and data breaches are ubiquitous. Moreover, anti-policyholder rulings by Connecticut and New York courts in prominent coverage litigation under commercial general liability (CGL) policies, in addition to the promulgation by ISO of specific data breach loss exclusions, left Cyber insurance policies as the last place for policyholders to turn to in the aftermath of a data breach. Coverage disputes under Cyber insurance policies thus were inevitable.
Two recent cases should inform the Cyber insurance marketplace in 2016 and beyond. First, in Travelers Property Casualty Co. of America v. Federal Recovery Services Inc., a Utah federal court found the insurer had no duty to defend its policyholders in the underlying lawsuit. The most significant aspect of the decision is that the parties were disputing coverage under the Network and Information Security Liability and Technology Errors and Omissions Liability parts of a CyberFirst Policy. This was the first coverage decision with respect to a standalone Cyber insurance policy.
Notably, the case did not involve a data breach or other like cyber security loss, but rather a classic intent to injure versus negligent conduct dispute. Nonetheless, it is important to recognize that the court interpreted the terms of the Cyber insurance policy under the same framework it would use for a traditional CGL or Errors & Omissions liability policy. This approach should reassure those concerned that judicial interpretations of Cyber insurance policies might be totally unpredictable (because of their novel terminology). Instead, the district court’s opinion suggests that Cyber insurance disputes will not be decided against a blank canvas.
Second, in Continental Casualty Co. v. Cottage Health Systems, Columbia Casualty Company (CCC) filed a declaratory judgment action in federal court in California, seeking a declaration that it is not obligated to cover Cottage Health System (CHS) and that it is entitled to full reimbursement from CHS of defense costs and settlement payments paid on behalf of CHS. The litigation concerns a NetProtect360 policy, containing Privacy Injury Claims and Privacy Regulation Proceedings coverage parts.
The claim giving rise to the coverage litigation involved a data breach that resulted in the release of private healthcare patient information. This spurred a class action lawsuit, which settled for $4.125 million. CCC paid the settlement, but unilaterally reserved its right to seek reimbursement of attorney’s fees and settlement payments attributable to uncovered claims.
The subject policy contained a Failure to Follow Minimum Required Practices Exclusion, which stated that CCC was not liable to pay any loss based upon CHS’ failure to “continuously implement the procedures and risk controls” identified during the underwriting process. CCC contends that CHS failed to adhere to certain basic security practices, and that its failure to do so was the cause of the data breach and subsequent loss. These alleged failures include deficiencies in CHS’ file transfer protocol settings on its internet servers, maintaining security patches, assessing information security exposure, and detecting network intrusions.
This case was dismissed so the parties could pursue alternative dispute resolution. Nonetheless, this litigation serves as a cautionary tale to policyholders to negotiate for the removal of these and other broad exclusions from their Cyber insurance policies. Policyholders do not want to be like CHS and think they are covered for data breach losses, only to find out post-breach that, because they did not carefully read the policy, the deficiencies in their cyber security apparatus not only left them exposed to data breaches but may also leave them uninsured.
In sum, 2015 was a year of robust overall Cyber insurance market growth, although large accounts and certain industries began to find that Cyber insurance may not be as viable (read: affordable) an option as it once was. There are no signs of this trend abating in 2016, especially as market consolidation, the talent gap, and an inability to devise effective data breach modeling persist. Additionally, 2015 saw coverage litigation in its nascent stages. There can be no doubt this trend will continue, too, as policyholders and insurance carriers utilize the courts to find common ground as to the meaning of non-standardized policy terms. Ultimately, Cyber insurance for data breaches was in 2015, and will certainly continue to be in 2016, the most important issue to the insurance marketplace.
Republished from Legaltech News.