Cybercrime continues to raise risks for insurers and their customers, and the dangers are evolving and becoming more global in nature.
At the recent PLRB conference in Anaheim, Calif., Christina Terplan of Clyde & Co. said that a breach last year in South Korea impacted 70% of that country’s population. She explained that losses in the U.S. are usually larger than in other countries because of the information accessed, but she cautioned that cybercrime involves a lot more than just losing customer data. Some hackers now have records going to duplicate sites so nothing seems amiss, and others are just deleting information to damage a company’s reputation.
Mark Voronin with Zurich North America said that while certain property policies will cover some of these breaches, they are limited in scope. Cyber policies are usually triggered when the breach is discovered since the actual event could have taken place much earlier. With more breaches involving monetary losses, the number of cybercrime policies insurers are offering is growing exponentially. From 2013 to 2014, the amount spent on policies doubled from $1 billion to $2 billion. And new specialized coverages are available to address the regulatory issues and privacy concerns which may be involved in a breach.
Dixon Drier of Matson, Driscoll and Damico said businesses can be impacted in different ways. He cited the example of an online retailer who is hacked. This event could shut down the company’s website and cause customers not to shop there anymore, resulting in additional marketing costs to reclaim those customers as well as new ones. Then there are the investigative costs and the extra expenses for bringing in experts, possible litigation, and addressing any regulatory issues.
Terplan stressed the importance of trying to get a sense of what the breach event encompasses. “The first goal is to stop the breach from happening, but you don’t want to erase the data because you need it to find out what occurred,” she explained. In their effort to stop a breach, companies may inadvertently erase the data that could show how the system was compromised and the scale of the breach.
Troy Bates of Werlinger & Assoc. said that companies should also be aware that “if you’ve been breached, your backup includes the virus and you’re just putting it back onto your system unless you mitigate it.”
He said it is important to conduct the investigation – identify what caused the breach and remove the virus or issue, but he cautioned against erasing the hard drive unless there is a backup or some other preventative measure in place. Recreating information on the hard drive can be extremely expensive, sometimes costing millions of dollars.
Data analytics can be used to identify what information is involved in a breach. For example, if Server A was the only server breached, it may only contain information on customers in a specific geographic area, as opposed to impacting all of a company’s customers. Analytics can also determine what information was affected such as passwords, birthdates or emails, which determines whether or not customers are notified.
Notification – it’s complicated
A breach of birth date information may require notification in one state but not in another. Terplan explained that there are 47 different state breach notification laws and none of them are the same, which makes determining who needs to be notified of a breach, and when, a challenge. Notification is triggered by the state in which the affected individual resides. She said the Obama administration is pushing for a national notification law, which would simplify the process. “What is a breach in California may not be a breach in Texas,” she said, “and frequently companies know that they have been attacked, but they don’t know what happened.”
She said that notification laws in the U.S. are based on personally identifiable information such as Social Security numbers, emails, passwords, and drivers’ licenses. “You have to notify each individual about the breach,” she said, and the company is expected to offer some sort of identity monitoring for all of those affected. Depending on the type of breach, regulators will need to be notified and possibly the Attorney General’s offices in multiple states. Notifying the Attorney General will depend on the number of people impacted. A company may also have to advise its shareholders and the Securities and Exchange Commission of the breach if the company is publicly held, because losses could be catastrophic after regulators are notified.
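The scoping and notification logic described above (which servers were breached, which data elements they held, and whether those elements trigger notice in each affected person's state of residence) can be written down as a small analysis script. This is an added illustration, not code from the conference or from any of the firms quoted; the server inventory, customer list and per-state trigger rules are all constructed and the state rules are hypothetical, not actual statutes.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article): the data fields each
# server stores and the customer records that live on it.
SERVERS = {
    "server-a": {"fields": {"email", "birthdate"}, "customers": ["c1", "c2"]},
    "server-b": {"fields": {"email", "ssn", "password"}, "customers": ["c3"]},
}
# Constructed customer -> state of residence mapping.
CUSTOMERS = {"c1": "CA", "c2": "TX", "c3": "CA"}

# Hypothetical per-state rules: which exposed elements trigger individual
# notice. Illustrative only; real statutes differ and must be checked.
STATE_TRIGGERS = {
    "CA": {"ssn", "password", "birthdate"},
    "TX": {"ssn", "password"},
}


def scope_breach(breached_servers, servers=SERVERS, customers=CUSTOMERS):
    """Return {customer_id: (state, exposed_fields)} for every customer whose
    records sat on a breached server. Fields accumulate when a customer's
    data was on more than one breached server."""
    exposed = {}
    for name in breached_servers:
        srv = servers[name]
        for cid in srv["customers"]:
            state = customers[cid]
            already = exposed.get(cid, (state, set()))[1]
            exposed[cid] = (state, already | srv["fields"])
    return exposed


def notification_plan(exposed, triggers=STATE_TRIGGERS):
    """Group customers who must be notified by state. A customer is included
    only if at least one exposed field is a trigger in their home state."""
    plan = defaultdict(list)
    for cid, (state, fields) in exposed.items():
        if fields & triggers.get(state, set()):
            plan[state].append(cid)
    return dict(plan)
```

With only server-a breached, both c1 and c2 had their birthdate exposed, but under the constructed rules only the California resident needs individual notice, mirroring the point that the same event can be a notifiable breach in one state and not in another.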
Cyber laws also vary from country to country. Canada has breach notification laws, while Europe and Asia do not. When there is a breach in Europe, a company notifies the regulators, who determine what the next steps will be. And the rules for what constitutes a breach in these countries may not be considered a breach in the U.S., so there are a number of issues to consider. And hackers are well aware that these differences work in their favor.
While these issues won’t be addressed in the immediate future, the questions will continue to evolve as the attacks become even more sophisticated. As experts see a greater variety of breaches, cyber insurance policies will become even more nuanced in order to address the various scenarios arising from cyberattacks.