The National Association of Insurance Commissioners' (NAIC) "Principles for Effective Cyber Security Insurance Regulatory Guidance" adopted on April 16, 2015, by the Cyber Security Task Force highlight an industry under cyberattack.

The Anthem and Premera breaches, which exposed personally identifiable information of nearly 100 million people, and the likelihood (perhaps certainty) of additional attacks on the industry highlight one fact: those in the insurance industry who are not proactively managing the threat of cyber incursion are likely to suffer severe adverse consequences. Indeed, Anthem is facing over 50 class action lawsuits and intense regulatory and law enforcement scrutiny.

The NAIC's guiding principles help lay a foundation to prevent the disclosure of personally identifiable information and best position those in the insurance industry should a breach occur and if an action is taken against them. The best prepared companies will be those which are able to state that they have used reasonable efforts to: (1) prevent a cyberattack; and (2) protect personally identifiable and trade secret information . . . and have evidence to prove that! These efforts will lead to the measure of damages, if any, being significantly less. This can effectively be done through careful preparation of a written information security plan (WISP) and a data breach response plan (DBRP) including appropriate IT technical and legal analyses and incorporating the NAIC guiding principles:

  • Insurers must have systems in place to alert consumers in a timely manner in the event of a cyber breach.
  • Personally identifiable information held by insurance producers and third-parties as well as insurers must be reasonably protected.
  • An essential component of any plan is preparing for an incident suffered by an insurer, insurance producer and other third-parties (a data breach response plan).
  • Third-parties and producers should be audited to determine if controls are in place to protect personally identifiable information.
  • Cyber security should be a part of an insurer's or a producer's Enterprise Risk Management (ERM).
  • Cyber security audits and written information security plans containing data breach response plans should be reviewed by the Board regularly.
  • Periodic employee training and assessment is also an essential part of any plan.


Industry opportunities

Swiss Re Group Chief Executive, Michel Liès estimates that within 10 years "cybercoverage will be in every retail, commercial and industrial insurance policy." Michel Liès, How Do You Insure Against Cybercrime? The Wall Street Journal (Apr. 21, 2015).

Given the emerging breadth of cyber coverage, the insurance industry can be a catalyst for change and good governance. This is an opportunity for the insurance industry to "nudge" the corporate world into best cyber security practices according to Peter D. Hancock, President and CEO of AIG. Rachael King, Companies, Seeking Common Ground on Cyber Security, Turn to Insurers, The Wall Street Journal Online (Apr. 13, 2015).

Much like what the insurance industry did in connection with D&O coverage and good corporate practices many years ago, it can influence positive change through the use of lower premiums and broader coverage for the best risks and the converse for bad (poorly managed) risks (i.e., those who have taken no or minimal efforts to prevent a breach or organize a thoughtful response plan).

Another example is professional liability insurance: to qualify for membership in Attorneys' Liability Assurance Society, Inc. (ALAS), a law firm industry captive insurer, certain protocols must be followed and loss prevention techniques must be disseminated regularly. Cyber insurance coverage calls for a similar approach to combat a fast-moving risk environment.

Besides "nudging" the corporate world toward better cyber practices, another industry opportunity exists in providing adequate capacity for the corporate world. Anecdotally, we understand that the largest policy limit offered to date is approximately $400 million, with many commercial coverages limited to the range of $100 to 200 million. Rachael King, Companies, Seeking Common Ground on Cyber Security, Turn to Insurers, The Wall Street Journal Online (Apr. 13, 2015).

Given the liquidity in the insurance marketplace (including alternative capital vehicles such as hedge and private equity funds) and the need for additional cyber capacity, some insurance executives have suggested additional investment by hedge and private equity funds to help cover cyber risks rather than chase an over-crowded field of insurance-linked securities or reinsurance dollars. The clear need is for additional capacity to cover cyber risks.

Government partnership

While meeting these challenges, it is also an opportunity for insurers, insurance producers and other third-parties to work in partnership with regulators, law makers and law enforcement because we all tend to be on the same side of this war against cybercrime.

James Woods is co-leader of Mayer Brown's global Insurance Industry Group.
