Reports of data breaches and similar incidents are becoming ubiquitous. Those events have historically involved entities that possess vast amounts of personal data, especially health and financial information. Hospitals, retailers and even the federal government have been the victims of headline-grabbing breaches.
Executive Summary: Attorneys Robert Shapiro and Joseph Swanson offer practical advice for insurers dealing with cybersecurity challenges like loss of personally identifiable information, ransomware attacks and catastrophic claims exposure.
In the insurance industry, much of the focus has been on health and life insurers, particularly in the wake of the February 2015 Anthem breach. As with other industries, however, property/casualty insurers are finding that they must focus on their cybersecurity, lest they become the next victim. In fact, P/C insurers—by virtue of their business and the policies they underwrite—face significant challenges when it comes to cybersecurity. This article identifies the most pressing of those challenges and offers practical advice for addressing them.
Cyber Risks for P/C Insurers
• Loss of Personally Identifiable Information. While P/C insurers may not possess as much personally identifiable information as health and life insurers, the risk of loss or compromise of that information should not be overlooked. In fact, P/C insurers possess myriad information about their policyholders, such as credit card information that may be used to pay premiums and then stored until the next premium is due.
Depending on the nature of the insurance being underwritten, P/C insurers may possess other sensitive financial information about applicants and policyholders. For example, P/C insurers writing surety bonds or a specialty coverage, such as insurance on trade receivables, depend for their underwriting to a large extent on the obligor’s financial wherewithal. This requires the underwriting company to obtain sensitive and, in many cases, nonpublic information. If nothing else, P/C insurers possess sensitive personal information regarding their employees.
All of this information could be ripe for hackers or rogue employees, particularly if there is a perception among those bad actors that P/C insurers are not as careful with their data as companies in other industries that have been the historical focus of data breaches.
• Business Interruption. In addition to the risks attendant to holding personally identifiable information, P/C insurers, like almost any other business today, face the prospect of a ransomware or similar attack. Ransomware is a form of malware that locks up a system until the victim company pays a fee to the perpetrators, leaving the victim unable to run its business. In this way, ransomware can be used against a company in almost any industry. In other words, to be a victim, a company need not possess significant amounts of personal data.
A ransomware attack on a P/C insurer could render that company unable to process applications, claims and so forth. This is a significant risk, particularly in light of the growing desire among policyholders and other third parties to conduct business electronically.
• Claims Exposure. P/C insurers must consider the potentially catastrophic claims exposure they face when it comes to cyber incidents. For example, Lloyd’s of London and the University of Cambridge released a study in 2015 that estimated simultaneous malware attacks on 50 generators in the northeastern United States could cut power to as many as 93 million people, which would result in at least $243 billion in economic damage and $21-$71 billion in insurance claims for property damage, business interruption and other losses.
Driverless cars pose an additional challenge to P/C insurers from an underwriting and claims perspective. On the one hand, these vehicles—with the ability to “talk” to each other—may reduce accidents by as much as 76 percent, according to the Department of Transportation. On the other hand, what happens if these systems are hacked? This is far from a hypothetical concern, as evidenced by Chrysler’s recall of 1.4 million vehicles in 2015 because a software vulnerability allowed hackers to take over critical functions, including steering, transmission and brakes.
This claims exposure is on top of the exposure inherent in the various forms of cyber insurance presently underwritten by P/C insurers. Insurers are rushing to capitalize on this booming market, but they are doing so without the benefit of significant actuarial data. In many ways, issuers of cyber insurance face potential claims not unlike those seen from earthquake or hurricane coverage. Moreover, the court decisions regarding cyber insurance coverage issues are few, leaving P/C insurers to operate in relatively uncharted waters.
P/C insurers face aggregate exposure from cyber attacks on two fronts: breaches of their own systems, and the cyber insurance they write for businesses that are hacked. That is on top of the exposure for claims made on other lines as a result of a cyber incident. Because of this, considerable concern has been expressed about risks to the P/C insurance industry. A.M. Best has stated that although it considers natural catastrophes to be the top threat to the financial strength and credit quality of P/C insurers, “the increasing frequency and severity of cyber attacks, and difficulty in measuring the risk, pose a substantial threat to the insurance industry.”
Mitigation of Risks for P/C Insurers
The foregoing risks for P/C insurers are significant, but there are a number of steps that can be taken to mitigate those risks.
• Identify and Protect the Data and Systems. Like other companies, P/C insurers need to protect themselves by first identifying the data they possess, where it resides, and whether it contains personally identifiable or other sensitive information. Insurers also need to understand their systems and any vulnerabilities. They can address those vulnerabilities by installing and keeping up to date the latest anti-virus and anti-malware solutions and regularly backing up the company’s data and systems.
P/C insurers must implement written policies and procedures designed to safeguard those data and systems. Those policies and procedures should be designed with an eye toward the nature of the company’s data and systems, as well as any applicable legal or regulatory requirements. When the policies and procedures are in place, the insurer’s employees need to receive regular training on them.
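The first step above, knowing what data the company holds, where it resides and whether it is personally identifiable, is what data-discovery tooling automates. The Python script below is an added illustration and is not code from the article or its authors. It walks a set of constructed sample "stores" (standing in for files, database exports or share locations; the names and contents are invented), flags values that look like payment-card numbers (validated with the Luhn checksum so that arbitrary runs of digits are not reported) or U.S. Social Security numbers, and produces a per-location inventory with the values masked so the report itself does not become another copy of the sensitive data.

```python
"""Minimal data-inventory scanner: where do payment-card numbers and SSNs live?"""
import re
from dataclasses import dataclass

# Constructed sample data stores (not real records). Keys stand in for file paths
# or export locations; values are their text contents.
SAMPLE_STORES = {
    "billing/premium_payments.csv":
        "policy_no,cardholder,pan,exp\nP-1001,A. Example,4111 1111 1111 1111,12/26\n",
    "hr/employee_roster.txt":
        "Name: B. Example  SSN: 123-45-6789  Dept: Claims\n",
    "claims/notes_2016.txt":
        "Claimant reported hail damage to roof; adjuster visit scheduled.\n",
    "finance/test_fixtures.txt":
        "Dummy card 4111 1111 1111 1112 used in tests (checksum fails)\n",
}

# A run of 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN shape with the obviously invalid area/group/serial values excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    location: str
    kind: str      # "payment_card" or "ssn"
    masked: str    # value with all but the last four digits masked


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the inventory is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_payment_cards(text: str) -> list[str]:
    """Masked card numbers in text: right length and Luhn-valid, else ignored."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def find_ssns(text: str) -> list[str]:
    """Masked SSN-shaped values in text."""
    return [mask(m.group(0).replace("-", "")) for m in SSN_PATTERN.finditer(text)]


def scan_stores(stores: dict[str, str]) -> list[Finding]:
    """One Finding per sensitive value, tagged with the store it was found in."""
    findings = []
    for location, text in stores.items():
        findings += [Finding(location, "payment_card", v) for v in find_payment_cards(text)]
        findings += [Finding(location, "ssn", v) for v in find_ssns(text)]
    return findings


def inventory(stores: dict[str, str]) -> dict[str, set[str]]:
    """Map each location holding sensitive data to the kinds of data it holds."""
    inv: dict[str, set[str]] = {}
    for f in scan_stores(stores):
        inv.setdefault(f.location, set()).add(f.kind)
    return inv


def main() -> None:
    for f in scan_stores(SAMPLE_STORES):
        print(f"{f.location}: {f.kind} {f.masked}")
    print("Locations needing protection:", sorted(inventory(SAMPLE_STORES)))


if __name__ == "__main__":
    main()
```

The output is a map of which locations hold which kinds of sensitive data, which is the input the written policies and the incident response plan both need. Pattern matching alone over-reports (any 16-digit reference number looks like a card), so the checksum step matters: the invented test fixture with a bad check digit is deliberately left out of the inventory. In practice the same logic is run across file shares, mailboxes and database exports by a commercial data-discovery or DLP product rather than a script.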
• Evaluate Vendor Relationships. Vendors pose significant vulnerabilities for any company. Some of the most significant data breaches, such as the one at Target, were the result of vendor relationships. With that in mind, P/C insurers need to closely review vendor contracts, particularly reps and warranties for vendor systems, rights to audit those systems, and indemnification provisions. When vendor relationships end, system access should be terminated.
• Obtain Coverage. P/C insurers should consider obtaining coverage for a data breach or business interruption. Any such policy should kick in quickly in the wake of any incident. Similarly, with directors and officers (D&O) increasingly the focus of the plaintiffs’ bar, P/C insurers would be wise to confirm that any D&O policy they purchased provides coverage for breach-related litigation.
• Prepare for the Worst. An insurer should have a written incident response plan (IRP) that serves as a “playbook” in the event of a breach. The IRP will identify the insurer’s key personnel who will be called upon in the wake of a breach, as well as other stakeholders to be notified within the organization, depending on the severity of the event. Further, the IRP should identify third parties to contact in a crisis, such as forensic firms, consultants and outside counsel. In addition, the IRP must outline whether and when to contact regulators and law enforcement, depending on the nature of the insurer’s business and the scope of the incident. Ideally, the insurer has developed a relationship with law enforcement ahead of time, which can help facilitate communication in the event of a breach.
After the IRP is in place, it should be tested periodically by conducting mock breaches. Lessons learned from such “table-top” exercises can then be incorporated into a revised IRP.
• Keep Claims Exposure in Check. The tips above are focused on protection of personally identifiable information and other sensitive data, as well as critical systems. As noted above, P/C insurers should also seek to mitigate their claims exposure when it comes to cybersecurity. This can be accomplished through robust underwriting standards, awareness of regulatory requirements, monitoring of important legal developments on the coverage front and careful review of actuarial data when that data becomes available. Insurers ought to, among other things, ask questions of the potential insured about whether their systems have been hacked and how they have responded to those incidents. This inquiry can be made not just for the initial application but at every renewal.
In the end, P/C insurers face many of the same cybersecurity challenges as do their counterparts in the health and life insurance industry. By implementing the steps outlined in this article, however, those challenges will become less daunting.