Cyber sages tell us the question is not whether your business will suffer a data breach, but when. To prepare for the inevitable, businesses want to know what is the next threat on the horizon. In the past few months, experts have offered many views on the top cyber trends for 2017, and plenty of advice about security measures companies should take in light of these predictions. But if some loss is a given, businesses also want to know if there will be insurance to cover that loss. We look at some of the forecasts and try to answer that question.
In its Fourth Annual Data Breach Industry Forecast, Experian Data Breach Resolution, a vendor of data breach response and protection services with a track record of handling high-profile incidents, issued and identified five top data breach trends for 2017. We’ll address the first two of those trends in this post.
Aftershock Password Breaches
Experian predicts that companies will increasingly experience the impacts of previous data breaches as username and password information obtained in earlier attacks are sold and resold on the dark web. Companies affected could include not only those who were the victims of the original attack, but unrelated businesses in cases where consumers have used the same usernames and passwords for multiple accounts. Massive breaches like the hack of one billion Yahoo user accounts heighten this risk exponentially.
Specialized cyber risk insurance policies are the principal source of coverage for these kinds of events. Both the cost of defense and damages arising from third-party claims alleging the unauthorized access to or disclosure of personally identifiable information (PII), including protected health information (PHI), fall within the core coverage of these policies. The costs of responding to a breach—notification costs, call center costs, crisis management expenses and credit monitoring—also typically are covered. Coverage for fines and penalties payable to the payment card brands such as Visa and Mastercard is available but usually for an additional premium. Coverage for lost income due to a network or business interruption caused by the breach may also be purchased.
But the aftershock scenario presents special problems. With respect to the victim of the original attack, the insurer is likely to take the position that any claims or losses attributable to a breach that happened years ago relate back to the original incident and are not covered under a current policy. Although the company may look to the policy that was in place when claims were first asserted, the limits of that policy may already have been exhausted or released by prior settlement. A company that did not experience a breach directly but suffers loss or claims because of fraudulent use of credentials previously stolen from a different company faces an even greater challenge. Its coverage may be triggered only by a security failure affecting its own network, or the unauthorized access of information within its own custody or control. And finally, there is no coverage for long-term effects on the business of breach victims, like the negative impact on the Yahoo-Verizon deal.
Nation-State Attacks – Transition from Espionage to War
Experian forecasts an escalation of cyber conflicts between countries, evolving from espionage to open conflict and perhaps even war. In Experian’s view, collateral damage for consumers and businesses is inevitable, while industries responsible for critical infrastructure are particularly vulnerable.
Two areas of concern emerge on the coverage front. The first is the fact that most cyber policies contain some form of exclusion for loss arising out of acts of war by foreign states, military action, insurrection, revolution, and the like. But thus far, where foreign state actors were known or suspected to be responsible for cyber-attacks, the incidents have not risen to the level of war or military action. In addition, many such exclusions have cyber-terrorism exceptions, which have served to preserve coverage for the scenarios to date. If Experian’s prediction is correct, however, insurers likely will deny coverage more frequently on the basis of the war exclusion.
The second concern is that coverage for loss due to cyber-attacks on critical infrastructure may not be covered under standard cyber policies. Most policies provide coverage for loss arising out of the failure of the security of the policyholder’s computer system to prevent unauthorized access or use, but “computer system” often is not clearly defined to include operational or industrial controls. Many infrastructure attacks to date have targeted precisely these types of systems (e.g., the 2015 attack on two Ukraine power distribution companies and the takeover of the control system of a German steel mill in 2014), and can be expected to do so in the future. Coverage is available in the marketplace for these types of events and should be explored, especially by companies whose continued operations are essential to public safety.
(Tune in Thursday for Part II of this post, in which we look at cyber threats related to health care, payment-based systems and multinational companies.)