The second annual C5 conference was co-chaired by Ben Beeson of Lockton and Laurie Kamaiko of Edwards Wildman. The opening sessions addressed the controversial questions of whether the cyber insurance market was failing to offer a meaningful solution to present-day cyber risk, how the market could remain relevant in the current business environment, and whether the UK market would evolve in the same way as the US market, given the impending focus on data breaches under the European Commission’s Draft Regulation on Data Protection, which is likely to impose notice requirements.
Panelists discussed that cyber risk in 2012 has expanded beyond breaches of statutorily defined personal information to cyber attacks of infrastructures and theft of intellectual property. Moreover, claims have expanded to include broader privacy claims directed at the collection and usage of information about individuals. Both insurance and forensic specialists discussed the increasing sophistication of cyber attacks, and the exposures presented by the increasing reliance of businesses on cloud providers and other service providers, who in turn subcontract with other vendors whose networks may be the subject of network failures or cyber attacks. Thus, the challenge for the insurance market to remain relevant is to develop products that address these risks, and the concern of businesses that their business interruption losses be addressed by insurance.
Risk managers and other buyers of insurance who spoke at the conference emphasized insureds’ desire for assurance and confidence that their insurers would pay their claims and address their losses when an event happens. One risk manager also expressed frustration about the lack of coverage for insureds’ mitigation efforts, for example where an insured pays, or offers services to, clients who may have lost business or suffered a disruption as a result of a breach of the insured’s network, in an effort to reduce the likelihood of a third-party claim that, if asserted, would be covered.
Several panelists, particularly technical experts, discussed the advantages of inquiring into and testing insureds’ security practices before accepting a risk. However, one consultant noted that insurers expect policyholders to provide details that insurance companies, as entities at risk themselves, do not have.
While some questioned whether breach response insurance was as necessary or helpful in the UK and other countries in the EU, particularly in light of the general uninsurability of fines and penalties and the general lack of class actions, others pointed out that there are still significant legal fees for responding to regulatory investigations and audits, and forensic costs, which can be covered by insurance. While the EU is more focused on fines and penalties than consumer remediation, Jonathan Bamford, Head of Strategic Liaison for the UK Information Commissioner’s Office, who was also a speaker, noted the importance of fines and penalties as incentives for businesses to “get it right.”
Others also questioned whether public disclosure and notice to individuals was a good thing, or whether “notice fatigue” is developing in the US. One panelist pointed out that public disclosure is still a good thing in that it exposes what is already happening, and the potential harm to reputation can be an incentive to upgrade security. One controversial speaker pointed out that one of the most secure industries is the online pornography industry, since its members know the importance of protecting their customers’ information and privacy and make that protection a priority.
Panelists discussing the European Commission’s proposed regulation, which includes a component that would require notice to affected individuals, noted that the Regulation and its requirements would likely not take effect until 2016. The European Parliament and Member States have another year and a half to approve the Regulation, and it would then be another two years before it is implemented. Panelists noted that the proposed new scheme, in imposing uniformity across the EU, would also likely restrict the flexible and pragmatic approach that the ICO currently usually takes.
A panel addressing reinsurers’ perspectives raised the issue of whether the current terminology in reinsurance agreements, e.g. references to an “event,” is really appropriate for cyber risks, and noted that some risks may be essentially uninsurable due to the extent of their accumulated exposure, such as global outages of the internet. Earlier, other panels had raised the issue of whether cyber attacks from government-sponsored hackers and political hacktivists, as well as the aggregated losses that could occur if a major cloud provider failed, meant that the time was approaching to consider government backstops to encourage insurance of such risks, similar to what has been developed in many countries for insurance of more traditional terrorism risks.
Overall, the conference focused on identifying the expansion of cyber risks and the challenges to the insurance industry of how to address them, and price them, in order to remain a viable and relevant insurance market in this area.