Speakers at the Spring NAIC Meeting in Orlando on the topic of insuring cyber liability risk offered commentary on risks and damages associated with cyber attacks in the United States, as well as how the insurance market has (and has not) developed to help mitigate risk. Representatives included district attorneys, practicing intellectual property lawyers, federal agents as well as state regulators.
Introductory comments focused on the increasing cybersecurity threats that entities continue to encounter, including attacks from nation-states, terrorists, activists, criminals, external opportunists, as well as disgruntled company insiders. Extra attention was given to the “Bring Your Own Device” policies that companies are increasingly adopting: the security systems currently installed on personal smartphones are not always adequate to handle threats that they may encounter in a professional environment. Aside from the literal costs of stolen and corrupted data, many in the industry fear that if steps are not taken to curtail cyber breaches, consumers will lose faith in the confidentiality and integrity of the institutions they utilize.
Kenn Kern of the New York District Attorneys’ Office (the “NYDAO”) proceeded to give remarks on the dangers of cyber-attacks and provided statistical data to illustrate the gravity of the issue. According to Mr. Kern, 37% of all NYDAO cases involve cybercrime or identity theft charges. Mr. Kern noted that there are 1.29 distributed denial-of-service attacks every 2 minutes, in which an attacker attempts to render a company’s service unavailable to customers. In his closing remarks, Mr. Kern described an increasingly popular monetization strategy in which hackers use stolen personal information to file fraudulent tax returns, thereby receiving instant refunds.
Tom Finan of the Department of Homeland Security’s National Protection and Programs Directorate offered commentary on the insurance market as it relates to cybersecurity. In particular, Mr. Finan discussed how there is an active market for 3rd-party cyber insurance (insurance triggered by a claim by a customer against a business), but less of a market for 1st-party cyber insurance, or insurance to cover a company’s loss of profits, intellectual property, etc. Mr. Finan’s view is that, at this time, premiums for 1st-party cyber insurance are too high to be desired by companies. These premiums remain costly, in part, because companies tend to avoid disclosing their damages and vulnerabilities to regulators, insurers and the public when not statutorily required. This lack of available information, together with general inertia by companies in adopting “best practices” policies to combat cyber attacks, has left insurers hesitant to offer more attractive policies. Mr. Finan hopes that the adoption of recent executive orders on the issue, as well as new enterprise risk management policies and reports, will result in the dissemination of more information, allowing insurers to predict risk more accurately.
Other general comments from participants included the need for companies to make cybersecurity a high priority and to strive to understand the financial and reputational risks that a cyber attack can pose, as well as the hope that the newly published National Institute of Standards and Technology Cybersecurity Framework will help increase awareness and uniformity in combating cyber-attacks, potentially leading to a more robust insurance market.