Gaps in Traditional Insurance Coverage
Until recently, the monetary harm companies anticipated from their computers arose from physical damage to the systems themselves. On that assumption, companies covered their computer assets under First Party Property (FPP) insurance, which pays to repair damaged property. They covered the resulting loss of business with Business Interruption (BI) insurance, a subset of FPP that pays for income lost during an interruption and/or the expenses incurred to keep operating after it.72 Because both are keyed to physical damage, FPP and BI policies can exclude data breach losses. For example, if a virus interrupts business operations, a claim under FPP or BI insurance is likely to fail, because most viruses inflict no tangible damage on the computers.73 Media insurance covers the policyholder against claims that it published defamatory statements or material that infringes a person's right to privacy. It often fails to cover data breach litigation, because courts frequently hold that the affected customers lack standing, so no privacy claim arises.

As personal information becomes increasingly valuable and data breach litigation more prevalent, the importance of FPP insurance has faded and third party liability (TPL) insurance, which covers the expense of litigation brought against the policyholder, has become critically important. TPL covers the potential damages from a breach better than FPP, but it still falls short of complete coverage. If a hacker steals personal information and holds it for years before "publishing" it, claims made immediately after the breach face denial for lack of standing, since there is not yet any evidence of a harmful publication. Commercial general liability (CGL) is a type of TPL insurance under which the insured is covered either for a fixed period after the injury occurred or for a fixed period after the claim is filed.74 Where CGL policies provide coverage on a claims-made basis, obtaining coverage is difficult: unless the insured files its claim after the hacker has published the information, the breach does not amount to a harmful publication under current law.75 Cyber liability insurance developed to fill the gaps left by traditional insurance.

72 Thomas J. Shaw et al., Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists 176-177 (Thomas J. Shaw ed., 1st ed. 2012).
73 America Online Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003) (concluding that although viruses altered a computer's logic, they caused no tangible damage because they left the computer's physical media unharmed).
Cyber Liability Insurance Explained
Cyber liability insurance covers "customer-notification expenses; credit monitoring and identity theft monitoring; privacy and security liability; business interruption; cyber extortion; hacker damage costs; privacy regulatory defense and penalties; computer forensics investigation; and a privacy attorney".76 Despite its novelty, the National Association of Insurance Commissioners (NAIC) identified cyber liability insurance as a top priority for the insurance industry in 2015. NAIC noted that although cyber liability insurance is expensive, it has great growth potential as businesses realize that their current policies preclude coverage for most damages from data breaches.77 A growing customer base could in turn alleviate some of the problems the cyber insurance market suffers from its lack of cyber risk information.

74 Lorelie S. Masters, Insurance Protection for Security Breaches, in Data Breach and Encryption Handbook 271, 272-273 (Lucy Thomson ed., 2011).
75 Although definitions of publication differ, some insurers specify that publication is "the 'communication (as of news or information) to the public'" (Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450, 463 (Conn. App. Ct. 2014)). Thus theft of personal information does not necessarily imply publication, because the thief might not reveal the information publicly.
76 Matthew Sturdevant, Covering Online Terrorism: Sony, Target Cases Cloud Decisions; Cyber Insurance, Hartford Courant, Jan. 26, 2015, at A1.
Issues with the Cyber Liability Insurance Market
The cyber liability insurance industry faces a variety of market problems arising from a lack of cyber threat information. All insurers set premiums and coverage limits through statistical models that estimate the probability of the insured suffering an injury. Insurers of traditional risks such as fire or automobile accidents easily set premiums and coverage limits that reflect a client's actual risk by analyzing readily available historical data. The cyber liability insurance industry cannot project the probability of cyber risk in the same way, because documented cyber risk information is scarce. Unfortunately, companies have few incentives to document and share this information with cyber insurers, which slows the accrual of cyber risk data.78 Uninsured companies are wary of sharing cyber risk data with government bodies, since it may cause negative publicity or be used against them by rival companies. Companies with cyber liability coverage primarily make claims after catastrophic incidents, biasing the available risk data towards extreme cyber events.79
Insurers also rely on potentially inaccurate information, because this scarcity of data aggravates three problems inherent in the insurance business. The first, adverse selection, occurs when insurers lack accurate metrics to measure the risk level of prospective clients. Premiums then fail to reflect the increased risk that insuring the client poses to the insurer, an inaccuracy that threatens insurers' solvency in the event of repeated or catastrophic claims.80 Although similar to moral hazard, adverse selection emphasizes the insurer's inability to determine the truthfulness of a client's self-reported risk level. Ordinarily insurers verify a client's veracity through statistical analysis.81 The lack of historical data in a cyber risk environment forces insurers to rely on the word of their policyholders. This incentivizes policyholders to misrepresent their risk level to obtain lower but inaccurate premiums, which spell disaster for the insurers' bottom line after repeated or monumental claims.

Insurers hedge against this risk through reinsurance. In a market with widely available information, reinsurance lets an insurer survive the proverbial perfect storm. Unfortunately, the information scarcity in a cyber risk environment makes this practice all but impossible, because adverse selection and moral hazard greatly increase the likelihood of frequent claims against cyber liability insurers.82 Reinsurers therefore shy away from reinsuring cyber liability insurers, further increasing the financial risk those insurers bear.

77 Nat'l Ass'n of Ins. Comm'rs & The Ctr. for Ins. Policy and Research, http://www.naic.org/cipr_topics/topic_cyber_risk.htm (last visited Feb. 22, 2016).
78 Christian Biener, Martin Eling & Jan Wirfs, Insurability of Cyber Risk: An Empirical Analysis, 40 Geneva Papers on Risk and Insurance: Issues and Practice 1, 9-12 (2015) (empirically analyzing issues with the cyber risk market in the U.S.).
79 Rainer Böhme & Galina Schwartz, Modeling Cyber-Insurance: Towards a Unifying Framework 1, 17 (Workshop on the Economics of Information Security, working paper, June, 1-36).
80 Id. at 17.
81 Id. at 19-20.
82 Id. at 17.
Chapter 5