Elizabeth S. Fitch and Theodore M. Schaer / Spring "Women in the Law" Business Edition 2016

According to the 2015 McAfee Security Paradox Report, 63 percent of midsize U.S. companies have experienced a data breach.

WHY?

Lack of proper cyber education makes them easy targets for hackers. According to the 2015 NetDiligence Study, the average payout was $1.2 million with average legal costs of $434,000 and crisis services cost of $539,000.

THE TAKEAWAY?

All businesses are targets. When it comes to a cyber breach, it’s not “if;” rather, it’s “when.”

WHAT IS THE GREATEST CYBER THREAT?

Ignorance. When thinking of cyber exposures, what comes to mind are systems failures, and the human element is often overlooked, but according to the Poneman Institute, 35 percent of cyber breaches are due to human failings. Eighty-five percent of office workers, for example, have been duped by social engineering. 

Employee ignorance is one risk factor, but ignorance at the executive level is even more disconcerting. Most executives are under the misimpression that cyber risk is an IT problem. Yet, system glitches account for only 29 percent of data breaches, so relegating the responsibility of mitigating cyber risk to the IT department fails to address 70 percent of a company’s vulnerabilities.

“DATA SECURITY IS AT THE FOREFRONT OF FEDERAL ENFORCEMENT ACTIONS."

Executives and insurance brokers alike have assumed that traditional insurance policies, such as comprehensive general liability policies (CGL), provide protection for damages flowing from a cyber breach. This is not necessarily true. For instance, in Zurich American Insurance Company v. Sony Corporation of America, Sony sought coverage under its Zurich’s CGL policy for theft of customer personal information by online hackers. Zurich filed a declaratory relief action requesting a ruling that the data breach did not qualify as bodily injury or property damage. Sony countered that the breach fell within the purview of the personal and advertising injury provision of the policy. The New York Supreme Court rejected Sony’s position and found that coverage was not afforded. Despite court rulings favoring insurance companies, the insurance industry has responded to cyber breach claims with sweeping policy exclusions that limit or eliminate coverage under traditional policies. The lesson learned is that executives and insurance brokers need to better understand the cyber threats, company vulnerabilities, and insurance 
coverages available.

Although the insurance industry has developed new cyber products, market confusion over the scope of coverage exists. Standalone cyber insurance policies are a complex hybrid of first- and third-party coverage. Because risk is ever-evolving, there are gaps in coverage. This is further complicated by statutes and regulations, inconsistent case law, and procedural peculiarities throughout the United States. Business executives, insurance brokers, underwriters, and claims professionals need to understand technology and the risks it presents, need to know coverage forms and how to analyze cyber applications, and know how regulatory actions and third-party claims trigger coverages.

WHY IS THE LEARNING CURVE SO STEEP?

Technology is rapidly changing, hackers are becoming more sophisticated, and the laws are constantly evolving. Every day hundreds of new apps hit the market. The pending technology patent applications alone evidence the ongoing technology revolution. Real-time client/customer data compounds the problem. While most executives and risk managers profess to understand technological basics, most acknowledge that they have no understanding of the complex security controls used to protect information security systems. 

Conversely, hackers have embraced the technology revolution and continue to develop more sophisticated tactics to prey upon people’s trusting nature. Spoofed emails lead users to visit infected websites designed to appear legitimate. Secretly installed spyware then tricks users into divulging personal information such as credit card numbers, passwords, and social security numbers. Hackers are leveraging social media to learn personal details about targeted individuals and then carefully crafting emails to trick employees to turn over valuable data and give access to bank accounts.

Federal and state governments have enacted privacy laws to protect personal information. Congress has passed privacy legislation that governs virtually every industry, from health care to education to the financial sector, but they are complex and difficult to understand. Similarly, federal agencies that have regulatory authority over particular business sectors have promulgated rules and regulations and have increased their regulatory enforcement, seeking fines and penalties. The Federal Trade Commission has been emboldened by a recent Third Circuit opinion in FTC v. Wyndham World Wide Corporation, in which the FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. The Third Circuit held that the FTC has the authority to regulate cybersecurity, opening the floodgates to regulatory actions. For example, on February 3, 2016, an administrative law judge ruled in favor of the Office of Civil Rights and levied $239,800 in sanctions against a health care provider for HIPAA violations, showing that data security is at the forefront of federal enforcement actions.

Currently, 47 states have enacted breach notification laws and all 47 mandate notification to individuals whose personal information may be compromised—but key differences do exist. Fifteen states require notification to governmental agencies and 27 states require notification to national credit reporting agencies. Couple this with complex third party litigation, and executives, risk managers, and claims professionals are experiencing information overload.

RIGOROUS TRAINING AND EDUCATION IS MISSION CRITICAL TO MITIGATING THE COST OF CYBER BREACHES.

Cyber risk mitigation poses unique challenges, from adopting best practices in proactive defense against breaches to maintaining appropriate cyber insurance and the management of cyber breach claims. Cyber risk education has typically been segmented and general. What is missing in the cyber education arena is an integrated program.

The Claims and Litigation Management Alliance’s School of Cyber Claims is the first of its kind in that the three-year program has a rigorous curriculum integrating technical, legal, and insurance courses with real world scenarios. The school was specifically designed to provide participants with technical and practical knowledge to proactively and effectively manage cyber claims arising under traditional insurance policies and stand-alone cyber insurance policies. The program will cover the unique security risks associated with mobile computing, teleworking, and cloud and website technologies. Students will learn about authentication, intrusion, detection, and prevention techniques such as biometric encoding, security socket layers, firewalls, virus protection, and cryptography. With this solid technical foundation, the program provides an in-depth analysis of costs and damages arising out of first-party claims and third-party claims, coverage litigation of insurance policies, and the practical implications for cyber claims handling and coverage analysis.

The school’s faculty comprises cyber insurance and risk management industry leaders, whose experience and innovative curriculum arm the students with the tools necessary to evaluate, interpret, and apply traditional insurance policies, cyber insurance policies to claim scenarios, along with the skills to proactively and cost-effectively manage those claims.