The Insurability of Cyber Risks: Scope, Limits and Prospective Regulation

By: Asaf Lubin

It seems as if not a week goes by without some breaking news about a data breach. On 5 April 2018, Bernadette Beekman filed a class action lawsuit at the District Court for the District of Delaware against the oldest department store in the United States, Lord & Taylor. The class was submitted on behalf of all customers who used a payment card at the retailer during the breach period of March 2017 through March 2018. According to some estimates, roughly five million credit and debit card records were stolen and sold on the dark web as part of the breach. In her lawsuit, Beekman stated that Lord & Taylor had “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”[1]

Four days after Beekman’s filing, the popular food chain Panera Bread was hit with its own class action lawsuit. The plaintiffs were residents of Illinois, Tennessee, and Minnesota who claimed that their personally identifying information (PII) used in conjunction with their MyPanera and Panera Rewards accounts was exposed in a breach that the company had attempted to conceal and downplay. According to some estimates the breach affected over 37 million customers. Not only did Panera place its consumer information at risk, by failing to take appropriate action to protect the data, but the company was also put on notice as security experts had warned it months in advance of the risk of a potential breach.[2]

Most recently, on 28 September 2018, Facebook was hit with a class action lawsuit at the District Court for the Northern District of California on behalf of the 50 million users whose personal information, including “names, email addresses, recovery email accounts, telephone numbers, birthdates, passwords, and security question answers,” were exposed. The complaint claims that the security breach “allowed hackers and other nefarious users to take over user accounts and siphon off personal information for unsavory and illegal purposes.”[3]

The list goes on and on: Target, Home Depot, Whole Foods, Equifax, Wyndham Hotels, Applebee’ s, Chili’ s, Orbitz, and MyHeritage all suffered massive data breaches in the last two years and all were the subject of class action suits for millions of dollars from disgruntled consumers.[4] According to a PwC report, the global economy incurs losses of more than $400 billion annually because of data breaches and cyber crimes, and the costs are only likely to continue to mount.[5]

The rise in economic risk from cyber attacks and data breaches has resulted in a market shift towards cyber insurance as a primary mode for risk prevention and management. The number of U.S. firms reporting they have no cyber liability insurance fell from 50% in 2017 to only 24% in 2018.[6] PWC estimates that “annual gross written premiums of cyber insurance will reach $7.5 billion by 2020”.[7] These types of policies cover varied costs associated with the perils of operating a business in the digital age. These include limiting exposure from potential hacking of Internet-of-Things devices; notification costs, credit monitoring services, and legal fees associated with privacy class actions for data breaches; network shutdowns of third-party suppliers or cloud-service providers; and even the indemnification of statutory fines for failures to comply with data protection regulation.

Corporate actors are not the only ones jumping on the insurance bandwagon. A recent trend has seen government acquiring cyber insurance policies. More than a dozen US states now have such programs in place, with the first being Montana in 2011. Georgia has the largest cyber coverage, paying $1.8-million-a-year premium for a $100 million in coverage and $250,000 deductible per cyber-related incident. Cities, too, are turning to insurance. Houston City Council, for example, paid $471,000 this past August for cyber coverage. Houston’ s cyber insurance policy offers coverage for up to $30 million in expenses related to security breaches in the city’ s computer networks.[8] In fact, most of the 25 largest U.S. cities have, or are now in the process of acquiring, cyber insurance, according to a September reporting from the Wall Street Journal.[9] These insurers play a growing role in regulating local government’ s cyber posture and policies. The Alaskan City of Valdez, for example, turned to its insurers to receive authorization of payment to hackers, in the sum of $26,000, for a ransomware that paralyzed the city’ s computer infrastructure in June of last year.[10]

This article will offer a broad assessment of the contemporary market for cyber insurance in both the private sector and in government, particularly the effects that invert governance through private insurance has had on the development of effective cyber policies within the executive branch. This work will benefit from primary sources including in-depth study of insurance policies and interviews with insurance industry brokers and regulators, municipal and state attorneys, representatives from insurance tech startup companies, and risk assessment experts from consultancy and compliance firms.[11]

The paper will aim to show how lack of sufficient technologies, historical data, risk models, consumer awareness, and uniform market regulation are triggering information failures and principal-agent problems that prevent the insurance ecosystem from sufficiently capitalizing on its unique role in enhancing cyber hygiene in both the government and the private sector. The research will further seek to analyze how existing insurance doctrines and economic theories apply to cyber underwriting, in particular as it relates to the need to mitigate moral hazards and increase predictability around silent cyber exposure, coverage exemptions, and reinsurance options. The paper will further seek to examine the complex question of the insurability of certain types of cyber risks, in line with those theoretical models, including the insurability of state-sponsored and war-like attacks, the insurability of ransomware payments, the insurability of fines from violations of data protection regulation, the insurability of cyber-terrorist attacks, and the insurability of physical damages and bodily injuries resulting from cyber risk.

[1] Beekman v. Lord and Taylor, LLC, Del. Super., C.A. No. 1:18-00521, available at https://www.classaction.org/media/beekman-v-lord-and-taylor-llc.pdf

[2] Brian Krebs, Panerabread.com Leaks Millions of Customer Records, KrebsOnSecurity Blog (2 April 2018), available at https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-cu... Robert Hackett, How Panera Bread Fumbled Its Data Leak—And What to Learn From Its Mistakes, Fortune (4 April 2018), available at http://fortune.com/2018/04/04/panera-bread-data-leak-lessons/.

[3] Michelle Kaminsky, Facebook Faces Class Action Over Security Breach That Affected 50 Million Users, Forbes (30 September 2018) available at https://www.forbes.com/sites/michellefabio/2018/09/30/facebook-faces-cla....

[4] Jim Loughlin, Why Cyber Insurance is No Longer Optional for Restaurants, FSR Magazine (May 2018), available at https://www.foodnewsfeed.com/fsr/expert-insights/why-cyber-insurance-no-....

[5] Three Cyber Insurance Stocks in Focus Post Facebook Breach, Zacks Equity Research (1 October 2018), available at https://www.msn.com/en-us/money/topstocks/3-cyber-insurance-stocks-in-fo....

[6] FICO Survey: Most US Firms Have Cybersecurity Insurance – But Only 1 in 3 Say It Is Full Coverage, Cision Newswire, available at https://www.prnewswire.com/news-releases/fico-survey-most-us-firms-have-....

[7] Zacks Equity Research, supra note 5.

[8] Jenni Bergal, Worried About Hackers, States Turn to Cyber Insurance, Insurance Journal (13 November 2017), available at https://www.insurancejournal.com/news/national/2017/11/13/470991.htm.

[9] Scott Calvert and Jon Kamp, WoMore U.S. Cities Brace for ‘Inevitable’ Hackers, The Wall Street Journal (4 September 2018), available at https://www.wsj.com/articles/more-cities-brace-for-inevitable-cyberattac....

[10] Catalin Cimpanu, City of Valdez, Alaska admits to paying off ransomware infection, ZDNet (4 September 2018), available at https://www.zdnet.com/article/city-of-valdez-alaska-admits-to-paying-off....

[11] The work will be modeled in part around John Rappaport, How Private Insurers Regulate Public Police, 130 Harvard L. Rev. 1539 (2017). I seek to apply both Rappaport’s methodology of research and theoretical models to the cyber insurance domains.