Cybersecurity has emerged over the past several years as one of the greatest threats, if not the greatest threat, to the insurance industry, with multiple high-profile data breaches of insurance companies and other entities demonstrating the potential scope of the threat. According to former New York City Mayor Rudolph Giuliani, who serves as Chair of Greenberg Traurig’s Cybersecurity, Privacy and Crisis Management Practice, “Cybersecurity threats continue to evolve rapidly. Companies must closely monitor information security developments and prepare for breaches in advance to prevent the worst-case scenario.”
The growing threat has prompted both industry and regulators to devote additional resources to cybersecurity preparedness. Regulators are stepping up their evaluations of insurers’ cybersecurity measures, and are issuing additional guidance and creating new requirements that insurance entities must comply with.
The New York Department of Financial Services (NYDFS) has been particularly active in this regard, and on February 16, 2017, it promulgated a final regulation on Cybersecurity Requirements for Financial Services Companies. The rule, which took effect March 1, 2017, applies to insurance companies, banks, and other financial services companies regulated by NYDFS, and requires these entities to adhere to new standards to protect consumers from cyber threats. This rule is the first such regulation to be adopted by a state, and it has already had a significant impact.
According to NYDFS Superintendent Maria Vullo, the key goal was to adopt flexible standards to permit companies to assess their risks and adopt an appropriate cybersecurity programme. This risk-based approach is favoured by industry over a more rigid standards-based approach. There are also some fixed standards, such as regular reporting requirements and a requirement that cybersecurity personnel regularly attend training sessions. With some exceptions, entities covered by the regulation must periodically conduct and document a risk assessment, and certify each year to the Superintendent that they are in compliance with the regulation, with the first certification due by February of 2018.
The National Association of Insurance Commissioners (NAIC) has also been developing an Insurance Data Security Model Law (Model Law) for over a year. The Cybersecurity Working Group (Working Group) released the first draft of the Model Law in March of 2016, which generated many comments and criticisms, many of them regarding the Model Law’s notice requirements and apparent conflicts with existing state data breach notification requirements. Several additional drafts were subsequently released, each resulting in a number of new or recurring criticisms.
Faced with a lack of traction in developing an acceptable model law, the Working Group released a fourth version in April, 2017, which resembled in many ways the recently adopted New York regulation. After exposing two more versions of the Model Law and receiving more comments from industry and other stakeholders, the Working Group and the Innovation and Technology Task Force approved the sixth version of the Model Law on August 7, 2017. The NAIC Executive Committee will consider final adoption at the Fall National Meeting in December.
Congress has also been active in the cybersecurity arena. Most notable is the Cybersecurity Act of 2015, which was passed in December, 2015 as part of the omnibus appropriations act. Upon satisfying certain requirements, it authorises private sector entities to share cyber threat information with each other and with the Department of Homeland Security. Governmental and private entities are authorised to use the data they collect to address cyber threats, but the law does not create new duties for companies. Shared data is made exempt from federal Freedom of Information Act requests and any comparable state freedom of information laws.
Another significant federal bill that was considered by Congress is the Data Security Act of 2015. Introduced in May of 2015, this bill would have provided for certain federal data security standards, including standards to prevent breaches and post-breach notification requirements. The bill would have essentially preempted the states’ cybersecurity laws, although state insurance regulators would have retained authority to oversee insurers’ compliance with the federal standards. The NAIC opposed the Data Security Act of 2015 because the bill was seen as ignoring the state-based system of insurance regulation. Although the bill was passed out of committee in December, 2016, it must be reintroduced in order to move forward. While Congress has many other issues of more immediate import, the proposal may still be viable in the future.
Cyber Liability Insurance Market
Not surprisingly, the demand for cyber liability insurance has skyrocketed over the past several years. Total annual cyber insurance premiums have increased from an estimated $1bn in 2012 to $3.25bn in 2016, and growth is expected to continue into the foreseeable future. Cyber liability insurance is already heavily concentrated in the retail, healthcare, technology, and telecom sectors, where roughly 75% to 80% of larger companies have cyber liability insurance. Additionally, premium rates, which were already relatively high, have further increased mainly because of a lack of competition in the market, with additional spikes attributable to high profile breaches. Much of the growth in demand is a result of small and mid-sized businesses, although large retailers have seen a decrease in insurance capacity because they are perceived to be a greater risk.
Most commercial general liability policies do not cover cyber risks, or only cover some of the risks posed by data breaches. Unfortunately, many executives do not realise that they are inadequately covered. To ensure that data and cyber risks are insured, companies need to purchase policies that specifically cover these risks.
However, purchasing this coverage is not always easy. A major hurdle is the difficulty of underwriting and pricing these risks. There have been some advances in actuarial analysis over the past several years, but loss data is still fairly limited and underwriters cannot easily predict a company’s potential exposure. Instead, insurers need to conduct an in-depth analysis of a company’s risk profile, including potential losses, which can be very high, the company’s risk management protocols, and overall risk management culture. This is a difficult and expensive process, and requires a significant judgment call on the part of the underwriters, although there is also a benefit in that the underwriting difficulty creates an incentive for companies to take action to proactively protect themselves from cyber events.
The number of carriers that offer cyber liability coverage is relatively small and, for the above-described reasons, the policies offered by these carriers tend to differ markedly. What is covered, and how it is covered, differs considerably from policy to policy. The cost of providing notices to affected consumers, paying for legal costs resulting from breaches, and similar costs are more traditional cyber coverages.
However, areas like reputational risk are more nebulous and therefore more difficult to cover. Deductibles and retentions also vary, so it is extremely important to understand what is in the policy. The triggers on these policies can also be unclear because they usually offer first party coverage, but policyholders often expect them to work more like third party D&O or E&O coverages. Thus, it may be unclear when coverage is triggered, and time must be spent making this determination if there is an incident.
Florida AOB Update
Assignment of benefits (“AOB”) remains a major issue for the Florida homeowners insurance market. AOB refers to the practice where a policyholder signs over his or her rights to policy benefits to a contractor prior to the contractor making repairs. The contractor may then submit an inflated invoice to the insurance company for payment. According to the Florida Office of Insurance Regulation (Office), claims with AOBs have increased by 28% since 2010, and the frequency of AOB claims has increased by 46% over this same period. Florida Governor Rick Scott worked closely with stakeholders on a reform during the 2017 Legislative session, and both the Florida House and Senate advanced proposals, but the two chambers could not agree on treatment of attorney’s fees in connection with AOB, and neither proposal passed.
However, efforts to curb AOB abuse will continue. The Office recently approved changes to the policy forms of Florida’s residual homeowners insurer, Citizens Property Insurance Corporation, and Commissioner David Altmaier has stated that securing passage of AOB reform is the Office’s top priority for the 2018 Legislative Session. In the meantime, the Office and industry are taking steps to educate consumers about AOB abuse to limit its effects.
Fred E. Karlinsky, Shareholder and Co-Chair, Insurance Regulatory and Transactions Practice; Rich J. Fidei, Shareholder; Benjamin J. Zellner, Practice Group Attorney