A Call for Action and Education on a Sound Cyber Liability Policy

This is a guest blog post by Jesse Lyon, Associate Broker with AmWINS Insurance Brokerage of California. Jesse Lyon grew up in northern California and was educated at Saint Mary’s College of California, Moraga, where he took a double major in history and English. He presently lives in Reno, Nevada, where he has worked in financial fields including retail banking, residential property valuation, and professional insurance.

Let us be clear on this point: the Internet is never going away.  The Internet is only going to reach more broadly and deeply into all of our lives.  What needs to happen today is for insurance brokers and underwriters to realize that what clients need is a Cyber Liability policy that remembers the past fifteen years and looks thoughtfully towards the future, because we already know what damage can be done with the Internet.  A Cyber Liability policy that provides clients with protective coverage while remaining affordable for them and profitable for insurance carriers is urgently required by businesses in general.

Concerns for the creation of an effective Cyber Liability insurance policy, however, must face the currently accepted international definitions of war and terrorism.  Any cyber attack that is nation-state initiated or sanctioned must be excluded.  In the 20th century there were helpful definitions for war and an act of war in the Law of Armed Conflict (LOAC), but none of those definitions provide enough clarity in the 21st century when it comes to potential damage done in the cyber realm.  As an example of outdated language, the current wording in a Hiscox Cyber Liability policy for excluding war reads, in part: “based upon or arising out of any actual or alleged armed struggle, civil unrest or conflict.”  A cyber attack is not presently considered an armed struggle in LOAC; it is not civil unrest, nor is it considered a conflict.  This means that every nation-state sanctioned attack must be covered.  A nation-state collecting e-mails, usernames, and passwords, and using a company server as a command and control server, can create financial havoc.  Such acts by a nation-state run up against the current wording in Cyber Liability policies, which is focused on kinetic attacks only.  This must not be so.

The lack of clarity in current Cyber Liability policies also extends to a terrorist attack or terrorism.  The following is the current wording that Hiscox uses regarding terrorism: “based upon or arising out of any actual or alleged act or threatened act of terrorism, including but not limited to the use of force or violence.”  Stealing passwords, using a company server as a command and control server, and so forth fall outside of the Hiscox definition of terrorism, since violence and stealing passwords are in no way similar.  Moreover, the conditional phrase “not limited to” does not reasonably stretch to passwords or command and control servers.  But Hiscox is simply an example, as there are others, such as CFC, that either have outdated wording or are silent on war and terrorism.

Compensation for restoring an insured’s reputation after a cyber attack is a feature that more carriers are adopting today, but it is a feature that must be excluded from a Cyber Liability policy.  Cyber attacks will continue to occur with greater frequency and ever greater destructiveness.  Organizations such as Target, Anthem, JP Morgan, and numerous other companies will likely be attacked time and again.  To give an insured company millions of dollars each time to help restore its reputation is neither practical nor sustainable for insurers.  If Cyber Liability insurers pay out tens of millions of dollars every five years for repeated reputational claims alone, no insurer will financially survive the 21st century.  With cyber attacks becoming more and more common, the attacks will shortly disappear from most, if not all, news publications, especially attacks against the same company.  As they fade from the news headlines, so too will the consumer backlash against hacked companies diminish.  Therefore, reputational compensation provides no real value to the insurer or the insured company.

Insurers also need to become drivers of cyber security instead of being unwitting passengers when it comes to such security.  In the 20th century insurers were encouraged to be passengers because they depended on the legal system in developed countries to determine how a policy was written and how a claim was best handled.  However, that is no longer enough to justify the focused actions of insurers in the 21st century.  Going forward there are three areas in which insurers must concentrate their attention in order to best serve their clients and, ultimately, society at large.

First, if a person views the contributors to a publication like the “2015 Data Breach Investigations Report” from Verizon, there is only one insurer listed as a contributor to that report.  Such a fact is not unique: all other cyber security publications from organizations like McAfee, Symantec, FireEye, and so forth reflect the same limited contribution from insurers, and insurers are not producing their own comprehensive reports to make up for that deficit.

Additionally, Cyber Liability insurers need to become more proactive on the computer hardware and software side.  First, Cyber Liability insurers need to establish a baseline that insured corporations must meet.  On-site inspections need to be conducted to ensure that an insured company has current and fully up-to-date anti-virus software, a POS system (if the insured is accepting credit or debit payments), and a fully patched current computer OS, and it would be wise for such inspections to insist that the insured already has an efficient backup plan in place in case of a cyber attack.  Presently there is no industry-wide baseline that insured companies need to meet, which ultimately harms both the insured and the insurer.

Lastly, as technology companies implement new versions of software, or create new protocols, insurers need to proactively work with software technology companies so as to provide better defensive capabilities to the insured.  There are many organizations right now, not least institutions like MIT, the NSA, Lockheed Martin, or even a small company like SRI International, that are working on next generation computer encryption software.  RSA, and encryption algorithms based on RSA, such as OpenPGP, are on the cusp of being rendered largely useless by the coming quantum computing revolution, and this year there have been a number of serious discussions regarding quantum computing and the impact it will have on encryption.  But these discussions have taken place without the involvement of insurers.  Given the immense amount of Internet traffic that depends on encryption protocols, insurers cannot afford to be left out of the discussion of which techniques will be used in the future to secure Internet communications.  If insurers continue to ignore the issue of encryption, it will only increase the difficulty of helping to protect companies and of offering financially sound Cyber Liability policies.  Insurers need to work along with technology companies to ensure that the best and most useful hardware is created for use on the Internet.  For instance, on the mobile side Apple, Qualcomm, and Samsung have their own fingerprint hardware scanners.  Yet, of the three, Apple’s is presently considered the best.  But with no consensus among technology companies and no involvement from Cyber Liability insurers, there is no reason for Qualcomm or Samsung to work with Apple and thereby increase the likelihood of adoption of Apple’s fingerprint scanner hardware, or to work on a more robust fingerprint scanner, like the one from Next Biometrics.

Presently insurers are unwisely leaving security standards up to others who are unable to appreciate the nuances involved with insurance and who do not have the same responsibility to clients and society that insurers do.  Too many professional insurance brokers and Cyber Liability underwriters are unfamiliar with terms like APT, public key, or RAT.  Going forward, insurers need to be passionately involved in the creation of hardware and software security standards, since it will be those standards that help insurers educate and better equip insured organizations against cyber attacks.

The passive mindset of cyber insurers is not only hurting clients in the aforementioned areas, but it is also hurting them in much more mundane ways.  PCI fines are an area where insurers and credit organizations need to come together.  It is helpful for a Cyber Liability policy to cover PCI fines, but presently those fines can vary widely from one credit organization to the next.  How PCI fines are applied can vary significantly as well.  And, perhaps worst of all, it is far too easy for a business to fall out of PCI compliance.  Unless Cyber Liability insurers work proactively and thoughtfully with credit organizations, Cyber Liability insurers will only be able to offer a feature that, at best, helps a firm to avoid bankruptcy and, at worst, only enriches credit organizations.

This present-day attitude of the passive and unwitting insurance passenger must stop!  Cyber Liability insurers must be the drivers of computer hardware and software security standards and of comprehensive cyber security reports, and they must ultimately become deeply involved in the monitoring of the cyber realm.  In the 20th century insurers appeared after a mess was created, and they helped to make the insured company whole again.  In the 21st century insurers should focus on preventing damage done to insured clients through the Internet.  The 21st century needs insurers to be powerful advocates both for the insured and for a safe cyber realm as a whole.

In the near future Cyber Liability policies must be sharply designed to help an insured company mitigate the aftermath of a cyber attack by criminals, rogue or disgruntled employees (including former employees), and unintentional mistakes by any form of employee.  And the word “mitigate” is the correct word, since Cyber Liability insurance, for the most part, does not follow the principle of indemnity.  (After all, how can anyone ever truly know the cost of a data breach, and therefore how can an insurance company make an insured whole again when the cost of the damage is unknown?)  For such a policy to cover the damages of war or terrorism, to repair damaged business reputations, or to hedge against poorly applied standards or fines, like the current PCI fine, will result in unsustainable losses for insurers, losses that will negatively affect all Cyber Liability insurance companies for years to come.
