Understanding Cyber-Related Claims
As businesses increasingly connect with customers via the Internet, the likelihood of a cyber breach increases. Just a few weeks ago, Adobe Systems said that hackers accessed data belonging to more than 2.9 million customers along with the source code to its software. And a survey by the Ponemon Institute revealed that close to a third of small businesses nationwide experienced a cyber-attack the previous year.
Timothy Francis, a second vice president for Hartford, Conn.-based Travelers, who serves as enterprise lead for Cyber Insurance, said adjusters can expect to see more cyber claims.
Francis, who also serves as co-chair of the 2013 NetDiligence Conference, said that cyber-related claims can trigger a number of policies.
“There are the policies that, in the industry, we would refer to as the cyber risk policies, although they may have slightly different names in the industry. Those are policies that are really dedicated to cover a variety of different events and exposures associated with the cyber world, principally around the expenses and the costs and the liabilities associated with private and confidential information being compromised, but there are some additional coverages as well,” Francis said.
There can be peripheral losses, such as business interruption when a commercial entity’s computer systems are down. Francis said the business may be unable to sell products or services and may have a business income loss as a result.
“That often is part of the challenge in this dynamic is making sure that both agents and brokers, claims professionals, and certainly customers…are aware of the differences between coverage, the difference between products and what the products are really meant to do,” said Francis.
“There’s a host of exposures that come if that information gets compromised,” said Francis. “The types of claims that we’re seeing are claims dealing with what are the damages that a company may suffer because their information that they’ve taken in and been entrusted with have suffered. Oftentimes, because of different state regulations, when a data breach happens, the customer will begin to incur expenses, even really before there’s a claim,” he said.
A business will normally have to conduct an investigation to determine the scope of the breach. Questions that need to be answered include:
- What information was compromised?
- How was it compromised?
- Was it a hack and are the hackers still in the system?
- Was it simply an employee who lost some software or hardware and is it retrievable?
- How many victims or individual records are at risk?
The Travelers’ cyber expert said that claims handlers need to make sense of the initial situation and determine whether there’s coverage under the policy as well as help guide the insured towards remedying the situation.
Cyber policies will cover many of the expenses associated with completing a forensic investigation.
“Typically, depending on the complexity of the data breach, outside vendors, technology specialists, will be brought in and try to work on‑site with the insured to work within their computer systems and fix the breach,” said Francis.
If a data breach is confirmed, Francis said the next likely step is to obtain legal advice because 47 states have laws governing notification of victims. In general, those states require that once an organization or a business is aware that a breach has occurred, the firm must notify the victims.
“There’s a whole myriad of different state law. Often, legal advice will be needed, and the insurance policies will pay for that advice as well, typically,” Francis said. “Following notification, if it’s a large breach, there may be the need to set up a call center so that now victims who are notified that their data’s been compromised can call in and get some basic advice. It may be on the claim handler to help the insured set up or at least pay for that call center.”
Adjusters may also be called to help provide credit monitoring or additional services to potentially affected victims.
“That whole area is what we would refer to as the first‑party cost to deal with a data breach. Even if that’s done very well, there still can be liability claims brought against the entity, brought by the victims, alleging that they’ve suffered real damages as a result of the data breach. A claim handler may be dealing with a first‑party loss, they may be dealing with a third‑party liability claim ‑‑ all covered under the same policy,” Francis said.
If there was a failure to notify or a delay in notification, it is more likely that a liability claim, civil suit and/or regulatory action will be filed against the business.
“In some cases, failure to notify within a matter of days has been attributed as a deficient response and companies have been fined as a result,” Francis said.
Assessing and calculating damages in a cyber breach claim can be complicated.
“The practical application is it’s sometimes hard for those victims to really say what tangible losses they’ve suffered. Because even though the data may have been compromised, and even if you know that it’s been taken by a criminal hacking organization and sold on the black market, which is often the case. While it’s presumed, perhaps, those victims are more likely to suffer some identity fraud, until that identity fraud actually may occur ‑‑ in other words, the people taking that Social Security number and actually perpetrating a fraud ‑‑ it’s difficult for them to actually quantify the loss. In many cases, they won’t suffer a loss, or they won’t suffer a loss for some period of time,” Francis explained.
Cases involving data breaches are especially tantalizing to plaintiffs’ class‑action attorneys, Francis said.
“Certainly, when you have numbers that are over a million, let alone approaching hundreds of millions, that often is very compelling to plaintiffs’ class‑action attorneys, who see a set class of people that have suffered a similar event and potentially similar damages,” he said.
Because litigation relating to cyber losses is so new, case law is evolving rapidly.
“There’s less data out there on trial verdicts with cases, but it’s often very, very expensive to defend these matters,” said Francis.
Studies have estimated the average cost of a cyber-claim.
“There are a number of different industry studies, and they range pretty significantly, depending on the groups of companies being surveyed,” Francis said.
He said a statistic cited by the Ponemon Institute puts the average cost of a data breach at $194 per record.
“Other statistics will say that the average cost of a breach, in total dollars, is somewhere in the neighborhood of $5 million. I think one of the takeaways is, even for small and mid‑size companies, where you might think, ‘Well, they don’t have a lot of data. They’re never going to have a breach of 100 million records because they don’t have 100 million records in the first place.’ Those companies, actually, the smaller they are, they may not suffer from the largest breaches or the most expensive breaches, but sometimes those forensic investigation costs can be pretty expensive, because they don’t have the internal people to really help. At $194 a record, if you’ve even got a breach of 1,000 records, that gets really, really expensive for even a small company,” Francis said.
According to Francis, most cyber claims that are in litigation are settled before they go to trial, but there can be a considerable amount of defense expense.
Since cyber-related losses are relatively new, adjusters may not be familiar with coverage applicability.
“A lot of claim handlers that have handled traditional claims really haven’t had the experience with cyber‑related claims that they have with the traditional claims that come from the normal perils. Often, a cyber claim, a true data breach claim, may not be covered under a certain policy, but certain elements, depending on nuances, could,” said Francis.
He emphasized the importance of reviewing policy language and any endorsements.
“Oftentimes, depending on the complexity of the matter or the technical nuances of how a particular event took place, those claims handlers may need to reach out to other experts within their company who are more used to or more expert in the vernacular of cyber and the way things occur in that space,” said Francis.
As cyber-related losses become the norm, adjuster training in the area is growing.
“Even if they’re not necessarily dedicated to handling cyber claims under a cyber policy, there’s a growing trend that those claim handlers have some degree of proficiency and, if not expertise, knowledge, of what a cyber policy would cover, so that when they’re handling the claims, they know whether those certain exposures might be covered elsewhere, under other policies,” said Francis.