
Data Breach and Due Diligence: Why Boards Need to Get Involved with Cyber Insurance

Cyber liability insurance can do more than defray the costs of a data breach: it can improve an organization's overall preparedness and may reduce the exposure of directors and officers to shareholder lawsuits. This post explains how.

According to Forrester Research, 88 percent of the S&P 500's market value consists of goodwill and intangible assets such as reputation, brand, and customer experience. Data breaches can seriously damage those intangible assets, which boards of directors have a fiduciary responsibility to protect. In fact, a recent study by New York Stock Exchange (NYSE) Governance Services and the application security company Veracode concluded: “…[T]he extent of the brand damage caused by breaches is often linked to boards’ level of preparedness. It is, therefore, a board’s fiduciary duty to ask the right questions to ensure due care has been followed.” Due care may include overseeing the organization’s cyber security readiness, regularly reviewing critical assets and risks, and ensuring that the organization has a working incident response process in place. It may also include ensuring that the organization carries appropriate cyber liability insurance. Such insurance can do more than defray the costs of a breach: it can improve overall preparedness and may reduce the exposure of directors and officers to shareholder lawsuits.

Data Breaches May Put Boards at Risk

Shareholders and regulatory agencies are increasingly holding organizations and their boards accountable for data breaches. In December 2015, Wyndham Hotels and Resorts agreed to settle a suit by the Federal Trade Commission (FTC) charging that Wyndham’s security practices had exposed consumers’ payment card information in a series of data breaches, constituting unfair business practices under the FTC Act. The proposed federal court order would require Wyndham, for the next 20 years, to obtain annual audits of its information security program confirming that it complies with the Payment Card Industry Data Security Standard (PCI DSS). Boards are also increasingly facing shareholder lawsuits. In 2014, directors and officers of Target were named in four shareholder derivative lawsuits that are still pending. A derivative suit against Wyndham’s directors was dismissed, but only after the directors showed the court that the board had investigated the breaches and considered the FTC action before refusing the shareholder’s demand.

The Securities and Exchange Commission (SEC) is also taking a more active role in cyber security issues. SEC Commissioner Luis Aguilar, speaking at a recent cyber security conference, stated: “Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cyber security measures needs to be a critical part of a board of director’s risk oversight responsibilities.”

Why Cyber Liability Insurance “Now,” Not “Later”

Cyber liability insurance can help mitigate the financial risks of a data breach, and because it pushes organizations to prepare, it can also help mitigate legal liability down the road. The first step is a thorough, organization-wide risk assessment and risk analysis; that groundwork makes for a far more informed discussion with the carrier about the type and amount of coverage your organization needs. Be clear-eyed about the limits of coverage as well. As the March 2016 Advisen report Mitigating The Inevitable: How Organizations Manage Data Breach Exposures (“the Advisen Report”) notes: “…more and more organizations rely on cyber liability insurance to help mitigate this risk. But while cyber liability insurance has proven effective in covering certain cyber-related losses, other types of losses may be excluded under the policy. Additionally, many breaches fall beneath the minimum number of records required to trigger coverage.”

An organization can make a rough estimate of how much first-party cyber coverage it needs from the number of PII (personally identifiable information) and/or PHI (protected health information) records it holds, whether its own or held on behalf of a third party. Industry reports vary, but average total breach costs range from roughly $145 to $204 per record depending on industry sector, with notification costs (mandated by state breach notification statutes) making up a significant share of the total. Multiply the per-record average by the record count: at those averages, a breach of as few as 2,200 records, the average breach size in the Advisen Report, could easily run to more than $330,000 in total breach costs, and breaches involving multiple millions of records, which have become increasingly common, run to the hundreds of millions of dollars. Treat such an estimate as a starting point rather than a ceiling; it does not capture business interruption, regulatory penalties or litigation defense, which are discussed below.

As traditional insurance coverages are increasingly asked to respond to cyber claims, beware of assuming that your commercial general liability (CGL) policy will cover data breach costs. A recent U.S. Court of Appeals ruling did hold that an organization’s CGL carrier was obligated to defend a class action brought after a data breach, but some CGL carriers may now look to rewrite their policies to explicitly exclude defense costs stemming from data breach lawsuits going forward. Traditional insurance products were simply not constituted, in either the underwriting or the premium charged for the risk, to absorb unintended cyber claims, and how to handle them is a major issue the insurance industry is grappling with at present.

Now for some good news: cyber liability insurance can deliver big benefits beyond covering breach costs. Insurers have every incentive to help policyholders prevent data breaches and limit their impact. Accordingly, most carriers review an organization’s cyber readiness before issuing a policy, and many provide resources to help organizations improve their privacy and security risk profiles. These resources may include risk assessment tools to help identify and address vulnerabilities, templates for creating and exercising an incident response plan, guidance on writing privacy and security policies and employee security training programs, and updates on the latest cyber threats. According to the Advisen Report, 70 percent of respondents said that their cyber insurance policy offered free tools to help manage their cybersecurity risks, and 44 percent had used them. In litigation following a breach, a record of having used these measures can help demonstrate that the organization acted responsibly and with due diligence to prevent the breach and to mitigate its impact.

Cyber Insurance Coverage Dissected: First Party vs. Third Party – What’s the Difference?

Having enough of the right type of cyber liability coverage is critical, but so is understanding why other insurance policies already in place may or may not respond to the various costs of a data breach event. Boards should consider the following standard components of cyber liability coverage, bearing in mind that other policies may not serve as “back-up” coverage depending on the facts and circumstances of the event:

  • First party cyber insurance addresses the policyholder’s own direct costs from a covered data breach event. These typically include legal, forensic and public relations/crisis management costs; sometimes business interruption costs and ransom payments stemming from cyber extortion; and, always, the notification costs mandated by state and/or federal law where applicable, which are frequently the biggest item in the first party bucket. Notification costs are the often-substantial costs of notifying the individuals whose PII and/or PHI was compromised. Many carriers’ first party coverage also pays for a specified period of identity protection services for those individuals. You cannot count on a CGL policy covering these first party costs, and sublimits added to traditional, non-cyber policies are often inadequate, making a dedicated, stand-alone cyber liability policy essential.
  • Third party cyber liability coverage addresses defense costs and potential settlements stemming from alleged harm to outside parties. (Note: some carriers count the cost of providing credit monitoring and/or identity protection services against the policy’s third party liability limits, so read your policy carefully to understand how the limits apply in different breach scenarios.)
  • Director and Officer (D&O) liability insurance is the traditional coverage that indemnifies the organization’s directors and officers for covered “Wrongful Acts” committed, or allegedly committed, in that capacity, and it almost always offers full policy limits for entity/organization coverage as well. In July 2015, the Seventh Circuit Court of Appeals ruled in a consumer class action against Neiman Marcus that the plaintiffs (customers whose data was exposed) did not have to wait to become actual victims of identity theft or fraud before they had standing, the legal prerequisite for proceeding with a lawsuit. That ruling concerned customers rather than shareholders, and whether it will open the door to more shareholder suits against directors and officers in the wake of data breaches remains uncertain; only time will tell.

While it is important to have cyber insurance to cover as much of the potential cost of a data breach as possible, many organizations that have already purchased a policy may still be inadequately insured. The NYSE/Veracode survey found that 91 percent of respondents had coverage for business interruption and data protection, but only 54 percent had policies that cover notification and remediation costs and regulatory fines and penalties. The survey also pointed out that having a cyber policy does not guarantee that the policy will respond when you make a claim. It cited the case of BitPay, whose $1.8 million claim was rejected by Massachusetts Bay Insurance Company; the insurer’s position was that funds an executive had been tricked into transferring by spoofed e-mails were not a “direct” loss from an intrusion into BitPay’s own systems under the policy’s terms. More organizations now recognize that no cyber protection program is perfect: 52 percent of survey respondents said they are seeking specific employee/insider threat liability coverage, and 35 percent are seeking coverage against loss of sensitive data caused by software coding and human errors. These coverages are not standard in all cyber liability policies on the market today, so read the policy’s definitions, exclusions and trigger conditions before a loss, not after.

Cheap at the Price

Governance may be seen as the art of stewardship: creating the greatest good with finite resources. Balancing spending between business development and protective measures such as cyber liability insurance is one of many challenges boards face today. According to Inga Beale, CEO of Lloyd’s of London, the $2.5 billion of cyber liability coverage the insurance industry writes is a small fraction of the $400 billion a year that organizations lose to cyber attacks. Beale also noted that the organizations best prepared for cyber attacks are generally the ones that buy cyber insurance (Fortune, January 2015).

According to a Reuters article, PricewaterhouseCoopers (PwC) predicts that the cyber insurance market will triple to about $7.5 billion by 2020 (Reuters, September 2015).

If there remains any doubt about the value of and the need for cyber insurance, think about how you protect your own life and family. Tooth decay and burglary aren’t inevitable events, but you brush your teeth every day and lock your door when you leave home. Auto accidents, house fires, and natural disasters aren’t inevitable events either, but if you’re a car owner or homeowner, you would never consider going without auto or homeowner’s insurance.

In today’s fast-evolving cyber risk landscape, the sad fact is that data breaches are almost inevitable. As the Advisen Report notes, “Every organization—in every industry and of every size—that collects and stores sensitive data is exposed to cybercrime and is at risk for data breach…The reality is that most organizations have already experienced a data breach whether or not they know it.” If you know that loss is a matter of “when,” not “if,” then securing appropriate insurance coverage for your organization clearly reflects due care and due diligence.

This discussion is intended for educational purposes only and should not be construed as legal advice or opinion with respect to any specific set of facts or circumstances. Consult a designated privacy counsel for advice or opinion regarding a specific set of facts or circumstances.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.