Managing risks with cyber liability policies

April 24, 2023

On Sept. 8, 2022, Suffolk County, New York, learned that a professional hacking group known as BlackCat had gained unauthorized access to over 20 agencies within the county. Everybody from the police forces, to social services, to emergency dispatchers was forced to figure out a way to continue providing services to the county without their computers, data, email or internet.[1]

For almost a month, the county could not even perform a title search, which halted real estate transactions. Shortly after the hack, nonpublic information accessed by the attackers turned up on the Dark Web, including everything from sheriff’s records, to county contracts, to personal information on county residents.

Prior to the attack, Suffolk County had invested in cybersecurity and conducted simulations specifically to prepare for such an event. Yet the county’s systems lacked safeguards—such as multi-factor authentication, which has rapidly become standard for security purposes—and it remained exposed to an attack.

Cyber liability insurance policies will never fully protect a business from a cyberattack or cover all the subsequent costs of maintaining business operations. Yet in a rapidly changing area, they offer comprehensive risk management by proactively forcing businesses to rethink their security systems on a regular basis in ways that can reduce the potential damage of an attack drastically and allow for continued business operations. Thinking about a cyber liability policy as a more comprehensive tool to protect a business could show an organization how to prepare to keep operating and minimize the damage done by a security breach.

The application as a risk manager

In the last decade, multi-factor authentication has gone from a rarity to a standard business practice. Cyber liability applications and policies reflect this shift. Applications reflect cyber security measures that range from expected practices to newer measures designed to protect against current attacks. Questions also involve system designs and data storage to reflect how these structures and decisions may impact the severity of a cyberattack and the aftermath. Beyond a cyberattack, these also may help with business recovery after a natural disaster (think off-site backups).

Cyber liability policies and the accompanying applications are living documents, updated frequently to reflect the rapid changes in the risks. As a result, the questions asked about a cyber security program and system design give strong indicators regarding what measures businesses should consider adopting. In a review of cyber liability policies, the RAND Corp. found that the questions may vary, but fall into four general categories: 1. organization; 2. technical; 3. policies and procedures; and 4. legal compliance.

These categories reflect the factors of a comprehensive data security system. Simply installing a firewall and requiring a password does not protect a computer system. Increasingly, human behavior leaves businesses susceptible to security breaches through phishing emails, which can give a hacker a way into an organization’s entire data system. Simply limiting access to critical systems may not prevent an attack, but it can reduce the damage done by containing it.

Unlike regulatory requirements, cyber liability applications are regularly updated to reflect recent attacks and changes to the recommended best practices. Understanding the application questions and their purpose can help an insured complete the forms and emphasizes why certain policies may be required. While many measures included on an application may not be required by the cyber liability carrier for that policy, that, too, could change rapidly.

Understand the limits

In a study of over 100 CFOs and senior financial executives, FM Global found that 45% of the executives surveyed thought their cyber liability policy would cover most of the related losses from a cyber security event, while 26% of respondents expected all losses to be covered.[2] Yet, with the high cost of cyberattacks, insurers write policies to reduce and contain their own exposure. The coverage should be evaluated based on what’s covered, what’s excluded, and the applicable sublimits to ensure a proper understanding of the policy and of the potential exposure following a loss.

Generally, first-party coverage breaks down into four categories: 1. data compromise response; 2. identity recovery; 3. computer attack; and 4. cyber extortion.[3] When it comes to third-party coverage, the sublimits get broken down into compromised data, network security, and electronic media. While the lack of standardization makes it important to review each policy’s specific coverage terms, the evaluation of policies by the RAND Corp. found that there was not substantive variation in policy coverages.

The variations came from the policy exclusions, which could create problems for policyholders. Cyber liability policies may exclude criminal, fraudulent, or dishonest acts. Physical harm also may be excluded, even though it can be a consequence of a data breach. As cyberattacks become more complex, the exclusions may reflect the changes as insurers attempt to reduce their own exposure to increasingly expensive breaches.

The costs of a cyberattack

Beyond the challenge of understanding cyber liability policies is the cost. Underwriting cyber liability proves far more challenging for carriers due to the rapidly changing nature of the losses and the lack of historical data. The costs of data breaches have been increasing, especially with the rise of ransomware attacks. From 2020 to 2021, the average cost of a security breach rose 10%, with those costs almost certain to increase in 2022.[4] IBM Security estimates each piece of personally identifiable information stolen in a cyber security breach costs $180 alone.[5] While insurance could cover some of the expenses, other costs associated with a security breach would be excluded or not covered by the standard policy. Some of the costs, especially those associated with lost business and reputational damage, may be difficult to quantify, much less recover through an insurance policy.

This article originally appeared in the February 2023 issue of PIA Magazine.


[1] The New York Times, 2022 (nyti.ms/3hxunQ5)

[2] FM Global, 2019 (bit.ly/3HCbGWj)

[3] Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones. “Content analysis of cyber insurance policies: how do carriers price cyber risk?” Journal of Cybersecurity. Volume 5, Issue 1. February 2019

[4] IBM Security, 2021 (ibm.co/3WgjHUP)

[5] Ibid.

Bradford J. Lachut, Esq.
PIA Northeast

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs, responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.