The Value and Limits of Cyber Insurance


Cyber insurance can be an appealing addition to an institution's cybersecurity efforts, but understanding the limits of such policies is vital to managing risk.


Individuals managing institutions of higher education have many challenges, including the need to understand how the institution could be harmed by cyber threats. To address this need, in late 2017, the University Risk Management and Insurance Association (URMIA) and EDUCAUSE published a Cyber Insurance FAQ to describe some of the perils and pitfalls of cyber insurance. A collaborative effort, written by both risk management and information security professionals, the FAQ document is designed to assist institutions that are considering purchasing cyber insurance by explaining some of the features of this type of insurance. The FAQ sought to provide clarity around a number of questions:

  • What is cyber insurance?
  • What data are covered by cyber liability insurance?
  • What losses are not covered?
  • What is the process for buying cyber insurance?
  • What are the implications of cyber insurance for an institution's computing systems and processes?
  • What do institutions need to know about the claim process?

What's In a Name?

It goes by a number of names: cyber insurance, cyber liability insurance, cybersecurity insurance. For higher education institutions, the importance of cyber insurance extends far beyond what it is called. Learn more about how to incorporate cyber insurance into your institutional information security program with these resources:

The Role and Limitations of Cyber Insurance

The interest in cyber-risk insurance has increased in response to high-profile data breaches making headlines. Not only do high-profile breaches force individuals to take action (examining financial statements, looking into credit freezes, etc.), they also force the organization experiencing the breach to take a long, hard look at its business and information security practices. Organizations might purchase cyber insurance to help cover some of the costs associated with a data breach, yet the market for cyber insurance is still evolving. The terms and conditions of these policies are complex and require thorough analysis prior to purchase.

Cyber-risk insurance represents an important but limited tool to navigate issues surrounding privacy violations and data breaches. The National Association of Insurance Commissioners (NAIC) found that in 2015 more than 500 insurers were providing businesses and individuals with cybersecurity insurance, with the vast majority of the coverages being written as endorsements to existing commercial or personal insurance policies.1 Although cyber insurance can be a safety net for an institution that experiences a cybersecurity or privacy-related loss, an institution should not rely solely on such insurance when an incident occurs. At best, cyber insurance is a complement to sound information security policies and practices. Cyber insurance does not cover a number of different events and actions, and an institution should implement a comprehensive information security program in order to "mind the gaps" and fully reap the benefits of cyber insurance. Several of those gaps are discussed below.

1. Non-Standard Forms

Cyber insurance emerged in the late 1990s as a response to Y2K concerns. Estimates suggest that the cyber insurance market reached US$2 billion in premiums in 2014 and US$2.75 billion in 2015. As noted, in 2015 more than 500 insurers were providing cyber insurance in some form. Unlike other types of insurance, such as homeowners property insurance, there does not appear to be any standard cyber risk coverage form, and the terms and language vary from insurer to insurer and policy to policy.2 Depending on the policy year or carrier, an insured may gain or lose certain coverages and/or policy limits. While this may allow individualized insurance offerings for an institution, it may also result in policies that cannot keep up with evolving cybersecurity changes and emerging threats.3

2. Sources of Coverage

Coverage for data breach or cyber risk may also exist outside a dedicated cyber-liability insurance policy. Insureds have sought coverage under many types of policies, such as property or commercial general liability (CGL) policies. Litigation has been extensive over when and in what circumstances a CGL policy covers a data-breach claim.4 Furthermore, beginning in 2001, CGL policies began excluding "electronic data" from coverage.5 In 2014, additional exclusions emerged in CGL policies that were designed to eliminate coverage for cyber-related damages.6

3. Limitations on Coverage

Careful review of an insurance contract is imperative. In the absence of standard coverage language, the terms and coverage provided in cyber-liability insurance policies may vary widely. In many cases, there will be separate grants of coverage for first-party claims, such as coverage for data-breach response, and third-party claims. Further, cyber-liability insurance may have specific policy limits, sublimits, or deductibles for each type of coverage.7 These gaps may directly impact the value of the policy to an institution. One question to consider, for example, is whether the policy covers fines and penalties levied by a regulatory body. In addition to individuals, potential plaintiffs in a cybersecurity breach include the United States Securities and Exchange Commission, the Department of Justice, the Consumer Financial Protection Bureau, the Federal Communications Commission, the Federal Trade Commission, and state attorneys general.8 Also, care should be taken to determine whether costs or penalties are included in the definition of "loss" or "damage."9 It is foreseeable that a regulatory fine or penalty would not be covered under cyber-liability insurance. Another pitfall may arise due to separate policy limits applicable to damages, claims expenses, or costs. Social-engineering claims will also likely fall outside cyber-liability insurance policies based on similar exclusions.10

At first glance, coverage may appear broad, but a close reading of the insurance language reveals that the coverage is quickly narrowed and limited by endorsement or exclusion. Most, if not all, insurance policies contain numerous exclusions. In the context of cyber-liability insurance, care should be taken to evaluate all exclusions, in particular "Conduct Exclusions" that deny coverage for a loss arising from dishonest, fraudulent, criminal, or malicious conduct or an intentional violation of the law. For example, this type of exclusion could be implicated in a claim alleging an intentional distributed denial of service (DDoS) attack perpetrated against a claimant using the insured's computer systems while they were under the control of a third-party operator.11

4. Exclusions for Criminal or Intentional Acts

Insurance frequently excludes losses or claims attributable to intentionally dishonest or criminal acts, breach of contract, theft of trade secrets, unfair trade practices, and employment practices. Events not covered could include:

  • Deliberate acts of an IT staff member to delete files (both a malicious employee act and potentially a criminal act)
  • Failure of an institution to meet Gramm-Leach-Bliley Act (GLBA) security rule requirements for student financial aid data protection and a subsequent breach of those data (potentially a breach of contract and potentially a claim brought by a government regulator, which could be excluded in some policies)
  • Failure of a third-party and/or cloud vendor to protect any data entrusted to it (potentially a breach of contract)

Policies may only respond to negligent acts, and a determination that a loss arose out of an intentional act might eliminate coverage. Indeed, one district court held, for example, that allegations that a data vendor intentionally withheld requested information pursuant to the sale of a business did not trigger the insurer's duty to defend under its CyberFirst policy because there was no allegation that the insured's failure to provide the data was negligent.12

5. Importance of Security Program/Policy

The case of FTC v. Wyndham Worldwide Corporation serves as a warning regarding the failure to implement and enforce adequate cybersecurity measures and the inapplicability of cyber-risk insurance to all claims. In this case, hackers gained access on three occasions over a two-year period. The hackers acquired sensitive personal information stored on Wyndham's computers. The stolen data were used to make fraudulent credit card charges. The FTC sued Wyndham, contending that it failed to maintain a reasonably appropriate data security system for consumers' sensitive personal information in violation of Section 5(a)'s prohibition of unfair or deceptive trade practices. The FTC sought to compel Wyndham to improve its security measures. The court, in finding against Wyndham, found that the company failed to act equitably when it published a privacy policy to attract customers who were concerned about data privacy, failed to make good on that promise by investing inadequate resources in cybersecurity, exposed unsuspecting customers to financial injury, and then retained the profits.13

Other consent decrees involving the FTC detail various "unfair" security practices, including the failure to set up robust login protocols, protect against commonly known or foreseeable attacks from third parties, encrypt data, or provide cybersecurity training.14 An institution's main defense in these situations would be its policies, practices, and procedures, because it is likely that cyber-liability policies would exclude such losses from coverage.

6. Failure to Maintain Adequate Internal Controls

An enterprise should not consider its obligation to protect its data fully implemented with only the purchase of cyber-liability insurance. In one instance, an insurer sought to deny coverage and alleged that its insured failed to take even the most basic steps to protect its data, including failing to change default settings, failing to properly configure network devices, and being negligent in its processes to maintain security.15

A gap may exist, therefore, not only in the insurance coverage but also in how an institution implements measures and protocols to guard against loss of data. A carrier looking to deny coverage based on exclusions similar to the "Failure to Follow Minimum Required Practices" exclusion may look to the existence of objective and external standards, such as the ISO/IEC 27000 family of standards, as well as other standards set forth by NIST, and determine that the institution failed to take the necessary and prudent steps to safeguard its data.16

Cybersecurity Recommendations

Often underwriters will ask for risk assessments or other information related to an institution's existing information security policies and practices. Additionally, strong internal practices will integrate with typical cyber-liability policy coverages and minimize the gaps where coverage may not be available. Typically, recommendations include the following:

  • Have written policies and procedures
  • Update risk assessments as new threats and incidents arise, and conduct a risk assessment at least annually
  • Assign an accountable individual to oversee cybersecurity
  • Implement workforce security measures, including procedures to limit access to the minimum necessary private information related to job duties
  • Provide security training for all employees, including student employees
  • Ensure that contracts with third parties that have access to confidential information obligate them to comply with the standards that bind the college or university
  • Monitor training and contract compliance
  • Adopt a breach-response policy17

Conclusion

While important, cyber-risk insurance policies should be considered a last resort and are not a stand-alone remedy to address data-security issues. Cyber-liability insurance policies vary widely among carriers, have individualized coverage provisions, and may contain numerous exclusions limiting their utility to an institution. However, with careful reading, such policies provide a valuable adjunct to strong internal controls.

Notes

  1. "Report on the Cybersecurity Insurance Coverage Supplement," National Association of Insurance Commissioners, August 27, 2016.
  2. Scott Seaman and Jason Schulze, Allocation of Losses in Complex Insurance Claims (Thomson Reuters, December 2017). See Section 17.4, Cyber Risk Insurance Policies and Endorsements.
  3. Russell Cohen and Alison Roffi, "Cyber Insurance: An Overview of an Evolving Coverage," California Business Law Practitioner (Fall 2015): 111.
  4. Seaman and Schulze, Allocation of Losses in Complex Insurance Claims.
  5. Ibid.
  6. Ibid.
  7. Ibid.
  8. Danielle Gilmore and David Armillei, "The Future is Now: the First Wave of Cyber Insurance Litigation Commences, and the Groundwork is Laid for the Coming Storm," Insurance Law 2016 (February 2016): 10.
  9. Micah E. Skidmore, "Negotiating Coverage & Pursuing Claims under Cyber-Security & Privacy Insurance," Journal of Texas Insurance Law 13 (Winter 2015): 29.
  10. "Many cyberliability policies exclude 'voluntary parting' or 'voluntary payments,' that is, losses flowing from the insured's voluntary transfer of money to a third party." See Ken Kronstadt, "Insurance Coverage for Social Engineering Fraud," Westlaw Journal Insurance Coverage, January 26, 2018.
  11. Skidmore, "Negotiating Coverage & Pursuing Claims."
  12. Travelers Property Casualty Company of America v. Federal Recovery Services, 103 F. Supp. 3d 1297 (2015); Seaman and Schulze, Allocation of Losses in Complex Insurance Claims.
  13. Gilmore and Armillei, "The Future is Now," 11.
  14. Ibid.
  15. Ibid.
  16. Ibid., 5.
  17. Trace E. Miller, "Cybersecurity in Higher Education: Through the Regulatory Maze to an Integrated Approach" (presentation at the NACUA CLE Workshop, "College and University Compliance Programs: Succeeding in an Era of Change," Washington, DC, November 15–17, 2017).

Todd Beekley is Senior Associate Director of Risk Management for Academic Affairs at the University of Cincinnati.

© 2018 Todd Beekley. The text of this work is licensed under a Creative Commons BY 4.0 International License.