If Mike McGavick is right, the business world will soon be carrying the equivalent of a massive database in a cell phone. Technology has moved so rapidly that not only the insurance industry, but also business in general, is now facing a sea change in the way all types of data, including personal and corporate information, are collected and stored. How well re/insurers deal with this new reality could well determine the industry’s future course.
Attorneys are on the front lines in seeking to define and master the challenges posed by the cyber revolution. Jeffrey Kingsley, an attorney with the law firm of Goldberg Segalla, is one who specializes in the arcane world of cyber risks. He explained what’s involved in an interview with the IJ at the recently concluded Reinsurance Rendezvous in Monte Carlo.
“One of the challenges that I think the insurance industry has in dealing with their perceptions of their modeling is taking a physical, tangible loss and transitioning how they can quantify that market and set premiums for that to an intangible loss,” he said.
The problem occurs ever more frequently “when you’re dealing with cyber risks, internet exposures, when you’re dealing with electronically stored information or ESI,” he continued. From his discussions with a number of insurance professionals he’s learned how to go about educating “the insurance industry from underwriters upward on an effective way that they can handle and appreciate those losses”: how can they market products designed to address those concerns “without taking substantial losses?”
The transition from tangible to intangible losses creates uncertainty, especially for the insurance industry. Kingsley explained that, when faced with such a situation, the industry experiences a condition he described as “paralysis by analysis.” It causes people to “analyze things too much, so that they can’t come up with a recognizable and cohesive model” to enable them to determine premiums.
It isn’t that re/insurers don’t use models. They basically “ask preliminary questions in terms of what the cyber risk is, what their internet exposure is and what data they have in terms of electronically stored information, protocols and procedures.” These are basic formulaic questions. The difficulty starts with the responses as to how you make the tangible/intangible transition.
As an example Kingsley posited the following situation: “Someone hacks into someone’s computer system and takes all of their data, and then asks that company for ransom to get their data back.” The loss to the insured company is “essentially the time it takes to hire a third party to ascertain, or try to quantify, the amount of data that was lost, as well as, after the information is put back, the amount of information and cost of having some type of credit monitoring to assure some type of security for those people whose data was breached.”
From an insurer’s point of view the above is analogous to a kidnap and ransom policy. It just happens to be intangible. “That is maybe the first step in gaining an understanding of the situation, so that there isn’t so much apprehension in the market as to the transition, as we all go into the digital age, where paper and tangible information is now stored on BlackBerrys, on servers, on backup servers all across the world,” Kingsley said.
Increasingly the “insurable interest aspect of a particular policy is less of an issue if you can make that analogy to something that people are familiar with. Then they can effectively transition their models to the intangible product.”
Kingsley explained that “while theft and breach is always the primary issue, you’re also dealing with privacy and confidentiality, especially in the U.S. market. As Facebook and all these people gain data and information – personal information and other information – with respect to various sources, the issue then becomes how does an insured then protect the confidentiality” of the various parties involved, and has that been communicated to them. There are risks of both an “intentional leak” and/or an “accidental disclosure of potentially confidential privacy information.”
Most insureds who handle that kind of data now “modify and enhance their protocols on their privacy protected products.” The risk of a breach is perhaps greater for accidental disclosures, which are then wrongfully used to cause harm to someone, than the intentional misappropriation of private information. This gives rise “to allegations posing breach of confidentiality issues,” as well as those arising from an intentional theft.
How does an insurer, in issuing an insurance policy, “ascertain those potential liability exposures for both the first party and the third party,” then becomes the question facing the industry. As with K&R, an intrinsic part of the policy is an undertaking to make sure the insured puts in place adequate security to prevent data breaches and theft from occurring.
“Especially in cyber, they [policies] are to gain up front protection, because it is a fluid situation; it’s changing daily,” Kingsley said. “How electronically stored information occurred last year is probably not the way that electronically stored information is occurring now.” It will again change by a year from now. Therefore, getting that up front security is “the real challenge to the insurance industry, because the fluidity with which the intangible market is changing causes problems as to how to ascertain and quantify the amount to adequately address the premium situation.”
How fast does the situation change? "Two or three years ago the way in which we stored electronic information was on back-up servers, now we're using cloud information, where it's 'off-site,' and that makes it easier to obtain information on a wireless network, as opposed to being tied in more on the land-line, broadband scenario," Kingsley said.
The fast pace of change contributes to the uncertainty surrounding cyber coverage. "You're changing into privacy information in other areas," and this raises the question for the insurers as to how they price policies, even for a short time, "in those fluid markets, which in a twelve month period of time could have a sea of changes."
He’s not exaggerating. It took many years for businesses to change over from mainframes to personal computers. It’s taken less than 10 years to go to laptops, to BlackBerrys, to iPads and smart phones. Trying to keep pace with a market that keeps running away from you is a difficult, perhaps impossible, task.
As an example Kingsley said: “A year from now [maybe even sooner] we’re no longer going to exchange business cards; we’re going to use our phones to provide information about ourselves.” Doing so will immediately disclose all of that information; it will bring it back into the servers, and to third parties.
“How you quantify that between now and twelve months from now is going to be a challenge for the [insurance] industry.” It’s no longer a “physical loss,” it’s a loss of information. As a result security becomes even more important. As soon as a policy is issued, the first thing the policyholder is looking for is security. But the insurers have trouble placing such policies, largely due to the uncertainty. “Things change, protocols change,” Kingsley explained. How information is protected and transmitted, how firewalls are employed, all of it “will change within 12 months.”
When there is a security breach, Kingsley said the primary risk covered is for business interruption. Then they assess the need for protection to third parties, who have provided the information. As an example he cited the recent theft suffered by LinkedIn, where data, information and passwords were stolen. The company undertook to provide “monitoring to the customers to give them some kind of security. That cost, and potential cost, could be anywhere between $80 and $100 per customer; as you’re talking about thousands, even millions, of customers, you’re talking about that kind of a loss.”
Again the question of security becomes paramount, as, when going from tangible to intangible information, an insurer has to be assured that the insured company “has the necessary protocols and procedures on the privacy side to insure that that information is secure.” Both the company and the insurance company are under a duty to “provide security to that individual, not only for the initial breach, but also to maintain and repair that relationship; so that the company can continue to provide and disclose information of a personal nature.”
Difficult as it may be to assess the risks of insuring intangible property, it also presents a whole new set of opportunities for re/insurers. They are perforce going to have to come to terms with it. Kingsley said: “I think the one thing is to embrace change, because change is going to occur; understand that electronically stored information, communications, how companies deal with things, is going to embrace and rely even more heavily on third parties electronically stored information. So the insurance industry needs to embrace that change, not be fearful of it.”
As each year passes “we get more and more data as to the losses, as to the risks, so that we can come up – even if we’re not comfortable using my [tangible property] analogy – with ways of insuring how they [insurers] handle it.” Eventually the additional information will enable the industry to learn more about cyber risk, and to construct models for those risks. However, part of that process requires an awareness that over a period of as little as 12 months – i.e. between placement and renewal – the situation, the risks and the protocols will change.
That has to be a factor, which is taken into account. “You have to build in uncertainty,” Kingsley stressed. “You have to try to keep ahead of the game, and it’s imperative for the insurance companies to provide that level of security up front, because that’s what people are looking for.
“Cyber risks, cyber liabilities – the intentional or unintentional breach of personal information – is becoming extremely important, especially in the U.S. market,” as regulators are becoming increasingly concerned about “confidentiality controls, and, if the business world doesn’t take action, you can be assured that the U.S. government and regulators will.”