Attorney Jeff Kingsley on ‘Post Event’ Regulatory Changes, Cyber Liability

Jeff Kingsley, a partner in the law firm of Goldberg Segalla, specializes in the emerging and highly complex field of cyber liability and security, which requires explaining the difficult process of applying the long held givens of tangible property, i.e. bricks and mortar, to the Internet, which exists only in an electronic format.

We began the interview, however, with a discussion of the implications of natural disasters, specifically Superstorm Sandy. “The issue with Superstorm Sandy, along with a lot of other environmental catastrophes, particularly in the states, from what we’ve seen from being involved with the National Coverage Council for a number of carriers, is the injection of regulatory oversight that was unpredicted. It was not able to be seen, or foreseen, before you placed it.”

Carriers rely on certain norms and regulations being in place in areas such as lower Manhattan or New Jersey or Staten Island, but, Kingsley said, “what Superstorm Sandy has shown us, and it’s not atypical, but it’s a reflection and an education for the insurance industry on a going forward basis, given that these climate related or climate changing large scale environmental catastrophes are occurring on a more frequent basis, which the modeling for the insurance industry is changing and is catching up to it.”

As a result “we need to understand that work on a different set of parameters. Sometimes they inject or change the processes in which an insurance carrier handles these claims.” Sandy is a perfect example, as it caused “large scale damage,” but wasn’t classified as a hurricane.” Insurers in the states Sandy hit were required, before any denial of coverage “to enter into a mediation process.”

As there were literally hundreds of thousands of claims, the adjusters, who were required to attend the mediation meetings, were overwhelmed; therefore in many cases the carriers simply agreed to settle the claims, even if there were damages that “fell outside the scope of coverage.”

While the carriers mainly acted out of necessity and to avoid excessive claims handling costs, the reinsurers might well assert that, as these were “gratuitous payments,” there is no reinsurance coverage, “which puts the ceding insurer in a very difficult position.”

The implications for the insurance industry are significant. It seems likely that following high profile, major loss events, regulators will apply the same strictures. Kingsley noted that they’ve done so in the past, and with the possibility of more powerful storms and greater losses, they will almost certainly do so in the future.

Carriers should take this eventuality seriously, as disasters that maybe occurred on a 20 year basis, now may strike every 2 or 3 years. Post-event changes in the regulations covering insurance policies, as in Sandy, will affect the terms on which coverage is placed, as it becomes increasingly likely that policies, regardless of their initial terms, will be essentially rewritten by regulators following massive loss events.

Turning to Kingsley’s specialty, cyber liability, he said: “The area that I’ve seen the most development is in the states… a number of states requiring certain privacy disclosures and protocols impacting or altering the insurance carrier’s perspective on how to handle these third party cyber liability claims. Cyber liability, as opposed to cyber crimes, is a third party versus first party aspect of it.”

More states have taken on the responsibility to regulate matters concerning “third party data.” This particularly imposes a duty as to “how you notify the carriers and the public, if it affects a certain number of people.” As an example he cited California’s recent enactment of a stature requiring notification when more than 500 people are involved.

As a result companies are altering the terms of their privacy conditions, and are being forced to get into the cyber liability market, where they “were still hoping, or not understanding, the processes,” Kingsley said. They do, however, seem to be more aware of the distinctions between tangible and intangible property.

“Now when you get the regulators becoming involved, and telling them what notifications they have to do, what other securities and issues you have to do as basically the steward of third party data, they’re now flocking toward these types of policies. They want to understand that these notices and the cover address these concerns.”

Intangible property is increasingly part of our daily lives. Kingsley pointed out that the data on an Iphone is “intangible, it’s in an I-cloud, it’s data, it’s out there and its stored either off-site, on-site, or through a server or through some third party provider.” Physical files are less and less used, while intangible files, documents, records etc. replace them. “All of that information is now in the cyber universe,” Kingsley said.

“But because of that – those aspects of being intangible – some companies don’t understand that your normal insurance coverage may not cover losses for third party liability exposures to those technically intangible properties.” In Kingsley’s opinion the day is coming when intangible losses will outnumber tangible loss events for many companies.

Any form of data breach, whether intentional, such as hacking into data files, or unintentional, such as sending sensitive information to the wrong person(s), creates a “huge potential loss.”

The necessity to protect privacy, while increasing the use of intangible electronic data, means companies most look for “some type of cover to insulate themselves from a large scale cyber loss.” Kingsley expects policies dealing with those kinds of losses will, be evolving significantly over the next year or two.

Asked his opinion of the Reinsurance Rendezvous, he said “you really get not only the flavor, but you get the real – distilled down to its essence – the concerns and the issues that are associated with the industry; so it gives you an unbelievable leg up.”

Topics Cyber Carriers Legislation Market