Jeff Kingsley, a partner with the law firm of Goldberg and Segalla, specializes in technology risks, notably cyber liability and cyber risk, an emerging sector with many variables and pit falls for the unwary, which he explained in an interview at the Reinsurance Rendezvous.
Cyber poses some interesting questions. “How do you quantify it; how do you place a value on something that’s intangible?” he said. Recent security breaches, involving several U.S. companies, have left a high profile footprint on those questions, and triggered the intervention of government regulators due to “public and political pressure.”
He explained that “it’s not only become an insurance and reinsurance issue in terms of quantifying it, it’s also becoming a directors and officers liability obligation in terms of the core philosophy of a corporation.” Businesses are under an obligation to provide adequate security.
In the sense that a corporation knew, or should have known, of the possibility of a data breach, they will increasingly be held responsible if one occurs, and won’t be excused from liability. Kingsley indicated that the imposition of these types of rules, which are designed to protect the public’s privacy, were widely anticipated in the wake of the highly publicized data breaches at Target and Home Depot.
They “highlighted the fact that there weren’t enough data security measures,” he said; and what regulatory bodies are doing is “placing those obligations as affirmative corporate core philosophies. If you don’t have them you are fundamentally breaching your duty as an officer and director of the corporation.” It’s “coming very close to strict liability,” he added.
The situation no longer gives corporations the leeway to think about implementing plans to protect their clients from data breaches, as target was apparently in the process of doing. “Now the response is you have to do something,” Kingsley said, “and not only do you have to do something, you have to do something that is sufficient.”
Therein lies the problem. “It’s cyclical,” he said; “because, how do you provide sufficiency on something that’s a moving target?” Security measures “may be adequate for one year, or one month – three, six or twelve months later – with new technology, new integration, harvesting and preserving that information consistent with your privacy protocol may change.”
Given the rapidity of those changes, Kingsley believes that “the D&O side will play a role in the whole cover,” and the nature of the risk indicates that it will become almost “an affirmative obligation” to transfer that risk to the re/insurance industry, “not only for the corporation, but also for its directors and officers. When you add that level of complexity on top of it, it makes pricing and shifting that risk all the more difficult.”
He cited Target’s experience of trying to assess what the “quantifiable damage” of the data breach was for its customers. “In the end they paid hundreds of millions of dollars,” Kingsley said, “but it was basically a lot of it for political and public relations issues, as well as dealing with banks. It’s a triggering event,” which in turn raises a number of privacy issues, “and their own issues with respect to preserving cyber liability.”
Cyber attacks have attracted more attention over the past 12 months, which Kingsley explained is “due to the high publicity in certain areas..” This has “created a ripple effect throughout the industry.” He warned, however, that for all of these efforts to contain data breaches, “you don’t know if it’s sufficient, until it’s breached,” which he described as a “chicken and egg scenario.”
Given the immense amount of data in all forms for “storing and maintaining information that is intangible,” designing adequate protections becomes a very difficult problem. “Hacking and [unauthorized] disclosures can come in all forms,” he continued. “How do we inject something that is ‘sufficient’ when we don’t know where the targets are going to be, because what has happened with those corporations last year – is last year; it will be something different; you need something that will be far more advanced, and you will always be playing catch up.” Whether that will be enough to satisfy regulatory requirements remains in question.
Kingsley, however, is not opposed to government regulations, which are needed to create some kind of ordered response to the multiple threats inherent in electronic data storage. But, ‘sufficiency’ is the main hurdle, and what the regulations are doing is effectively shifting “liability on to the directors and officers, so that they have some personal liability and are directly culpable for the inactions or insufficiencies of the corporation, then perhaps you’ll get a greater response and maybe be more sufficient.”
As insurers and reinsurers are closely tied to D&O liability coverage, they will be required to respond to the challenges posed by increased cyber liability. “They [re/insurers] are going to have to address [cyber issues] with new wording and new language,” Kingsley said. The terms and conditions of D&O policies need to be reworked. How you quantify it and how you understand what these new obligations may be is the first step. “Once you understand the scope of what is considered an additional obligation – as opposed to what it is not – then you can appropriately price the risk associated with it.
“There are two fundamental problems with that,” Kingsley continued. “One: you don’t know what the risk is necessarily, because you don’t have the length of time to create models, or to create expectancies as to what they risk may be. And Two: It’s constantly changing in terms of the ability to create that risk, because we’re talking about a fluid situation. D&O policies where there was an issue last year, may be inadequate. You have to inject certain policy language this year to cover that risk, and potentially spread that risk on to reinsurers, and it may be outdated at that point.”
As a result the situation “creates uncertainty as to how to manage that risk from a corporate perspective,” and “whether we are doing enough.” Kingsley said his clients are “constantly tweaking” their privacy policies “to make it better” in an effort to maintain their sufficiency. “It’s a very tricky situation, and it’s something we’re going to monitor over the next 12 to 24 months as governments start passing legislation on a state as well as a federal level to impose these obligations. Then the question will be ‘did you violate them?’ How did you violate them, and does that help or hurt in terms of getting to quantify and transfer that risk.”
Kingsley explained that when these types of obligations become a “core philosophy” for a corporation, it opens the door to civil liability lawsuits and claims. “When you have unexpected claims under a policy,” he said; “that’s where you have issues with respect to denial of that policy.
“Then it becomes the corporation’s own liability exposure. So naturally they [corporations] want to have as robust or broad terms and conditions to avoid that going forward.” Whether the re/insurance industry has the information necessary to draft and apply those terms and conditions is another question awaiting future answers.
While Kingsley is currently focused on the fallout from regulations and the question of ‘sufficiency’ for data protection, as well as the terms and conditions of D&O policies, he recognizes that other issues, such as climate change, and alternative capital also need to be addressed.
“Climate change, in terms of the cyclical nature of large losses, means the modeling needs to be redone,” he said. But other issues, including “water supply issues given the pressure on our natural resources, are creating a tension, or a bottleneck.”
It also carries over into the creation of “geo-political risk – in terms of terror risk.” The “volatile nature” of which affects businesses that operate in areas where it’s happening. As a result “the modeling and placing of the risks related to climate change are becoming more difficult. Droughts, famines, hurricanes and the risks to water supplies,” all play a role.
Emerging markets and insurance linked securities (ILS) also occupy the legal profession. Kingsley said: “When we’re dealing with these unknowns and these risks, we’re also talking about insurance linked securities and the capital markets.” Alternative capital, which some say complements and some say competes with, traditional capital has opened the door to the capital markets to enter the re/insurance industry directly.
“In terms of the relationship between the capital alternative markets and the [traditional] reinsurance markets, it’s not as strong,” Kingsley said. “If there’s a large loss in a traditional reinsurance dispute,” you can often mitigate or even eliminate the problem, “as you can discuss it at renewal.” When you have alternative capital markets, “you don’t have that strong a relationship,” and, as a result, you’ll see a greater amount of disputes – if and when we start seeing these heavier losses that may change the market.
“When you inject capital markets [into reinsurance] this lack of relationship building could pose a problem. You will see a lot more issues in terms of disputes or placing a premium on the language that you put into those agreements before you send them off.” As the alternative capital providers have other options as to where they put that capital, they may also be less inclined to renew reinsurance agreements when they’ve suffered a significant loss, in addition to disputing the loss in the first place.
The thing about “capital markets and ILS products is that they are novel Kingsley said, “and with novelty comes untested language.” We also have “pressures because of the overabundance of capital in the markets, so you try to lower legal costs and due diligence costs; you try to have a ‘one size fits all,’ and as a result that’s where you get into problems; where you don’t have the ‘tailored language’ appropriate for that particular product or placement, and that could become a problem in the near future.”
Was this article valuable?
Here are more articles you may enjoy.