Cyber policies offer too little: Lawyer

Cyber policies offer too little: Lawyer | Insurance Business America

Cyber policies offer too little: Lawyer
The day after Donald Trump met with the leaders of Apple, Google, Facebook, Microsoft and Tesla, a question arises for the insurance industry:

Did they talk about cybersecurity?

The question becomes even more pressing when later that Wednesday, Yahoo revealed one billion users’ data may have been compromised by a hack beginning in 2013.

Hacks are an area seriously under-covered by insurers according to Jim R. Woods, Co-leader of Mayer Brown's Global Insurance Industry Group.

The cyber lawyer points to Lloyd’s and the University of Cambridge’s joint 2015 study, Business Blackout, estimating damages between $243 billion to over $1 trillion in the hypothetical case of the US electrical grid suffering a catastrophic cyber-attack.
Woods said the biggest cyber coverage he’s seen is for $400 million and though Business Blackout calls this type of assault “improbable” the report also said it’s “technologically possible”.

The year 2016 has given Woods more grounds for concern.

“Odd catastrophes that have potentially occurred, including our recent presidential election where there was clear interference by foreign state operatives,” shows Woods other, previously unthinkable scale hacks can happen.

“Perhaps it’s time that brokers put together cyber bonds,” Woods said. “In order to provide sufficient capacity for the types of risks involved in a cyber-attack.”

Another, more recent report, this one from Allied Market Research, said the global cyber insurance market was set to reach a $14 billion value by 2022.

Though Woods agrees the report indicates companies are taking cyber safety seriously, he said that’s mostly regulator-driven.
Questions remain whether regulations will loosen or not under the incoming Trump administration, he said.

“I think we need almost a cabinet seat that deals directly with cyber,” Woods said. “I realize Homeland security has some cyber function, the Department of Defense has some cyber function, the FBI has a cyber function and others in the federal government have cyber functions.”

However, because of the broad scope, what hacks can do to companies, individuals and elections, Woods said cyber deserves a federal department.

He also advocated for uniformity of data breach disclosure laws throughout the US, adding most non-Fortune 500 companies don’t know what their legal responsibilities are following an online attack.

“Realistically, it (hacking) is a relatively new phenomenon that’s only occurred (on this scale) in the last two years,” Woods said.

But regulations continue to drive change. 

“If you’re an insurer with your head in the sand, you’re going to get kicked in the butt,” Woods said about hacker mitigation awareness.

Though liability for directors and operators has perceived to have grown, none have been convicted due to negligence from a cyber-attack in any American court.

That may not stay the case, Woods said.

The New York Department of Financial Services came out with a comprehensive set of regulations requiring all insurers have a detailed data breach response plan, a written information security plan, certification by a Board of Directors and from a Chief Information Security Officer.

The regulations go into effect January 1, 2017.

“If that standard is not adhered to, I think you’re going to see some derivative lawsuits and potential third party lawsuits for those who fail to follow those regulations,” Woods said.      

Related Stories:

CEOs risk lawsuits but Trump might make their life easier

Facebook blocks insurer’s plans to use social media profiles