The evolving privacy regulation environment is likely to have reverberations for the cyber insurance space, especially as one of the strictest privacy laws in the United States is just around the corner.
One cyber expert says the California Consumer Privacy Act (CCPA) will have “a big impact” on this line of business.
“If the history of other professional lines of business is a judge, more regulations generally equal more risk and thus a bigger need for insurance,” said Michael Palotay, chief underwriting officer for Tokio Marine HCC's cyber and professional lines group. “I think that in the near future, cyber insurers will be much stricter about getting into the details about how our applicants are confirming they are in compliance [and] how they know they're in compliance.”
Notably, the law outlines some stiff penalties for businesses that violate its requirements – penalty thresholds that, according to PwC, could expose large California-based businesses to substantial risk. Intentional violations of the CCPA can result in civil penalties of up to $7,500 per violation, while the maximum penalty for other violations is $2,500 per violation.
“It's something that businesses will want to take very seriously – you've got some statutory damages on a per violation basis that can add up to really big numbers when you're talking about millions of consumer records, so the potential for a big loss is great,” said Palotay.
These fines also put insurers in an interesting and tough position, he added.
“A company could theoretically have millions of violations, so if insurers are providing a $1 million limit or a $5 million limit, but a company has $50 million-plus in exposure, it can quickly turn into a situation where we just basically have to give them the limit,” he said. “And they end up managing the defense on their own because they have way more to lose than what we have up on the limit. It's a weird dynamic that doesn't happen very much in my world, but my claims department has been warning that that can happen.”
The CCPA has two main penalty mechanisms – one where the government can come after a business for violating the law's requirements, and another where individuals affected by a data breach can sue the impacted company. One relief is that the question of whether a breach would be required before individuals could sue seemed to be in flux at first – an open-ended private right of action would have meant much more exposure for cyber insurers – but that question has since been clarified.
Nonetheless, the cyber insurance landscape will have to change to keep up with developments in the privacy space. Agents and brokers can do their part to help commercial clients prepare for the CCPA, as well as for the similar acts that will undoubtedly follow.
Cyber insurance and added risk management tools from Tokio Marine can also help businesses get prepared.
“Part of what you get with a policy is a robust risk management service, which is a combination of a website with a bunch of training materials that has a big section on CCPA and explains in layman's terms to our insurers what they need to be focusing on in order to ensure compliance,” said Palotay. “We also have various consulting services that are provided to the insureds, and we've been putting out a lot of education via webinars and other whitepapers to our insureds so they are fully informed about the law.”