The Ever-Evolving World Of Cyber Coverage

Wilson Elser Moskowitz Edelman & Dicker LLP

More than 800 attorneys strong, Wilson Elser serves clients of all sizes across multiple industries. It maintains 38 domestic offices and another in London, and enjoys more extensive international reach as a founding member of Legalign Global. The firm is currently ranked 56th in the National Law Journal’s NLJ 500.

The following is a recap of Wilson Elser's May 2024 webinar "The Ever-Evolving World of Cyber Coverage," presented by the authors listed here. The program delves into rising cyber risks and regulations, trends in first- and third-party coverage, and how insurance policies are responding to developing cyber language.

Rising Risks and Regulations

In today's digital age, corporations have undoubtedly benefited from unprecedented connectivity and convenience due to an increased reliance on digital sectors. As a result, these businesses also are becoming especially vulnerable to cyber risks. In the webinar, Jonathan Meer states that "in this year, there have been more than five billion records compromised in certain cyber breaches," highlighting the magnitude of these risks for both insurers and insureds.1 Businesses are navigating complex cybersecurity risks, ranging from ransomware attacks and wire transfer fraud to pixel tracking and AI vulnerabilities, sparking a heightened interest in insurance coverage. The panel noted that while Warren Buffett, CEO of Berkshire Hathaway, has expressed reservations surrounding cyber insurance due to potentially huge losses, his recent investment in Chubb, a leading cyber insurer in the United States, suggests that perspectives in the industry are evolving.2

Due to these risks, cybersecurity regulations have been strengthened and enforced across state, federal and global levels, helping to mitigate the impact of data breaches. Global privacy laws, such as the EU's General Data Protection Regulation (GDPR), require companies to obtain permission from individuals before sharing their information and can potentially unify compliance efforts for multinational companies. Other regulations, such as the SEC's cybersecurity incident disclosure requirement, promote transparency among public companies.

Litigation Trends

The growing cyber threat is mirrored in litigation trends regarding data security events. The number of filed lawsuits has grown exponentially in the past year, ranging from large-scale class actions to smaller cases targeting small businesses. Notably, major class actions have been filed against corporations such as HCA Healthcare and 23andMe, each impacting millions of individuals.3 Many large cybersecurity litigations, like T-Mobile's $350 million settlement, were resolved.4 When evaluating a settlement, several factors are considered, such as the class size and the nature of the compromised data. Often, the sensitivity of the data correlates with the amount of money negotiated.

Insurance Coverage Trends

In exploring the current trends in cyber risk coverage, Rick Bortnick addresses in the webinar the issue of silent cyber, where certain insurance policies may not explicitly cover cyber risks, potentially leaving gaps in coverage. Such ambiguity raises questions regarding insurers' willingness to provide coverage for damages stemming from cyber-related events.

Richard Boone emphasizes first-party coverage in relation to Business Interruption (BI) Loss, which allows businesses to recover from interruptions caused by cyber-attacks. In a related case, New England Systems v. Citizens Insurance, the court broadened the scope of BI insurance to include not only lost profits but also lost business opportunities.5 Conversely, in the case of P.F. Chang's v. Federal Insurance Company, the U.S. District Court for the District of Arizona determined that expenses incurred by P.F. Chang's following a data breach were not covered under its cyber insurance policy.6 The panel noted that this case highlights the critical role that specific policy terms play in determining coverage. The webinar also addresses the expansion of third-party coverage, as insurers begin to include media liability within their existing cyber policies. However, this expansion is countered by court decisions setting limits on cyber coverage and insurers adding exclusions such as those for biometric information and war-related damages.

Key Takeaway

In response to new security threats, policies must adapt. As Jonathan Meer states, "the risks that existed five years ago are not the same today," highlighting how cyber criminals, using tools such as artificial intelligence, have become more sophisticated. Beyond policy expansion, practitioners must remain aware of and responsive to security risks to safeguard their systems effectively. Insurers have already enhanced cyber hygiene by imposing stricter underwriting requirements on companies applying for cyber coverage.

Given the current climate of cybersecurity, Siobhán Mueller anticipates that insurance companies will further "expand what these policies cover and how much an insurer pays out per incident." As businesses increasingly seek specialized policies and protections, the market for cyber insurance is positioned for continued growth, offering significant economic and societal value and fostering increased innovation in risk management.

Emma Gelch, a Wilson Elser summer staff assistant, facilitated the production of this article.

Listen to the webinar.

Footnotes

1 https://www.computerweekly.com/news/366583842/Over-53-billion-data-records-exposed-in-April-2024.

2 https://www.cnbc.com/2024/05/31/warren-buffett-worried-about-huge-losses-in-booming-insurance-market.html#:~:text=Buffett%20expressed%20concern%20about%20agents,phrase%20to%20describe%20the%20boom; https://www.cnn.com/2024/05/15/business/warren-buffett-berkshire-hathaway-chubb-stake/index.html.

3 Gary Silvers et al. v. HCA Healthcare Inc., U.S. District Court, Middle District of Tennessee (23-cv-00684); Picha et al. v. 23andMe Inc., U.S. District Court, Northern District of California (23-cv-06719).

4 In Re: T-Mobile Customer Data Security Breach Litigation, MDL No. 3073.

5 New Eng. Sys. v. Citizens Ins. Co. of Am., No. 3:20-CV-01743 (SVN), 2022 U.S. Dist. (D. Conn. Dec. 12, 2022).

6 P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322, 2016 U.S. Dist. (D. Ariz. May 26, 2016).
