Ransomware and demands, theft of personal health information (PHI), phishing for stolen passwords—cyber-related breaches come in many flavors.
These hacks are becoming more frequent and better designed, but they’re just the tip of the iceberg. There’s a whole world of risk hiding beneath what professionals commonly discuss about cybersecurity, and of which the public rarely gets wind.
Educate yourself about these hidden risks before they become all too familiar to your clients or your agency:
Regulatory enforcement action. Regulatory agencies have communicated their intentions and interest in enforcing cybersecurity loud and clear: Secure your data, maintain transparency with your data collection, report activity and remedy vulnerabilities. It seems straightforward enough, but 30 Federal Trade Commission actions last year alone—plus significant actions from the Securities and Exchange Commission (SEC) and a growing list of compliance requirements—suggest otherwise.
Moving forward, expect enforcement actions to escalate further. Agencies like the SEC have explicitly warned that more actions are on the way. Others are also entering the cyber enforcement arena, while some are widening their view on enforcement through oversight of ransomware security controls, pursuit of the small to midsize enterprise sector, and enforcement of foreign and cross-border cyber laws.
Most standalone cyber insurance policies provide an optional coverage agreement for regulatory defense, but the scope of coverage often varies. When securing coverage for regulatory proceedings, make sure to address the following:
- Does the coverage encompass resulting fines and penalties, including payment card industry fines?
- Does the coverage contain exclusions for unauthorized data collection practices and/or failure to report a data breach?
- How does the coverage define “privacy incidents”? Does it limit them to only breaches that affect personally identifiable information (PII), or does the definition extend to breaches affecting PHI and credit card information?
- How does the coverage define “regulatory proceedings”? When is coverage triggered? Does it require a formal suit?
Cyber-related litigation. The potential for cyber-related claims has long been discussed with relatively little materializing. But it’s just the calm before the storm—many experts speculate that 2017 may be the year these claims finally begin to surface.
Such claims can come in many shapes and sizes, from consumer or shareholder class actions to derivative actions. Those even vaguely familiar with securities claims know that when the market moves for the worse, a claim is soon to follow—which is exactly why shareholder claims in particular have been so silent.
Traditionally, breaches have not been market-moving events. And even when they are, companies tend to recover quickly. Still, because case law is so sparse regarding these claims, it is difficult to understand exactly how cyber and directors & officers policies will respond.
Keep in mind that certain clauses warrant extra attention. Cyber policies that contain broad securities exclusions would almost surely respond poorly, if at all; the same holds true for D&O policies with broad cyber-related exclusions. In situations where it appears both policies may respond, agents should attempt to coordinate coverage that addresses anti-stacking and “other insurance” provisions to eliminate finger-pointing between multiple carriers in the event of a loss.
Insider trading and market manipulation. The possibility of data breaches affecting the stock market has long been discussed, but a number of high-profile cases in the past two years paint a better picture of what that might look like. In the latest example, the SEC brought a case against an Expedia IT manager who exploited his role and access privileges to hack executive computers and extract private corporate information. He then traded on that information prior to its release in nine separate trades over the course of three years, gaining a net profit of $350,000.
It’s one of the first reported cases of an employee-based intrusion with the intent of insider trading—but with such substantial potential payouts, these attacks are all but sure to increase. If data breaches begin to impact stock prices, perpetrators may place short trades on target organizations prior to a hack in order to increase their bounty. The stolen data would likely be small potatoes compared to the resulting market gains, but even if shareholders and investors ignore the typical PII breach, cybercriminals will likely establish other creative ways to exploit the market through distributed denial-of-service attacks, or release of defamatory information about a company or its executives.
Also worth noting: Cybercriminals will likely attempt to manipulate the market by quietly shadowing employees, accessing data and potentially weaponizing that data. In contrast to the more familiar break-in entries, which clearly indicate an outside intrusion, these intruders would likely prefer to slip in quietly and leave without a trace. Identifying when such silent intrusions occur may require new security controls.
Make sure your insureds are aware of how these claims may arise. Shareholders may accuse a company of failing to take appropriate measures to prevent the stock drop. In situations where hackers silently intrude and weaponize financials or merger & acquisition data, investors and purchasing companies may allege fraud in the form of misrepresenting or inflating the company’s valuations.
In order to mitigate this risk, agents should seek appropriately worded D&O policies and pay careful attention to the scope of regulatory defense and investigation coverage, plus any cyber-related exclusions. They should also review the insuring agreements and definitions, such as the definition of “wrongful act”, to ensure coverage for claims that arise from security intrusions.
Cybersecurity whistleblowing. Most companies are familiar with whistleblowing claims, but few companies are aware that earlier this year, the SEC’s awards to whistleblowers surpassed the $100-million mark—which demonstrates that such claims are big business for regulators.
Companies that fail to disclose a breach or address cybersecurity vulnerabilities are now at risk. Defending a whistleblower claim is not fun; the company is left to deal with regulatory investigations and fines, while the whistleblower can receive a profitable reward—which makes the incentive strong.
When cyber whistleblowing claims occur, insureds may find coverage under both cyber and D&O policies. Amending the “insured vs. insured” exclusion is critical, and agents should also ensure that the policy provides coverage for formal regulatory and administrative proceedings and investigations against the entity, with broadened coverage for informal investigations against individual directors.
Organizations that are primarily concerned with data theft, income loss and notification costs are only seeing a small sliver of a much larger picture. While it is never possible to eliminate cyber risk entirely, encourage your commercial clients to take steps to mitigate the risk that arises from the above events, and to secure carefully structured D&O and cyber insurance policies.
Evan Bundschuh is commercial lines manager at Gabriel Bundschuh & Associates, Inc.