The answer may very well depend upon whom you ask. If you are a cyber policyholder or their insurer, then the answer may well be yes, it does matter. If you are an individual whose personal data has been lost, stolen or even just revealed, then you may not care about the precise cause, but you will want compensation (if appropriate) as well as action taken to redress the problem.
Take the example of a massive disclosure of confidential client information as a result of a hack, or a leak, involving an international firm providing professional legal or financial services.
Whether it was a hack or a leak, a data loss of this scale is unlikely to be a spur-of-the-moment or opportunist attack by the proverbial teenager in a bedroom; it is more likely to be a well-planned breach executed over a period of time. This in itself poses difficulties for any responding insurance policies, depending on whether they are written on a “claims made and notified” basis or a “losses occurring” basis. Which policy responds will rest on when the breach occurred and when it was discovered and reported, as those terms are defined by the policy.
If the firm holds a cyber liability policy, its insurer may well be concerned as to whether this was a hack or a leak: a leak could be interpreted as a deliberate act of an employee (or director or partner), and so might be excluded. And what about other coverages? As a professional firm, it will also hold professional liability cover, which could be triggered. Whilst such a policy is unlikely to provide any first-party or breach notification cover, it may well respond to legal liability claims flowing from a breach of duty of care, including any misuse of (confidential) information. However, as with cyber risk policies, underwriters will want to determine whether any losses were caused by a hack or a leak, as dishonest, fraudulent and malicious acts of employees are often excluded.
Whether the proximate cause of the data breach was a leak or a hack, given the presumed data security lapses it may be argued that the insured was negligent in not adequately protecting clients’ confidential information. However, the actual losses flowing from such a finding might be difficult to quantify: in this example sensitive data may have been revealed, but not necessarily monetised in a subsequent fraud. The affected clients may well incur secondary losses (e.g. loss of sales, reputational damage), but may choose not to pursue legal action where further scrutiny in open court could exacerbate the problem. Even if only a handful of parties pursue an action against the insured, the defence costs alone could reach millions of dollars.
The complexity of this type of loss highlights the difficulties for insurers in covering such multi-faceted risks, where losses can arise from unexpected sources. The wide-ranging nature of cyber liability is a challenge for Lloyd’s, and in recent months, in consultation with the Lloyd’s Market Association, the market has been endeavouring to capture and assess cyber exposures. Lloyd’s is keen to monitor the prudential and systemic risks posed by cyber aggregation: “the most systemic risk that I’ve ever encountered in my insurance career”, according to Stephen Catlin, executive deputy chairman at XL Catlin [1]. That said, it would also be fair to say that those experienced in writing cyber risks are keen to demonstrate that they are actively engaged in talking to insureds, governments and security agencies about the threats that this relatively new class of insurance often covers. Insurance cyber risk models developed by Lloyd’s underwriters are rapidly becoming more sophisticated, and a host of cyber losses are contributing to the development of experience-based rating in this growth sector.
One of the challenges that a cyber underwriter faces is that of getting the right data to accurately price the risk. Brokers have different perceptions of what is needed, and clients and risk managers have limited experience of buying cyber risk products, so often don’t know how to collate and assess material information. Standard proposal forms only provide very basic information, and so the LMA’s Cyber panel has been instrumental in drafting a new cyber application form containing an enhanced question set. The data sought reflects the recently agreed common ‘core data’ requirements for cyber risks announced by Lloyd’s [2]. Risk managers should review these standards, which will promote a better understanding of their own exposure and the provision of more meaningful data to prospective underwriters.
Other challenges for underwriters include the imprecise nature of potential losses from a cyber event. Cyber coverage may be defined to include first-party losses such as regulatory fines and penalties, reputational harm and business interruption, amongst others, as well as third-party claims arising from any data breach. It can be the latter which poses the most problems. Typical cyber losses often involve the theft of credit card information or health data, for example; very different from the above example, where it might be alleged that leaked files revealed the provision of financial services designed to help clients reduce tax bills. It is unlikely that this information would have been revealed on a proposal form, so insurers have to think laterally about exposures.
The insurance implications of losses of this type are clearly complex, and the cover available will depend on the loss itself and on how it was caused (which may not be easy to identify). Such a loss clearly indicates the need to understand, holistically, the risks facing organisations, including what a major loss of data could mean for the business and its customers.