In my last posting on this blog, I opined that cyber incursions and the resulting lawsuits, defense costs, and damages payments are as inevitable as death and taxes. Thus, most companies are now trying to purchase some type of cyber insurance to cover these risks. The next question is whether your insurance will really cover a particular risk you face. My last article discussed a single product that would provide security and guarantee coverage for any breach up to a specified limit.

Today I want to discuss other defensive measures that a company might take against the inevitable, and how that might make coverage in the event of a breach more likely under a standard cyber insurance policy. Our last posting by Ms. Del Prete discussed the standard exclusions and conditions in the most common cyber policies. Those policy provisions require, e.g., that the insured follow industry standard security practices and take reasonable precautions against data breaches before coverage will attach for an incursion. Subject to the purchase of an extended retroactive date, they also exclude breaches that occurred long before the beginning of the policy or which were facilitated by an incursion that occurred prior to the beginning of the policy.

Of course, these provisions raise additional questions, such as what counts as industry standard security practices or reasonable precautions? There seem to be no decided cases on these issues yet. But all sorts of security packages that might meet these standards are commercially available, and some new products may provide interesting adjuncts to existing cyber defenses. These new products typically monitor all data traffic to and from a company’s system in order to identify attempted attacks, phishing that could facilitate a future attack, system vulnerabilities, and outbound access to websites and countries suggesting that someone may be placing the company’s system in danger. For example, if an employee who has no need to deal with countries like China, Russia, or various eastern European nations, which are generally considered hotbeds of hacking, starts contacting websites in these countries, the software will question that access and notify the company, so that the company can eventually cut off the link if no good explanation is given. If hackers attempt to breach a firewall or otherwise enter a computer or system to explore future attack possibilities, an alert is raised so that the user can be shut down or the specific attack or phishing attempt analyzed. The targeted alerts provided by these new products may make it easier to resolve the more important issues and ignore the less important ones. Such services may also help detect and log efforts to find a breach as soon as, or even before, it happens, so as to avoid policy exclusions for losses due to prior acts and for breaches that occurred prior to the effective date of the policy (or the retroactive date).
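To make the two alerting ideas in the paragraph above concrete, here is a small added example (not code from the original post or from any vendor's product): it reads constructed outbound-proxy and firewall log lines, flags employees contacting countries outside an assumed per-user business-need list, and flags a source that keeps hitting blocked ports as though probing the perimeter. The log format, the user-to-country table, the country codes and the threshold are all assumptions chosen for the demonstration; the output is a list for an analyst to review, which matches the post's description of the company questioning the access before deciding whether to cut it off.

```python
"""
Added example: geography-based outbound alerting plus a simple perimeter-probing
alert, both over constructed sample logs. Field layouts and thresholds are assumed.
"""
from collections import defaultdict

# Constructed outbound records: timestamp, user, destination host, destination country code.
OUTBOUND_LOGS = [
    "2024-03-01T09:01:10Z alice example-supplier.de DE",
    "2024-03-01T09:02:30Z alice mail.example.com US",
    "2024-03-01T09:05:44Z bob cdn.example.net US",
    "2024-03-01T09:06:02Z bob files.example.ru RU",
    "2024-03-01T09:06:59Z carol api.example.cn CN",
    "2024-03-01T09:07:15Z bob files.example.ru RU",
]

# Constructed firewall records: timestamp, action, source IP (documentation range), destination port.
FIREWALL_LOGS = [
    "2024-03-01T02:00:01Z DENY 203.0.113.7 22",
    "2024-03-01T02:00:02Z DENY 203.0.113.7 23",
    "2024-03-01T02:00:03Z DENY 203.0.113.7 3389",
    "2024-03-01T02:00:04Z DENY 203.0.113.7 445",
    "2024-03-01T02:00:05Z DENY 203.0.113.7 8080",
    "2024-03-01T02:00:06Z DENY 203.0.113.7 8443",
    "2024-03-01T02:10:00Z ALLOW 198.51.100.9 443",
    "2024-03-01T02:11:00Z DENY 198.51.100.9 22",
]

# Assumed per-user "business need" countries; in practice this comes from role or HR data.
ALLOWED_COUNTRIES = {
    "alice": {"US", "DE"},   # works with a German supplier
    "bob": {"US"},           # no foreign business contacts
    "carol": {"US", "CN"},   # supports an office in China
}

# Assumed threshold: this many distinct denied ports from one source looks like probing.
DENY_THRESHOLD = 5


def parse_outbound(line):
    """Split one outbound record into its four whitespace-separated fields."""
    ts, user, host, country = line.split()
    return {"ts": ts, "user": user, "host": host, "country": country}


def parse_firewall(line):
    """Split one firewall record; the port is returned as an int."""
    ts, action, src, port = line.split()
    return {"ts": ts, "action": action, "src": src, "port": int(port)}


def unexpected_country_alerts(lines, allowed=ALLOWED_COUNTRIES):
    """One alert per (user, country) pair outside the user's allowed set.
    Returns sorted (user, country, hosts) tuples so an analyst can ask for an explanation."""
    hosts_by_pair = defaultdict(set)
    for rec in map(parse_outbound, lines):
        if rec["country"] not in allowed.get(rec["user"], set()):
            hosts_by_pair[(rec["user"], rec["country"])].add(rec["host"])
    return sorted((u, c, tuple(sorted(h))) for (u, c), h in hosts_by_pair.items())


def probing_alerts(lines, threshold=DENY_THRESHOLD):
    """Flag sources whose DENY events touched at least `threshold` distinct ports.
    A single blocked connection is noise; many distinct ports from one source is not."""
    ports_by_src = defaultdict(set)
    for rec in map(parse_firewall, lines):
        if rec["action"] == "DENY":
            ports_by_src[rec["src"]].add(rec["port"])
    return sorted(
        (src, len(ports)) for src, ports in ports_by_src.items() if len(ports) >= threshold
    )


if __name__ == "__main__":
    for user, country, hosts in unexpected_country_alerts(OUTBOUND_LOGS):
        print(f"REVIEW: {user} contacted {country} hosts with no business need: {', '.join(hosts)}")
    for src, n in probing_alerts(FIREWALL_LOGS):
        print(f"ALERT: {src} hit {n} distinct blocked ports; possible perimeter probing")
```

Run as a script it reports bob's contact with a Russian host (alice's German supplier and carol's Chinese office are within their allowed lists) and the single source that touched six blocked ports; the source that was denied once is ignored. Country codes are a coarse signal, so the first function deliberately collects the hosts rather than acting on its own, leaving the "no good explanation" judgment to a person.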

It appears that these types of new products and services may be folded into network equipment or services provided by ISPs as standard security defenses. If a purchaser of cyber insurance does not also purchase these services, that may allow the insurer to seek to decline coverage for a subsequent breach. Indeed, perhaps the carriers themselves will provide and/or certify such adjunct services (as some carriers have already done), much as they have also provided safety inspections and other loss-prevention services as part of their standard property and casualty insurance services. The broad use of such products and services ultimately may even lower their cost and make them even more desirable. It could certainly make them a required part of security defenses that insurers may require policyholders to implement to avoid policy exclusions.

The anticipated requirement for such products and services also presents the question whether they may make the policyholder’s website or other business less user friendly by requiring more password-type defenses before a customer can access her own data or otherwise use the site. It appears that using facial recognition and/or fingerprints as a permitted substitute for increasingly bizarre passwords and two-factor authentication, both of which make it hard for a customer to access her data, might well solve that issue. These types of alternative authentication would appear to provide relatively hack-proof identifiers for customers seeking to access their data on a site.

Unfortunately, recent regulatory efforts in Illinois and California seem to detract from making data access more user friendly by requiring increasing levels of specific consent for storage of the data required for this type of fingerprint or facial-recognition authentication. While it is an issue whether third parties might misuse both types of data if they can gain access to it, the government has had a treasure trove of fingerprint data for a very long time, and it seems that facial data is no more subject to abuse. There is also a claim that faces and fingerprints can be spoofed, but they still seem more hack-proof than random passwords and two-factor authentication.

Regardless, a carrier might well require that its insureds use facial recognition and fingerprints as a permitted substitute for passwords, with proper customer consent, as an alternate reasonable method of establishing precautions against an incursion. Much as insurance carriers helped establish safety practices in factories and other brick-and-mortar industries, they can assist here to set baselines for proper security practices like passwords, facial recognition, and fingerprints; and in the process, they may be able to lower the cost of obtaining those protections as they spread across the web.

Some incursions may cause little or no real harm, but the litigation and resulting mitigation can consume significant resources, and setting well-established baselines for reasonable efforts to prevent incursions would at least lower the cost of such litigation. This might in turn decrease the cost of obtaining cyber insurance, as carrier payouts should decrease and the cost of the security software might also go down.