In my previous blogs, I pointed out that security breaches are like death and taxes (i.e., unavoidable), and that insureds simply need a product that will pay for the losses from the inevitable security breaches. I also pointed out that insurance companies could help by certifying security products that were good enough to guarantee a payment under the companies’ policies if there were a breach. The recent Mondelez case shows why insureds often wonder whether carriers really intend to pay claims. There, the maker of Oreo cookies bought a policy that covered intrusions into the company’s computer code. After the NotPetya ransomware attack, the carrier refused claims valued in the millions based on the war exclusion. See April 29, 2019 J. Davis post. Relatedly, Merck reported $300m of losses from NotPetya, and insurer Hiscox reported that the share of surveyed companies experiencing cyber incidents rose from 45% to 61% between 2018 and 2019. The recent indictment of two Chinese nationals for the Anthem hack, which cost $115m, likewise shows the likelihood of hacks and the resulting value of insurance that pays on such claims. Law 360 May 9, 2019. The option of buying a policy that would be guaranteed to pay as long as the insured purchased and properly used certified security software would go a long way toward increasing insureds’ comfort that their cyber-related losses will actually be covered.
Such an option would be similar to the long-standing efforts of property carriers to inspect factories and other facilities and suggest safety improvements, or to the creation in the 1950s of the Highway Safety Institute to develop safer cars. As reflected in a Wall Street Journal article dated March 26, a group of insurers has announced a plan to certify providers of cyber security software under the name “Cyber Catalyst.” It appears that Marsh will bring together a group of insurance companies such as Allianz, AXA, Munich, Zurich, and Beazley to jointly certify such software solutions. Marsh will not participate in the decision making, nor will Microsoft, which is serving as a technical advisor. Presumably, if an insured purchases cyber insurance from a carrier in this group as well as security software certified by the group, the carrier will not be able to use an exclusion for not taking adequate precautions or any similar exclusion to bar coverage for a security breach.
The formation of this group may present antitrust issues, but as long as it acts in a non-discriminatory fashion, there should be a consumer benefit from having these certified solutions, and the certification program should be found permissible. The group might also be able to improve the quality of generally available security software by pointing out the weaknesses of submitted software. An industry of security consultants has grown up that logs into insureds’ websites, tries to spot alleged security flaws, and then either publicizes those flaws or seeks business assisting the software provider to remedy the issue; it will be interesting to see how these consultants interact with the group of insurers certifying software and with the certified security software providers. The consultants may well disagree with the insurers, and it will be interesting to see whether the insurers then side with the consultants or with their own certification decisions when adjusting claims.
Carriers may also offer premium discounts to insureds who buy the certified software, similar to safe driver discounts. As also mentioned before in this blog, many security software providers are now thinking about selling insurance for the inevitable breach as part of their products. This will raise its own regulatory issues about meeting the disparate rules of the fifty states about selling insurance, but it should provide a value-added product for insureds. Guaranteed coverage for a breach as long as the insured buys a certified security software system and uses it correctly may also provide other values to consumers. Given the arcane language used in many cyber policies, the security software providers might be able to persuade carriers to provide more understandable policies. Cyber Catalyst should also be able to assemble better data on security claims to give the companies more confidence in pricing their cyber policies, which should hopefully result in lower rates.
Security software providers may also consider seeking to persuade cyber carriers to accept the risk that, on occasion, utility may be more important than security. If the carriers certified products that allow biometric log-in methods like facial recognition and fingerprints, as opposed to requiring complicated computer-generated passwords or two-factor authentication that tend to complicate access to data and destroy utility, that might preserve the ease of customers’ access to their data. The goal should be to offer a product that provides compensation for the inevitable hack while still allowing a company to offer value to its customers by granting them relatively easy access to their own customer data or to on-line purchasing.
Carriers could also provide policies that pay claims when a security consultant or class-action lawyer claims to expose a problem that does not result in any loss of privacy or personal data but leads to significant defense expenses. The recent case of USFI v. Xanitos, 19 CV 02947 (N.D. Ill), where the carrier is trying to avoid paying for the defense of a suit alleging improper use of biometric software, shows how carriers might decrease the use of effective biometric passwords by refusing to cover cases brought to enforce consent provisions, such as the consent provision of the Illinois biometric law at issue in USFI. This case admittedly involves a CGL policy, not a cyber policy, but if the carrier were to specifically approve the biometric software and defend it as part of a cyber policy, that would likely increase the usage of this feature, which makes it easier for employees to log into a job site containing sensitive health-care data.
Thus, it appears that the Cyber Catalyst project holds great promise for improving both cyber insurance and products that provide protection and compensation for the inevitable breaches that will continue to occur. Hopefully, it can also protect reasonable access to data and on-line transactions by counteracting the increasing trend of advocacy groups to limit the use of, e.g., biometric devices based on their particular views of how to secure user privacy. These advocates seem to have encouraged various newspapers to run a campaign against their web-based advertising competitors under the guise of protecting privacy. If successful, this approach may hamper ease of access to websites and decrease consumer utility. By providing reasonable insurance against such campaigns and lawsuits, the Cyber Catalyst project might well maintain ease of access and benefit the majority of consumers.