Committees Active on This Topic

News Releases

Additional Resources

NAIC/CIPR Articles

Contacts

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org

Eric Nordman
Director, Regulatory Services and CIPR
816-783-8232

CIPR Homepage

CIPR Newsletter | Subscribe

Cybersecurity

Last Updated 12/12/17

Issue: Cybersecurity risks have become more significant as critical consumer financial and health information is increasingly stored in electronic form. As people become more reliant on electronic communication, and as businesses collect and maintain ever more granular pieces of information on their customers, the opportunity for bad actors to cause difficulties for businesses and the public is exploding. Recent high-profile data breaches have led regulators to work toward strengthening insurer defenses against attacks.

Cyber Risk Management

In recent years, the demand for cyber insurance has increased significantly in response to sharply heightened risk awareness. However, managing cyber risks through insurance is relatively new. Although the market for cyber liability insurance is off to a good start, it is expected to grow dramatically over time as businesses gradually become more aware that current policies do not adequately cover cyber risks. With each announcement of a system failure leading to a significant business loss, the awareness grows. This growing awareness has stimulated demand for cyber liability insurance products.

As data breaches occur more frequently, there are additional pressures for business to step up efforts to protect the personal information in their possession. Cyber-attacks may come from nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Cybercriminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can eventually be monetized, such as credit card numbers, health records, personal identification information and tax returns.

Cyber risks include:

  • Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including such data elements as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license numbers, birth dates and PIN numbers.
  • Business interruption from a hacker shutting down a network.
  • Damage to the firm’s reputation.
  • Costs associated with damage to data records caused by a hacker.
  • Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
  • Introduction of malware, worms and other malicious computer code.
  • Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
  • The cost of credit monitoring services for people impacted by a security breach.
  • Lawsuits alleging trademark or copyright infringement.

Cyber Liability Policies

Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage. However, most standard commercial lines policies do not cover many of the cyber risks mentioned above. To cover these unique cyber risks through insurance requires the purchase of a special cyber liability policy. However, cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk are more customized than other risk insurers taken on, and, therefore, more costly. The type of business operation will dictate the type and cost of cyber liability coverage. The size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the Web, the type of data collected and stored, and other factors.

Cyber liability policies might include one or more of the following types of coverage:

  • Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
  • The costs associated with restoring, updating or replacing business assets stored electronically.
  • Business interruption and extra expense related to a security or privacy breach.
  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
  • Expenses related to cyber extortion or cyber terrorism.
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

Securing a cyber-liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk-management techniques applied by the business to protect its network and its assets. The insurer will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will most likely be keenly interested in how employees and others are able to access data systems. At a minimum, the insurer will probably want to know about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.

Status: The NAIC and state insurance regulators have made significant progress on their efforts to tackle cybersecurity issues. They have been working directly with Anthem and Premera to resolve immediate concerns on insurance information involved in these companies’ recent data breaches. State insurance regulators are also in the unique position of regulating and monitoring the solvency of insurance carriers underwriting cybersecurity policies.

The NAIC’s Cybersecurity (EX) Task Force (now disbanded, with its charges absorbed by the Innovation and Technology (EX) Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance in 2015. The 12 principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. The Working Group also bolstered consumer protections in 2015 with the adoption of the NAIC Roadmap for Cybersecurity Consumer Protections. In addition, the NAIC adopted the Insurance Data Security Model Law in late 2017. This model establishes the standards for data security and investigation and notification of a breach of data security applicable to insurance providers. The NAIC also updated its Financial Condition Examiners Handbook and will be updating the Market Regulation Handbook.

In addition, the NAIC adopted a Cybersecurity Insurance Coverage Supplement for the P/C annual financial statement to collect information about cybersecurity insurance markets. The initial filings were received April 1, 2016 for 2015 data and the second year of filings were received in April 2017 for 2016 data. Analysis for 2016 data showed more than 500 insurers provided business and individuals with cyber insurance in the U.S. The vast majority of these coverages were written as endorsements to commercial and personal policies.

At the federal level, state insurance regulators serve on the U.S. Department of the Treasury’s Financial Banking and Information Infrastructure Committee (FBIIC) and on the Executive Branch and Independent Agency Regulatory Cybersecurity Forum, where they work with federal regulators to address cyber threats in the U.S. The Treasury Department, in its Report on Asset Management and Insurance, endorsed the NAIC Insurance Data Security Model Law and recommended Congress should preempt the states if it is not adopted in 5 years. Separately, there continues to be work in Congress on legislative proposals relating to Data Security, some of which would be preemptive of state authorities.

The National Institute of Standards and Technology (NIST) recently issued a draft update to its framework for improving critical infrastructure cybersecurity. The updates provide new details regarding the management of cyber supply chain risks, clarify key terms, and introduce measurement methods for cybersecurity. Neither house of Congress have recently passed any bills addressing cybersecurity; however, this remains to be a key issue at the Federal level.